The University of North Carolina at Charlotte
Credit/Debit Card Processing Procedures

I. Executive Summary and Purpose

The University of North Carolina at Charlotte (UNC Charlotte) currently accepts three major credit cards (MasterCard, Visa and Diner's Club) for payment of services rendered and goods sold. Debit cards with the Visa or MasterCard logo are also accepted. All University departments are required to process card transactions through the merchant services provider selected by the University and the North Carolina Office of the State Controller.

These procedures are required in direct support of the UNC Charlotte Credit Card Processing Regulation. This document sets forth the technical details and procedural requirements for implementing credit card processing at UNC Charlotte or for outsourcing that processing to a third party. The procedures' scope, revisions, exceptions, and compliance are noted in the Credit Card Processing Regulation.

II. Definitions

Account Number: The unique number identifying the cardholder's account which is used in financial transactions.
Application Server: The computer hosting the application to which the general end-user or the point-of-sale (POS) terminal connects.
Cardholder Data: Any personally identifiable data associated with a cardholder, such as an account number, expiration date, name, address, or social security number.
Cardholder Information Security Program (CISP): CISP defines a standard of due care for securing Visa cardholder data, wherever it is located. CISP compliance is required of all entities storing, processing, or transmitting Visa cardholder data.
Card Verification Value 2 (CVV2): An additional verification code used in transaction processing.
Credit Card Number: Any part or all of the unique number identifying the account for a financial transaction.
Credit/Debit Card Processing: The act of storing, processing, or transmitting credit/debit cardholder data.
Database Server: The computer storing the sales and/or credit card numbers.
eCommerce Application: Any internet-enabled financial transaction application, whether a buying application or a selling application.
Employee: Any employee (as defined by the Employee Handbook), faculty member, student employee, or contractor employed by a third party and providing services to UNC Charlotte.
Encryption: Scrambling data in a recoverable format.
Firewall: A network device or host-based software implementation designed to restrict network access to a computer.
Hashing: Scrambling data in an unrecoverable but verifiable format.
Intrusion Detection System (IDS): A network monitoring device for recognizing attempts to compromise monitored systems.
Intrusion Prevention System (IPS): A network monitoring device for preventing attempts to compromise monitored systems.
ISO 17799: The International Organization for Standardization (ISO) document defining a code of practice for information security management.
POS Device: A point-of-sale (POS) computer or credit card terminal, either running as a standalone system or connecting to a server at UNC Charlotte or at a remote off-site location.
Sensitive Cardholder Data: The account number, expiration date, CVC2/CVV2 (the three-digit number printed on the signature panel of the card), and the data stored on track 1 and track 2 of the magnetic stripe of the card.
Swipe Terminal: A POS credit card terminal.
Two-factor Authentication: Authentication requiring two different methods of confirming identity, typically a combination of two of the following: something the user has (e.g. a card or a key), something the user knows (e.g. a password), and something the user is (e.g. a fingerprint).
Web Development: The design, development, implementation and management of the front-end of the eCommerce application.

III. General Guidelines

A. Any University unit wishing to accept credit/debit cards for goods and/or services must complete a Credit/Debit Card Processing Application.
B. Upon approval, the Business Affairs office will request a merchant ID for the college or department from the merchant services provider, if a separate merchant ID is necessary. If the college or department will be conducting e-Commerce, an e-Commerce merchant ID must be established which is separate from any POS merchant ID.
C. The Business Affairs office will work with the college or department regarding the purchase of all POS terminals. All POS equipment printing a customer receipt is required to truncate the card number (i.e. no more than the last four digits of the credit card number may print on the customer's receipt) and must not display the expiration date of the card on the customer receipt.
D. If specialized software and/or systems are required for processing, the Financial Services Office, the University IT Security Officer, the Internal Audit Department, and the applicable computer support unit will work with the college or department to ensure that processing standards and safeguarding measures are met.
E. University departments and colleges should NOT physically or electronically store ANY sensitive cardholder data. To the extent possible, e-Commerce sale transactions should NOT take place on University computers or network resources. It is acceptable for Point of Sale devices to hold sensitive cardholder data on the device until transactions are settled; once settlement occurs, no sensitive cardholder data should remain stored electronically.
F. UNC Charlotte academic and business units are prohibited from accepting credit/debit card information via email.
G. UNC Charlotte academic and business units are prohibited from establishing web sites to receive and/or process credit/debit card information outside of the allowed e-Commerce web infrastructure.
H. All fax machines that receive cardholder information must reside in a physically secure, controlled-access location.
I. Only designated personnel who have completed training may have access to fax machines that can receive credit card information.
J. All sensitive cardholder information physically received by the University must be accompanied by an audit history.
K. Departments should maintain adequate records of sales transactions. Daily sales totals, logs, etc. substantiating revenue should be stored in accordance with state record retention policies and the current Merchant Services Plan.
L. Individual receipt slips and other documents, whether physical or electronic, containing sensitive cardholder data must:
   1. be stored in a physically secure location;
   2. be kept in a limited-access location;
   3. only be accessed by individuals who have completed training;
   4. only be accessed by individuals who have had background checks.
M. On a daily basis, the department must balance transactions and settle their sales electronically to the merchant services provider.
N. The department will complete and send the Cashier's Credit Card Book Receipt Form to the Cashier's Office so that the sales revenue can be recorded in the University accounting system. The Cashier's Credit Card Book Receipt Form, along with a copy of the sales report from the card processor and a copy of the detail report from the POS terminal, should be brought to the Cashier's Office no later than noon of the day following settlement. The Cashier's Credit Card Book Receipt Form is available on the Financial Services website (http://www.finance.uncc.edu/FormsNew.htm).
O. At the time of disposal, all documents containing sensitive cardholder data should be shredded using a cross-cut shredder.
P. All departments accepting credit/debit cards for payment must comply with the UNC Charlotte Credit/Debit Card Processing Regulation.

IV. Guidelines for Point-of-Sale (POS) Transactions

A. The Business Affairs office will coordinate all credit/debit card processing for the University. No individual department may enter into a contract with a credit/debit card processor without approval of the Vice Chancellor of Business Affairs (VCBA) or his/her delegate(s).
B. All card transactions will be processed on equipment compatible with the processing platform(s) of the University's merchant services provider. The University's merchant services provider is determined by UNC Charlotte in accordance with the North Carolina Office of the State Controller.
C. All customer receipts must truncate the card number so that only the last four digits are printed and must not display the card expiration date.
D. Departments requiring customized equipment for point-of-sale transactions must contact the Business Affairs office before such equipment is purchased. ITS Information Security will also be consulted prior to equipment purchase.
E. In order to reduce fraud, credit card companies and UNC Charlotte require the following procedures for processing cards when the card is present (i.e. a face-to-face transaction):
   1. Ask for an ID at the point of sale to verify that the card member is using the card.
   2. Always swipe the card through the terminal/point-of-sale device, if applicable.
   3. Obtain authorization for every card sale.
   4. Ask the customer to sign the sales receipt.
   5. Match the embossed number on the card to the four digits of the account number displayed on the terminal.
   6. Compare the name and signature on the card to those on the transaction receipt.
   7. If you believe the card member or card sale is suspicious, call your voice authorization center for the card being used.
F. If cardholder information is taken over the phone or via fax (i.e. the card is not present), in order to reduce fraud, the following guidelines are required:
   1. Obtain the cardholder name, billing address, shipping address (if different from the billing address and if applicable), account number, and expiration date.
   2. Verify the customer's billing address either electronically (by entering the zip code in the POS device) or by calling the credit card automated phone system (Address Verification System - AVS).
   3. Request the Security Code (the three-digit code on the back of the card in the signature panel) and validate the code at the time of authorization, either electronically (through the POS device) or by calling the credit card automated phone system. This code must be destroyed once validated; it must not be stored physically or electronically.
   4. Get a signature for each delivery that is not made to the card member.
   5. Maintain credit card receipts and all delivery records for the retention period defined in the current Merchant Services Plan.
G. All point-of-sale terminal transactions must be batched and transmitted to the card processor on a daily basis.
H. Sales totals (net of refunds) must be reported to the Cashier's Office on a Cashier's Credit Card Book Receipt Form. The Cashier's Credit Card Book Receipt Form, along with a copy of the sales report from the card processor and a copy of the detail report from the POS terminal, should be brought to the Cashier's Office no later than noon of the business day following settlement.
I. It is important that departments reconcile their POS transactions and report the sales amounts to the Cashier's Office. The department's Cashier's Credit Card Book Receipt Form should be the origination point; the Cashier's Office should not report the sales amount per the credit card processor reports to the department in order for the department to prepare the transmittal.
J. The Cashier's Office will compare the sales amount per the Cashier's Credit Card Book Receipt Form to the records at the card processor and will immediately inform the department of discrepancies. All discrepancies should be resolved within 24 hours so that sales can be posted to the departmental account in the UNC Charlotte accounting system on a timely basis.
K. When the Cashier's Office receives chargeback inquiries from the credit card companies, the applicable department will be contacted to provide the necessary information about the sales transaction in question.

V. e-Commerce Transactions

A. The Business Affairs office will coordinate all e-Commerce processing for the University. No individual department may enter into a contract with a card processor without approval of the VCBA, the CIO, or their delegate(s).
B. Departments must contact the Business Affairs office prior to the purchase of specialized software or equipment so that customized processing applications are reviewed in conjunction with the regulation and these procedures. The Business Affairs office, the University IT Security Officer, the Internal Audit Department, and the applicable computer support unit will work with the department to ensure that processing standards and safeguarding measures are met.
C. All card transactions will be processed through a payment gateway(s) approved by the VCBA and the CIO.
D. Card processing transactions must be performed on the website of the payment gateway (i.e. the customer should enter sensitive cardholder data on the payment engine's website) and NOT on University computer or network resources.
E. No college or department may store ANY sensitive cardholder data on any UNC Charlotte computing device. All sensitive cardholder data must be maintained by an approved service provider. All outside service providers must comply with Visa CISP.
F. All e-Commerce transactions must be processed in real time, or batched and/or transmitted to the merchant services provider on a daily basis.
G. Sales totals (net of refunds) must be reported to the Cashier's Office so that the sales revenue can be recorded in the University accounting system. The Cashier's Credit Card Book Receipt Form, along with a copy of the sales report from the card processor and a copy of the detail report from the POS terminal, should be brought to the Cashier's Office no later than noon of the day following settlement. The Cashier's Credit Card Book Receipt Form is available on the Financial Services website.
H. It is important that departments reconcile their e-Commerce transactions and report the sales amounts to the Cashier's Office. The department's Cashier's Credit Card Book Receipt Form should be the origination point; the Cashier's Office should not report the sales amount per the credit card processor reports to the department in order for the department to prepare the transmittal. Departments will be given web access to the payment manager database which houses the card transactions. This will enable the department to perform reconciliation and research.
I. The Cashier's Office will compare the sales amount per the Cashier's Credit Card Book Receipt Form to the records at the card processor and will immediately inform the department of discrepancies. All discrepancies should be resolved within 24 hours so that sales can be posted to the departmental account in the UNC Charlotte accounting system on a timely basis.
J. When the Cashier's Office receives chargeback inquiries from the credit card companies, the applicable department will be contacted to provide the necessary information about the sales transaction in question.

VI. e-Commerce Required Technical Security Procedures

A. All servers that process or link to a server that handles sensitive cardholder data and processes credit card payments must have the following in place:
   1. A host-based firewall preventing connections on all ports except a specific subset (e.g. 443 for secure web transactions, and port 22 restricted by source IP for system administration). All firewall rules must be documented and all modifications approved.
   2. Host-based intrusion detection to monitor for and alert personnel to suspected compromises.
   3. Up-to-date anti-virus software on all Microsoft Windows computers.
   4. File integrity monitoring, reporting to an external system, of critical system and application files for inappropriate/unauthorized modifications. Reviews for potential changes must occur daily.
   5. System logging or auditing to an external server of all critical operating system events (e.g. all logins, unauthorized file access attempts), with logs retained for at least 6 months.
   6. A single function (e.g. application or database) per server.
   7. Security patches tested and, if possible, applied within one week of vendor release. All patches must be applied, or documentation explaining the implementation problem produced, within 30 days. A change log must be maintained for all servers.
   8. Passwords at least 8 characters long and complex (including a number or special character), expiring after 90 days or less, not reusing the last 4 passwords, and stored in an encrypted or hashed format.
   9. All accounts disabled after 30 days of inactivity and, if not re-enabled and actively used, removed after an additional 60 days. The only exception is emergency accounts used for system recovery and not used regularly.
   10. Before a new computer is connected to the network: all system patches applied, all default account names and default passwords changed, and all security configurations and services/daemons reviewed.
   11. Vulnerability testing of the associated computers every 30 days, with penetration testing at least annually.
   12. Computer access only by uniquely assigned and auditable IDs.
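Item A.1 above requires a default-deny host firewall whose rules are documented and whose changes are approved. The following is an added example, not part of the UNC Charlotte procedures: it audits a documented inbound rule list against that requirement and renders a default-drop nftables ruleset from the rules that pass. The rule format, the administrators' subnet 10.20.30.0/24, the change-ticket identifiers and the sample rules are all assumptions constructed for illustration; the check covers IPv4 only.

```python
"""Added example (not part of the UNC Charlotte procedures): audit a documented
host-firewall rule set against section VI.A.1 and render an nftables ruleset
from the compliant rules.  Policy values, rule format and sample rules are
assumptions constructed for illustration; IPv4 only."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One documented inbound accept rule: protocol, port and the source block."""
    proto: str          # "tcp" or "udp"
    dport: int
    src: str            # CIDR the connections may originate from
    approved_by: str    # change ticket / approver recorded for the rule (VI.A.1)


# Assumed policy for a payment-linked web server: 443 may be public, 22 only
# from the administrators' subnet, and nothing else accepts outside connections.
PUBLIC_PORTS = {("tcp", 443)}
ADMIN_ONLY_PORTS = {("tcp", 22)}
ADMIN_NET = ipaddress.ip_network("10.20.30.0/24")   # assumed admin jump subnet


def audit_rules(rules):
    """Return a list of violation strings; an empty list means compliant."""
    violations = []
    for r in rules:
        src = ipaddress.ip_network(r.src, strict=False)
        key = (r.proto, r.dport)
        if not r.approved_by:
            violations.append(f"{r.proto}/{r.dport} from {r.src}: no approval recorded")
        if key in PUBLIC_PORTS:
            continue                        # 443 may be open to the world
        if key in ADMIN_ONLY_PORTS:
            if not src.subnet_of(ADMIN_NET):
                violations.append(
                    f"{r.proto}/{r.dport} from {r.src}: admin port open outside {ADMIN_NET}")
            continue
        violations.append(f"{r.proto}/{r.dport} from {r.src}: port not in the approved subset")
    return violations


def render_nftables(rules):
    """Render a default-drop inet input chain that accepts only the given rules.

    Dropped packets are logged so the 24/7 monitoring in section VI.B has
    something to read; load the output with `nft -f <file>` on the host."""
    lines = ["table inet cardholder {",
             "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    for r in rules:
        lines.append(f"    ip saddr {r.src} {r.proto} dport {r.dport} ct state new accept")
    lines += ['    log prefix "cardholder-drop: " drop', "  }", "}"]
    return "\n".join(lines)


# Constructed sample rule set: two compliant rules and two that VI.A.1 rejects.
SAMPLE_RULES = [
    Rule("tcp", 443, "0.0.0.0/0", "CHG-1001"),
    Rule("tcp", 22, "10.20.30.0/24", "CHG-1002"),
    Rule("tcp", 22, "0.0.0.0/0", "CHG-1003"),      # ssh reachable from anywhere
    Rule("tcp", 3306, "192.168.5.0/24", ""),        # undocumented database port
]

if __name__ == "__main__":
    for v in audit_rules(SAMPLE_RULES):
        print("VIOLATION:", v)
    compliant = [r for r in SAMPLE_RULES if not audit_rules([r])]
    print(render_nftables(compliant))
```

Running the block prints three violations (ssh open to the world, and the database rule both undocumented and outside the approved port subset) and then the ruleset for the two rules that pass. The audit is what a reviewer would run over the documented rule list before approving a change; the rendered ruleset is only as trustworthy as that list, so keep both under change control as item A.7 requires.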
B. All servers that process or link to a server that handles sensitive cardholder data and processes credit card payments must have the following provisions in place for network and modem connectivity:
   1. A network-based firewall preventing inappropriate/unauthorized access from outside the academic/business unit or from other than specifically authorized computers.
   2. An intrusion detection system and/or intrusion prevention system monitoring for unauthorized access attempts.
   3. 24/7 monitoring of the network-based firewall and IDS/IPS systems for potential penetrations, and 24/7 on-call expertise for potential security incidents.
   4. Two-factor authentication for routers servicing all computers connecting to, handling, processing, or storing credit card numbers.
   5. Specific authorization for modem connections. All modem connections must be outbound only.
   6. All data transfers and administrative access in an encrypted format (e.g. SSL, SSH, IPSec).

VII. Credit Card Number Storage Requirements

A. No sensitive cardholder data may be stored on a University computer unless an exception to store sensitive cardholder data has been granted (see section XI). If sensitive cardholder data is stored on a University computer, it MUST be protected by encryption, hashing, or truncation. No complete credit card numbers will be stored on computers owned by UNC Charlotte in an unprotected manner. Standard encryption algorithms must use at least a 128-bit AES key. Minimum key lengths will be increased as computing processing power improves. Minimum key lengths for new encryption technologies must be provided with these guidelines prior to implementation. Keys must be kept in a single accessible location with backups. Keys must be changed every 90 days, and old keys must be deleted/destroyed after an additional 30 days.
   The following additional requirements apply to computers storing credit card numbers and to their network connectivity, beyond those noted in sections V and VI:
   1. Accounts must lock out after six or fewer invalid login attempts and require manual re-enabling.
   2. Sessions must time out after 15 minutes.
   3. All accesses to credit card numbers must be logged.
   4. All root access activities must be logged to an external server.
   5. The system must not be openly accessible from any public network.
   6. A dedicated firewall must be in place specifically for computers storing credit card numbers, preventing any public access to protected systems. Access is permitted only by exception, by both IP and port.
   7. Credit card numbers must not be stored in multiple locations, with the exception of backups.
   8. CVV2 information must not be stored beyond the transaction authorization point.
   9. Two-factor authentication is recommended.

VIII. Physical Security Requirements

A. All servers that have been granted an exception to store sensitive cardholder data, and those servers that process or link to a server that processes credit card payments, MUST have the following provisions in place:
   1. The servers MUST be located in the Information and Technology Services (ITS) Data Center.
      A. Servers must be placed in a separate locked room within the data center or within locked racks.
      B. Video surveillance must be maintained on the servers.
      C. All access to the servers by anyone except employees specifically approved for access to the credit card numbers must be continuously escorted.
   2. The Data Center must log all room access (with logs maintained for at least 90 days), maintain video surveillance of room ingress and egress, and provide identification that makes employees, visitors, and inappropriate access easy to distinguish. Visitors must be issued a Data Center ID that must be returned, or be issued a temporary ID and continuously escorted.
   3. All backup media must be secured on site, off site, and in transit. All transportation must be handled by approved University employees or bonded couriers.

IX. Outsource Requirements

A. Any unit may outsource its credit card transaction processing so long as the outsourcing is to an approved vendor as selected by the Business Affairs office. This is the preferred method of processing credit card transactions. This option transfers the operational risk of handling card data to the outsourced service; the University remains responsible for confirming that the provider meets the card companies' requirements (see section V.E), which is why the contract must cover them. Approval for credit card transaction processing must follow the standard approval process. Contracts must address these elements:
   1. Compliance with all appropriate credit card company security requirements.
   2. Service level agreements.
   3. Data retention and destruction requirements.

X. Review Process for a Credit Card Transaction Processing Request

A. Document the business need for accepting credit card transactions in a new unit or location.
B. Meet with the Business Affairs office for justification and approval of the business case.
C. Meet with Information Security to evaluate options and costs for implementation (using existing facilities, implementing separate facilities, or outsourcing transaction processing).
D. Meet with the CIO or delegate(s) for technical approval of the implementation.
E. Meet with UNC Charlotte Legal Affairs to ensure all contracts meet federal, state, and contractual requirements.

XI. Exceptions to Regulation

A. The Credit/Debit Card Processing Regulation and these Procedures specifically allow for the possibility of an exception in order to temporarily store, in a secure manner, sensitive cardholder data on a University server (see Credit/Debit Card Processing Regulation section IV.8).
B. Any request for this specific exception must be made in writing to the VCBA and the CIO and include the following:
   1. The reason for requesting the exception.
   2. The steps being taken to become compliant with the regulation.
   3. The date by which compliance with the regulation is expected.
C. The Business Affairs office and ITS Information Security will work with the VCBA and the CIO to review the request for exception. Following a review of the request, the final approval or denial will be made by the VCBA.
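Sections III.C and IV.C require receipts to carry only the last four digits of the card number and no expiration date, and sections III.E and VII.A prohibit keeping full card numbers on University systems. The following is an added example, not part of the UNC Charlotte procedures: it produces the truncated form of a card number for a receipt and scans a department's stored records for any full card number left behind, using the Luhn check that every brand's account numbers satisfy to separate real card numbers from other long digit strings. The record format and the sample log lines are constructed; the card numbers in them are well-known test numbers, not real accounts.

```python
"""Added example (not part of the UNC Charlotte procedures): truncate a card
number for a receipt (III.C / IV.C) and scan stored records for unmasked card
numbers (III.E / VII.A).  Record format and sample lines are constructed."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every card brand's account number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the receipt form of a card number: all but the last four masked."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("not a valid card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def receipt_lines(pan: str, expiry: str, amount: str) -> list:
    """Build the customer receipt: card number truncated, expiry never printed.

    The expiry is accepted so callers can pass the whole sale record, but it is
    deliberately not used in the output."""
    return [f"CARD {mask_pan(pan)}", f"AMOUNT {amount}"]


# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# dashes, not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number that appears unmasked in text."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_records(lines) -> list:
    """Return (line number, masked number) for each stored line holding a full PAN.

    The finding itself is reported in masked form so the scan output does not
    become one more place where a full card number is stored."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed sample of a department's settled-sales log.  The card numbers
# are standard test numbers, not real accounts.
SAMPLE_LOG = [
    "2024-03-01 settle batch 17 total 1,240.00",
    "2024-03-01 sale 42 card ************4242 amt 80.00",      # properly truncated
    "2024-03-01 sale 43 card 4111 1111 1111 1111 exp 12/26",   # full PAN and expiry
    "2024-03-01 sale 44 ref 1234567890123 amt 15.00",          # 13 digits, fails Luhn
]

if __name__ == "__main__":
    print("\n".join(receipt_lines("4111111111111111", "12/26", "80.00")))
    for n, masked in scan_records(SAMPLE_LOG):
        print(f"line {n}: unmasked card number {masked}")
```

The scan flags only line 3 of the sample: the truncated number on line 2 has too few digits to be a card number, and the 13-digit reference on line 4 fails the Luhn check. Run over exported POS detail reports, spreadsheets and mailbox dumps, this is the practical check that a department is not holding sensitive cardholder data; a hit on anything other than a masked receipt is a storage violation under III.E and VII.A and should be treated as such.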