Longwood University Best Practices for Payment Card Activities Understand Policies and Procedures Merchants must understand Longwood University’s payment card security policy #1015 and applicable procedures. Compliance with the PCI standards at www.pcisecuritystandards.org is mandatory. Protect Cardholder Data In order to mitigate the risks of accepting credit cards as a method of payment, departments should consider using TouchNet Marketplace when practical. Do not store credit card data unless required to conduct departmental business. Never store credit card numbers electronically in a database or spreadsheet, on portable media or on share drives. Never store sensitive authentication data - magnetic stripe data, chip data, the CAV2/CVC2/CVV2/CID, or the PIN/PIN block - under any circumstances. Do not store the full cardholder account number (PAN) with expiration date. Mask all but the last 4 digits of the credit card number. Crossing through the primary account number (PAN) is not an acceptable means of securing the data on paper. Instead, remove the portion of the document containing cardholder data and shred. Maintain up-to-date policies and procedures, including departmental desktop procedures. Ensure computers handling credit card data possess updated versions of University recommended antivirus and spyware detection software. Do not request, send or accept payment card information by email. If you receive cardholder data via email, do not process the transaction. Make the sender aware that, for their safety, they should never email credit card information. Remove the cardholder data when responding and direct them to an approved processing method. Delete the email containing cardholder data completely from your email account. Complete annual credit card security training upon hire and at least annually. Any confirmed or suspected breach should be reported immediately to the Information Security Office. Implement Strong Access Control Measures Departments may not negotiate contracts with credit card processing companies or companies accepting credit card payments. All merchant accounts for accepting credit cards must be approved by Financial Operations. Permit only those employees with a legitimate “need to know” access to cardholder data. Limit user access to specified privileges. Each employee with access to payment card information via computer should have a unique login or password. Log out of computer when unattended. Never share passwords or user IDs. Never use vendor supplied default passwords. Passwords should be changed regularly – at least every 90 days. Restrict Physical Access to Cardholder Data Always protect cardholder data against unauthorized access. Keep credit card information locked in a secure location (locked drawer, file cabinet, office or safe). Do not allow unauthorized persons access to areas where credit card data is stored. Restrict physical access to computer workstations and other equipment used in credit card payment processing. Physical space can be secured through the use of employee badges, swipe card or key access, or video camera monitoring. Destroy documentation containing credit card information when no longer needed for business or legal reasons. Approved destruction methods for hard-copy materials include shredding (via cross-cut shredder), incinerating or pulping. Best Practices for a “Card Present” Transaction Swipe and retain the card only until the transaction is authorized. The credit card number should be masked – only the last 4 digits of the credit card number should be printed on the receipt. Give the customer their receipt to sign, if applicable. Compare the signature on the receipt to the one on the card. The university does not recommend accepting unsigned cards. Departments accepting unsigned cards must require a second form of picture ID prior to completing the transaction. Best Practices for a “Card Not Present” Transaction Direct cardholder to complete transaction through the department’s online payment system. Do not offer to enter payment card data into a third party website on behalf of a customer. The act of entering a payment on another’s behalf increases risks associated with credit card acceptance. Instead, direct customers to any internet enabled computer to complete their transaction. If departmental procedures permit the entering of payment card data on behalf of a customer, transactions must be conducted on a separate, secured payment terminal. If your department accepts credit cards in paper format (via mail), we recommend that you structure the form so that the credit card data can be removed (i.e. perforation at bottom of page) and shredded immediately following processing. This allows you to retain other information needed for business purposes without storing cardholder data. If card data is accepted by phone, develop a standard form (preferably on color paper) that is easily identifiable as containing credit card data and which can be shredded after the transaction is authorized.