Goal is protection of sensitive data
• New Rice policy calls for protection of sensitive
personally identifying information
• Confidential information includes:
- Social Security numbers
- Credit card numbers
- Driver’s license or other gov’t issued ID
- Bank account information
- Protected health information
- Student education records
1
Credit Card Use at Rice
• Rice departments process credit card transactions
for the following business purposes:
- Receiving donations
- Selling merchandise
- Registering people for events
- Receiving tuition and fees payments
• This initiative only concerns payments accepted by
Rice. So, Pcards are not included.
2
Credit Card Security
• Payment card industry established data security
standards (PCI DSS) for credit and debit card
transactions
• Key points of DSS:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
3
PCI compliance activities at Rice
•
•
•
•
•
•
Committee to manage process
Drafted procedures and website
Briefing sessions
Completed first year assessments
Identified issues to be resolved by June 1
Second year assessment due Dec 2011
IF WE HAVE MISSED YOUR DEPARTMENT, PLEASE
LET US KNOW!
4
Key Points of University-wide
Credit Card procedures
5
•
Treat data as confidential.
•
Data that is not absolutely necessary in order to conduct business will not be retained in
any format (e.g., paper or electronic).
•
Data will not be accepted, requested, or retained via e-mail or other electronic means.
•
Do not store card-validation codes (the three- or four-digit code) used to validate card-notpresent transactions or the personal identification number (PIN) or encrypted PIN block.
•
Mask account numbers if and when displayed (i.e., no more than the first six and last four
digits of the credit card numbers).
•
Restrict physical access to records to a “business-need-to-know” using such means as
locked file cabinets and restricted file rooms and restrict distribution of such records.
•
If external media or couriers are used to transmit or transfer such data, means that enable
tracking of the data will be used. Any transfer using these or similar means will be
approved by appropriate levels of management before the fact.
•
If this information is shared with any external service providers, vendors’ contractual
obligations to comply with the PCI standards will be ensured.
Departmental
Credit Card Procedures
• Departments that accept and handle credit and debit
card payments must have departmental procedures
• Key issues:
• Only keep the information you MUST have to do
business. Store paper securely.
• Do not store credit card data electronically.
• Require external vendors to be PCI DSS
compliant; consult with General Counsel.
• Contact: Susan Castanza (castanza@rice.edu)
6
Authorization
to Process Credit Cards
• Application Process: Contact Susan Castanza
(x4649)
– What is the business need?
– How do you propose to accept credit and debit card
payments?
– What are the various costs associated with accepting
credit and debit cards?
• Touchnet Payment Gateway is preferred for on-line
processing
– PCI-DSS compliant
• Requires commitment to security compliance
7
Website
• Sources of Information:
– There is a new web site that gathers all this
information together: creditcards.rice.edu
• Includes:
– Application Process
– Security Information
– Processing Tips
8
Thanks to Credit Card Committee
•
•
•
•
•
•
•
•
•
9
Rhonda Bethea
Krystal Bivens
Susan Castanza
Randy Castiglioni
George Cochrum
Jeff Frey
Dow Hudlow
Rick Mello
Ryan Moore
•
•
•
•
•
•
•
Mike Morgan
Frank Rodriguez
Karen Rubinsky
Marc Scarborough
Lynder Watson
Janet Covington
Veta Byrd