Payment Card Acceptance and Security (C-61)

Original Implementation: July 21, 2009
Last Revision: None

Purpose

The purpose of this policy is to apply best security practices to ensure the protection of payment card information by complying with Payment Card Industry (PCI) Data Security Standards (DSS). This policy is supplemental to any other information security policies currently in effect at Stephen F. Austin State University (university).

Resources Covered

All computers, electronic devices, or other resources at the university used in the processing, transmitting and storing of cardholder information are governed by this policy and subject to PCI-DSS requirements. This includes servers which store payment card information; workstations which are used to enter payment card information into a central system; cash registers, point-of-sale terminals connected to a phone line or the university network; and any other devices through which the payment card information is transmitted. Also covered are Web site storefronts that redirect customers to another Web site to enter payment information. In addition, all paper forms or receipts containing cardholder data are also covered under this policy.

Covered Groups

This policy applies to all university departments, faculty, staff, students, temporaries, vendors, associated entities, or any others who process, transmit, store or handle cardholder information in physical or electronic format on behalf of the university. This policy also applies to any affiliated organizations with cardholder information that is processed, transmitted or stored on systems connected to the university network or through assets or equipment owned by the university.

Definitions

Affiliated Organizations: An entity that uses systems connected to the university network or assets or equipment owned by the university to process, transmit or store cardholder information.

Cardholder: The customer to whom a credit card or debit card has been issued or the individual authorized to use the card.

Payment card information: Any personally identifiable information associated with a cardholder (e.g., cardholder name, account number, expiration date, address, social security number, personal identification number and card validation code).

Payment card: General term which includes both debit cards and credit cards.

Payment Processor: Any individual, department, school, or other functional area accepting payment cards in exchange for goods or services on behalf of university or an affiliated organization.

Payment Card Industry (PCI) Data Security Standards (DSS) are the result of collaboration between the five major credit card brands to develop a single approach to safeguarding cardholder data. The PCI standard defines a series of best practices for handling, transmitting and storing cardholder data.

Responsibilities

  1. The vice president for finance and administration (VPFA) is responsible for oversight of the PCI compliance program (program).  The VPFA will designate specific responsibility for the development, implementation and administration of the program.
  2. The designated program representative(s) will review and approve all requests to accept payment cards, perform all necessary actions to ensure PCI compliance and respond to any suspected payment card information threat.
  3. Payment card processors will establish and maintain documented procedures for complying with this policy and PCI-DSS.


Requirements

  1. PCI-DSS compliance is mandatory for any department or affiliated organization that accepts, captures, stores, transmits and/or processes payment card information.
  2. Only authorized and properly trained employees, vendors, and temporaries may accept and/or access payment card information.
  3. Each person who has access to payment card information is responsible for protecting the information.
  4. Payment card processors must obtain advance approval from the VPFA's designated program representative(s) before accepting payment cards for payment of goods or services, or before entering into any contracts or purchases of software and/or equipment related to payment card processing.  Once approved, copies of contracts must be forwarded to the designated program representative(s).
  5. Payment processors are required to use the university's preferred electronic payment service.  Exceptions may be granted only after a request from the payment processor has been reviewed and approved by the designated program representative(s).  When an exception has been granted, the payment processor remains responsible for ensuring that the vendor providing electronic payment services is PCI compliant and provides ongoing certification of compliance.
  6. Payment processors who have been granted an exception from using the university's electronic payment system and who process payment cards on a personal computer (PC) must designate that PC for the exclusive use of payment card processing. Any PC designated exclusively for payment card processing must be configured and maintained by Information Technology Services (ITS).
  7. Payment cards must not be processed, stored or transmitted using the university's network unless both of the following requirements have been met: (1) the designated program representative has reviewed and approved the request to accept payment cards, and (2) the designated program representative has verified the existence of all technical controls required by the PCI-DSS and other applicable university policies.
  8. Contracts with third parties that have access to cardholder data must include standard language requiring adherence to the PCI-DSS.
  9. All systems used to process, store or transmit payment card data must be registered with the designated program representative.
  10. Suspected theft of payment card information must be reported immediately to the Controller's Office or the VPFA.  Any suspected breach of the network must be reported immediately to the director of information technology.
  11. Printed receipts or other physical materials containing cardholder information must be stored in a secure environment until they are processed.
  12. Unencrypted wireless, email, fax and campus mail are not recognized as secure methods for transmitting or accepting cardholder data. Cardholder data must not be transmitted in an unsecure manner.
  13. Payment card information must be retained as required by State of Texas record retention guidelines.
  14. Payment card information must be destroyed in a secure manner as soon as it is no longer needed.


Enforcement

Periodic reviews may be performed to validate compliance with this policy.  Failure to follow the requirements of this policy will result in suspension of the department's or affiliated organization's authorization to accept payment cards.  Substantial fines may also be imposed by the credit card companies if a security breach and subsequent compromise of payment card data occurs.


Cross Reference: PCI Security Standards; Policy C-5, Receipts and Deposits; State of Texas Record Retention Guidelines

Responsible for Implementation: Vice President for Finance and Administration

Contact for Revisions: Vice President for Finance and Administration

Forms: Application for Exception from Use of University Preferred Electronic Payment Service, Statement of Intent to Comply with the University Policy for Payment Card Acceptance and Security, Payment Card Processor Registration Form, Confidentiality Statement