The University of North Carolina at Charlotte
Credit/Debit Card Processing Procedures
I. Executive Summary and Purpose
The University of North Carolina at Charlotte (UNC Charlotte) currently accepts 3 major credit cards
(MasterCard, Visa and Diner’s Club) for payment of services rendered and goods sold. Debit cards
with the Visa or MasterCard logo are also accepted. All University departments are required to
process card transactions through the merchant services provider selected by the University and the
North Carolina Office of the State Controller.
These procedures are required in direct support of the UNC Charlotte Credit Card Processing
Regulation. This document sets forth the technical details and procedural requirements for
implementing credit card processing at UNC Charlotte or outsourcing that processing to a third party.
The procedures' scope, revisions, exceptions, and compliance are noted in the Credit Card
Processing Regulation.
II. Definitions
Account Number: The unique number identifying the cardholder’s account which is used in financial
transactions.
Application Server: The computer hosting the application with which the general end-user or the
point-of-sale (POS) terminal connects.
Cardholder data: Cardholder data is any personally identifiable data associated with a cardholder.
This could be an account number, expiration date, name, address, social security number, etc.
Cardholder Information Security Program (CISP): CISP defines a standard of due care for
securing Visa cardholder data, wherever it is located. CISP compliance has been required of all
entities storing, processing, or transmitting Visa cardholder data.
Card Verification Value 2 (CVV2): An additional verification code used in transaction processing.
Credit Card Number: Any part or all of the unique number identifying the account for a financial
transaction.
Credit/Debit Card Processing: Act of storing, processing, or transmitting credit/debit cardholder data.
Database Servers: The computer storing the sales and/or credit card numbers.
eCommerce Application: Any internet-enabled financial transaction application, whether a buying
application or selling application.
Employee: Any employee (as defined by the Employee Handbook), faculty, student employee, or
contractor employed by a third party and providing services to UNC Charlotte.
Encryption: Scrambling data in a recoverable format.
Firewall: A network device or host-based software implementation designed to restrict network
access to a computer.
Hashing: Scrambling data in an unrecoverable but verifiable format.
Intrusion Detection System (IDS): A network monitoring device for recognition of attempts to
compromise monitored systems.
Intrusion Prevention System (IPS): A network monitoring device for preventing attempts to
compromise monitored systems.
ISO 17799: The International Standards Organization document defining computer security
standards.
POS Device: Point-of-sale (POS) computer or credit card terminals either running as standalone
systems or connecting to a server either at UNC Charlotte or at a remote off site location.
Sensitive Cardholder Data: This is defined as the account number, expiration date, CVC2/CVV2 (a
three-digit number imprinted on the signature panel of the card), and data stored on track 1 and track
2 of the magnetic stripe of the card.
Swipe Terminal: POS credit card terminals.
Two-factor Authentication: Authentication requiring two different methods confirming identity
typically based on something the user has (e.g. a card, a key, a fingerprint) and something the user
knows (e.g. a password).
Web Development: The design, development, implementation and management of the front-end of
the eCommerce application.
III. General Guidelines
A. Any University unit wishing to accept credit/debit cards for goods and/or services must complete a Credit/Debit Card Processing Application.
B. Upon approval, the Business Affairs office will request a merchant ID, if a separate merchant ID is necessary, for the college or department from the merchant services provider. If the college or department will be conducting e-Commerce, an e-Commerce merchant ID must be established which is separate from any POS merchant ID.
C. The Business Affairs office will work with the college or department regarding the purchase of all POS terminals. All POS equipment printing a customer receipt is required to truncate the card number (i.e. no more than four digits of the credit card number may print on the customer’s receipt) and not display the expiration date of the card on the customer receipt.
D. If specialized software and/or systems are required for processing, the Financial Services Office, the University IT Security Officer, Internal Audit Department, and the applicable computer support unit will work with the college or department to ensure that processing standards and safeguarding measures are met.
E. University departments and colleges should NOT physically or electronically store ANY sensitive cardholder data. To the extent possible on e-Commerce transactions, the sale transaction should NOT take place on University computers or network resources. It is acceptable for Point of Sale devices to store the sensitive cardholder data on their device until transactions are settled; once settlement occurs, no information should be stored electronically.
F. UNC Charlotte academic and business units are prohibited from accepting credit/debit card information via email.
G. UNC Charlotte academic and business units are prohibited from establishing web sites to receive and/or process credit/debit card information outside of the allowed e-commerce web infrastructure.
H. All fax machines that receive cardholder information must reside in a physically secure and controlled access location.
I. Only designated personnel, who have completed training, may have access to fax machines that can receive credit card information.
J. All sensitive cardholder information physically received by the University must be accompanied with an audit history.
K. Departments should maintain adequate records of the sales transactions. Daily sales totals, logs, etc. substantiating revenue should be stored in accordance with state record retention policies and the current Merchant Services Plan.
L. Individual receipt slips and other documents, whether physical or electronic, with sensitive cardholder data must:
1. be stored in a physically secure location
2. be in a limited access location
3. only be accessed by individuals who have completed training
4. only be accessed by individuals who have had background checks
M. On a daily basis, the department must balance transactions and settle their sales electronically to the merchant services provider.
N. The department will complete and send the Cashier’s Credit Card Book Receipt Form to the Cashier’s Office so that the sales revenue can be recorded in the University accounting system. The Cashier’s Credit Card Book Receipt Form, along with a copy of the sales report from the card processor, and a copy of the detail report from the POS terminal should be brought to the Cashier’s Office no later than noon of the day following settlement. The Cashier’s Credit Card Book Receipt Form is available at the Financial Services website (http://www.finance.uncc.edu/FormsNew.htm).
O. At the time of disposal, all documents containing sensitive cardholder data should be shredded using a cross-cut shredder.
P. All departments accepting credit/debit cards for payment must comply with the UNC Charlotte Credit/Debit Card Processing Regulation.
IV. Guidelines for Point-of-Sale (POS) Transactions
A. The Business Affairs office will coordinate all credit/debit card processing for the University. No individual department may enter into a contract with a credit/debit card processor without approval of the Vice Chancellor of Business Affairs or his/her delegate(s).
B. All card transactions will be processed on equipment compatible with the processing platform(s) of the University’s merchant services provider. The University’s merchant services provider is determined by UNC Charlotte in accordance with the North Carolina Office of the State Controller.
C. All customer receipts must truncate the card number so that only the last four digits are printed and must not display the card expiration date.
D. Departments requiring customized equipment for point-of-sale transactions must contact the Business Affairs office before such equipment is purchased. ITS Information Security will also be consulted prior to equipment purchase.
E. In order to reduce fraud, credit card companies and UNC Charlotte require the following procedures for processing cards when the card is present (i.e. a face-to-face transaction):
1. Ask for an ID at the point of sale to verify that the card member is using the card.
2. Always swipe the card through the terminal/point-of-sale device, if applicable.
3. Obtain authorization for every card sale.
4. Ask the customer to sign the sales receipt.
5. Match the embossed number on the card to the four digits of the account number displayed on the terminal.
6. Compare the name and signature on the card to those on the transaction receipt.
7. If you believe the card member or card sale is suspicious, call your voice authorization center for the card being used.
F. If cardholder information is taken over the phone or via fax (i.e. the card is not present), the following guidelines are required in order to reduce fraud:
1. Obtain the cardholder name, billing address, shipping address (if different from the billing address and if applicable), account number, and expiration date.
2. Verify the customer's billing address either electronically (by entering the zip code in the POS device) or by calling the credit card automated phone system (Address Verification System - AVS).
3. Request the Security Code (the three-digit code on the back of the card in the signature panel) and validate the code at the time of authorization either electronically (through the POS device) or by calling the credit card automated phone system. This code should be destroyed once validated; it should not be stored physically or electronically.
4. Get a signature for each delivery that is not the card member.
5. Maintain credit card receipts and all delivery records for the retention period defined in the current Merchant Services Plan.
G. All point-of-sale terminal transactions must be batched and transmitted to the card processor on a daily basis.
H. Sales totals (net of refunds) must be reported to the Cashier’s Office on a Cashier’s Credit Card Book Receipt Form. The Cashier’s Credit Card Book Receipt Form, along with a copy of the sales report from the card processor, and a copy of the detail report from the POS terminal should be brought to the Cashier’s Office no later than noon of the business day following settlement.
I. It is important that departments reconcile their POS transactions and report the sales amounts to the Cashier’s Office. The department’s Cashier’s Credit Card Book Receipt Form should be the origination point; the Cashier’s Office should not report the sales amount per the credit card processor reports to the department in order for the department to prepare the transmittal.
J. The Cashier’s Office will compare the sales amount per the Cashier’s Credit Card Book Receipt Form to the records at the card processor and will immediately inform the department of discrepancies. All discrepancies should be resolved within 24 hours so that sales can be posted to the departmental account in the UNC Charlotte accounting system on a timely basis.
K. When the Cashier’s Office receives charge back inquiries from the credit card companies, the applicable department will be contacted to provide the necessary information about the sales transaction in question.
V. e-Commerce Transactions
A. The Business Affairs office will coordinate all e-Commerce processing for the University. No individual department may enter into a contract with a card processor without approval of the VCBA, CIO or delegate(s).
B. Departments must contact the Business Affairs office prior to purchase of specialized software or equipment so that customized processing applications are reviewed in conjunction with regulation and procedures. The Business Affairs office, the University IT Security Officer, Internal Audit Department, and the applicable computer support unit will work with the department to ensure that processing standards and safeguarding measures are met.
C. All card transactions will be processed through a payment gateway(s) approved by the VCBA and the CIO.
D. Card processing transactions must be performed on the website of the payment gateway (i.e. the customer should enter sensitive cardholder data on a payment engine website) and NOT on University computer or network resources.
E. No college or department may store ANY sensitive cardholder data on any UNC Charlotte computing device. All Sensitive Cardholder data must be maintained by an approved service provider. All outside service providers must comply with Visa CISP.
F. All e-Commerce transactions must be processed in real time or batched and/or transmitted to the merchant services provider on a daily basis.
G. Sales totals (net of refunds) must be reported to the Cashier’s Office so that the sales revenue can be recorded in the University accounting system. The Cashier’s Credit Card Book Receipt Form, along with a copy of the sales report from the card processor, and a copy of the detail report from the POS terminal should be brought to the Cashier’s Office no later than noon of the day following settlement. The Cashier’s Credit Card Book Receipt Form is available at the Financial Services website.
H. It is important that departments reconcile their e-Commerce transactions and report the sales amounts to the Cashier’s Office. The department’s Cashier’s Credit Card Book Receipt Form should be the origination point; the Cashier’s Office should not report the sales amount per the credit card processor reports to the department in order for the department to prepare the transmittal. Departments will be given web access to the payment manager database which houses the card transactions. This will enable the department to perform reconciliation and research.
I. The Cashier’s Office will compare the sales amount per the Cashier’s Credit Card Book Receipt Form to the records at the card processor and will immediately inform the department of discrepancies. All discrepancies should be resolved within 24 hours so that sales can be posted to the departmental account in the UNC Charlotte accounting system on a timely basis.
J. When the Cashier’s Office receives charge back inquiries from the credit card companies, the applicable department will be contacted to provide the necessary information about the sales transaction in question.
VI. e-Commerce Required Technical Security Procedures
A. All servers that process or link to a server that handles Sensitive Cardholder data and processes credit card payments must have the following in place:
1. A host-based firewall technology preventing connections from all ports except a specific subset (e.g. 443 for secure web transactions, IP-restricted port 22 for system administration). All firewall rules must be documented and modifications approved.
2. Host-based intrusion detection in place to monitor and alert personnel of suspected compromises.
3. All Microsoft Windows computers must run up-to-date anti-virus software.
4. File integrity monitoring to an external system for critical system and application files for inappropriate/unauthorized modifications. Reviews for potential changes must occur daily.
5. System logging or auditing to an external server for all critical operating system modifications (e.g. all logins, unauthorized file access attempts), with the log maintained for at least 6 months.
6. A single function (e.g. application or database) is implemented per server.
7. Security patches must be tested and, if possible, applied within one week of vendor release. All patches must be applied, or documentation explaining the implementation problem provided, within 30 days. A change log must be maintained for all servers.
8. Passwords must be at least 8 characters long, be complex (include a number or special character), expire after 90 days or less, not reuse any of the last 4 passwords, and be stored in an encrypted or hashed format.
9. All accounts must be disabled after 30 days of inactivity and, if not re-enabled and actively used, removed after an additional 60 days. The only exception is emergency accounts used for system recovery and not used regularly.
10. All system patches must be applied to a new computer before connecting to the network. All default account names and default passwords must be changed before connecting to the network. All computer security configurations and services/daemons must be reviewed before connecting to the network.
11. Vulnerability testing must be performed on associated computers every 30 days, with penetration testing at least annually.
12. Allow computer access only by uniquely assigned and auditable IDs.
B. All servers that process or link to a server that handles Sensitive Cardholder data and processes credit card payments must have the following provisions in place for network and modem connectivity:
1. A network-based firewall preventing inappropriate/unauthorized access from outside the academic/business unit or specific authorized computers.
2. An intrusion detection system and/or intrusion prevention system monitoring for unauthorized access attempts.
3. 24/7 monitoring of network-based firewall and IDS/IPS systems for potential penetrations and 24/7 on-call expertise for potential security incidents.
4. Two-factor authentication for routers servicing all computers connecting to, handling, processing, or storing credit card numbers.
5. Specific authorization for modem connections. All modem connections must be outbound only.
6. All data transfers and administrative access must be in an encrypted format (e.g. SSL, SSH, IPSEC).
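As an added example (not part of the University's procedures), the rules in A.1, A.6, A.7, A.8, A.9 and A.11 above expressed as an audit over a constructed server inventory record; the host name, the administration subnet and every date are assumed values, and the finding strings are this example's own wording:

```python
from datetime import date

# Constructed inventory record for one payment-linked server: the host name, the
# administration subnet and every date are assumed values for this illustration.
ADMIN_NET = "10.10.0.0/24"                  # assumed system-administration network (A.1)
TODAY = date(2024, 6, 30)                   # assumed audit date

SERVER = {
    "name": "pay-app-01",
    "roles": ["application"],               # A.6: one function per server
    "firewall": [                           # A.1: (port, allowed source)
        (443, "0.0.0.0/0"),
        (22, ADMIN_NET),
        (3306, "0.0.0.0/0"),                # violation: database port reachable from anywhere
    ],
    "patches_pending": [                    # A.7: (patch id, vendor release date, documented waiver)
        ("PATCH-A", date(2024, 5, 1), None),     # 60 days old, nothing documented
        ("PATCH-B", date(2024, 6, 20), None),    # 10 days old, past the one-week target
    ],
    "last_vuln_scan": date(2024, 5, 10),    # A.11: every 30 days
    "last_pentest": date(2023, 9, 1),       # A.11: at least annually
    "accounts": [                           # A.8/A.9: (user, password set on, last login, emergency?)
        ("alice", date(2024, 5, 1), date(2024, 6, 29), False),
        ("bob", date(2024, 1, 1), date(2024, 6, 29), False),      # password older than 90 days
        ("carol", date(2024, 4, 1), date(2024, 5, 15), False),    # idle more than 30 days
        ("dave", date(2024, 2, 1), date(2024, 3, 1), False),      # idle more than 30 + 60 days
        ("rescue", date(2024, 4, 1), date(2024, 1, 1), True),     # emergency account, exempt from A.9
    ],
}


def audit_server(srv: dict, today: date = TODAY) -> list:
    """Return one finding per rule violation; an empty list means the record passes."""
    findings = []
    # A.1: 443 may be reachable from anywhere, 22 only from the admin network, nothing else.
    for port, src in srv["firewall"]:
        if port == 443 or (port == 22 and src == ADMIN_NET):
            continue
        findings.append(f"firewall: port {port} reachable from {src}")
    # A.6: a single function per server.
    if len(srv["roles"]) != 1:
        findings.append(f"roles: {len(srv['roles'])} functions hosted on one server")
    # A.7: apply within a week where possible; after 30 days the delay must be documented.
    for pid, released, waiver in srv["patches_pending"]:
        age = (today - released).days
        if age > 30 and waiver is None:
            findings.append(f"patch {pid}: unapplied for {age} days with no documentation")
        elif age > 7:
            findings.append(f"patch {pid}: unapplied for {age} days, past the one-week target")
    # A.11: vulnerability scan every 30 days, penetration test at least annually.
    if (today - srv["last_vuln_scan"]).days > 30:
        findings.append("vulnerability scan older than 30 days")
    if (today - srv["last_pentest"]).days > 365:
        findings.append("penetration test older than one year")
    # A.8: password age; A.9: disable at 30 idle days, remove after a further 60.
    for user, pw_set, last_login, emergency in srv["accounts"]:
        if (today - pw_set).days > 90:
            findings.append(f"account {user}: password older than 90 days")
        if emergency:
            continue                        # the one exception named in A.9
        idle = (today - last_login).days
        if idle > 90:
            findings.append(f"account {user}: remove (idle {idle} days)")
        elif idle > 30:
            findings.append(f"account {user}: disable (idle {idle} days)")
    return findings
```

Running `audit_server(SERVER)` on the record above yields eight findings; a record with only port 443 exposed, no pending patches, current scans and no stale accounts yields none.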
VII. Credit card number storage requirements
A. No Sensitive Cardholder data may be stored on a University computer unless an exception to store Sensitive Cardholder data has been granted (see section XI). If Sensitive Cardholder data is stored on a University computer, it MUST be protected by encryption, hashing, or truncation. No complete credit card numbers will be stored on computers owned by UNC Charlotte in an unprotected manner. Standard encryption algorithms must use at least a 128-bit AES key. Minimum key lengths will be increased as computing processing power improves. Minimum key lengths for new encryption technologies must be provided with these guidelines prior to implementation. Keys must be in a single accessible location with backups. Keys must be changed every 90 days, and old keys must be deleted/destroyed after an additional 30 days.
The following additional requirements apply to computers storing credit card numbers and network connectivity beyond those noted in sections V and VI:
1. Accounts must lock out after six or fewer invalid login attempts and require manual re-enabling.
2. Sessions must time out after 15 minutes.
3. All accesses to credit card numbers must be logged.
4. All root access activities must be logged to an external server.
5. The system must not be openly accessible from any public network.
6. A dedicated firewall must be in place specifically for computers storing credit card numbers to prevent any public access to protected systems. Access is only permitted by exception by both IP and port.
7. Credit card numbers must not be stored in multiple locations with the exception of backups.
8. CVV2 information must not be stored beyond the transaction authorization point.
9. Two-factor authentication is recommended.
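As an added example (not code from the University's procedures), the receipt truncation of sections III.C and IV.C, the protect-before-storage rule and key schedule of VII.A, and item 8 above, applied to a constructed authorization response. A keyed hash (HMAC-SHA256 from the Python standard library) stands in for the "hashing" option of VII.A; the card number is the conventional 4111... test pattern rather than a real account, and the key and dates are assumed:

```python
import hashlib
import hmac
from datetime import date

# Constructed authorization response. The PAN is the conventional "4111..." test pattern,
# not a real account; the key is a placeholder for one kept in the location VII.A requires.
AUTH_RESPONSE = {"pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv2": "123",
                 "auth_code": "A1B2C3", "amount": "25.00"}
HASH_KEY = b"placeholder-key-rotated-every-90-days"
SENSITIVE_FIELDS = {"pan", "expiry", "cvv2"}   # must never reach storage after authorization


def normalize_pan(pan: str) -> str:
    """Strip formatting and reject anything that is not a 13-19 digit account number."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return digits


def mask_pan(pan: str) -> str:
    """Receipt form of the number: no more than the last four digits (III.C, IV.C)."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def receipt_lines(auth: dict) -> list:
    """Customer receipt: truncated number, no expiration date, no security code."""
    return [f"Card: {mask_pan(auth['pan'])}",
            f"Amount: {auth['amount']}",
            f"Auth: {auth['auth_code']}"]


def storage_record(auth: dict, key: bytes) -> dict:
    """What may be kept after authorization: a keyed hash plus the last four digits stand in
    for the number (VII.A hashing/truncation); expiry and CVV2 are deliberately not copied.
    The hash is keyed because the card-number space is small enough that an unkeyed
    SHA-256 of a PAN can be reversed by enumerating candidate numbers."""
    digits = normalize_pan(auth["pan"])
    tag = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return {"auth_code": auth["auth_code"], "amount": auth["amount"],
            "last4": digits[-4:], "pan_hmac": tag}


def contains_sensitive(record: dict) -> bool:
    """Guard to run before any write: True if a forbidden field slipped into the record."""
    return bool(SENSITIVE_FIELDS & set(record))


def key_action(created: date, today: date) -> str:
    """VII.A key schedule: rotate at 90 days; destroy the retired key 30 days after that."""
    age = (today - created).days
    if age > 120:
        return "destroy"
    if age > 90:
        return "rotate"
    return "active"
```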
VIII. Physical security requirements
A. All servers that have been granted an exception to store Sensitive Cardholder data, and those servers that process or link to a server that processes credit card payments, MUST have the following provisions in place:
1. The servers MUST be located in the Information and Technology Services (ITS) Data Center.
   A. Servers placed in a separate locked room within the data center or within locked racks.
   B. Video surveillance must be maintained on the servers.
   C. All access to servers by anyone except employees specifically approved for access to the credit card numbers must be escorted continuously.
2. The Data Center must log all room access (maintained for at least 90 days), maintain video surveillance of room ingress and egress, and provide identification for easily distinguishing employees, visitors, and inappropriate access. Visitors must be issued a Data Center ID that must be returned or issued a temporary ID and continuously escorted.
3. All backup media must be secured on site, off site, and in transit. All transportation must be handled by approved University employees or bonded couriers.
IX. Outsource requirements
A. Any unit may outsource its credit card transaction processing so long as the outsourcing is to an approved vendor as selected by the Business Affairs office. This is the preferred method of processing credit card transactions. This option transfers the risk to the outsourced service. Approval for credit card transaction processing must follow the standard approval process. Contracts must address these elements:
1. Compliance with all appropriate credit card company security requirements.
2. Service level agreements.
3. Defining data retention and destruction requirements.
X. Review process of credit card transaction processing request
A. Document the business need for accepting credit card transactions in a new unit or location.
B. Meet with the Business Affairs office for justification and approval of the business case.
C. Meet with Information Security to evaluate options and costs for implementation (using existing facilities, implementing separate facilities, or outsourcing transaction processing).
D. Meet with the CIO or delegate(s) for technical approval of implementation.
E. Meet with UNC Charlotte Legal Affairs to ensure all contracts meet federal, state, and contractual requirements.
XI. Exceptions to Regulation:
A. The Credit/Debit Card Processing Regulation or Procedures specifically allow for the possibility of an exception in order to temporarily store, in a secure manner, Sensitive Cardholder data on a University server (see Credit/Debit Card Processing Regulation section IV.8).
B. Any request for this specific exception should be made in writing to the VCBA and CIO and include the following:
1. Reason for requesting the exception.
2. Steps that are being taken to become compliant with the regulation.
3. Date expected to become compliant with the regulation.
C. The Business Affairs office and ITS Information Security will work with the VCBA and the CIO to review the request for exception. Following a review of the request, the final approval or denial will be made by the VCBA.