ºÚÁϳԹÏÍø

PCI-DSS Procedure and Incident Reporting

• PCI-DSS Information

  Executive Summary and Purpose 

  This Credit Card Acceptance and Processing Policy provides requirements and guidance for all credit card activities for the ºÚÁϳԹÏÍø.  Employees approved as merchants and their respective departments are responsible for being aware of and complying with all terms and conditions included in the full policy and not just those outlined in this executive summary. 

  This policy is in compliance with the credit card industry’s PCI-DSS (Payment Card Industry Data Security Standard) as set by Visa and the other major credit cards () 

  The Credit/Debit Card Policy supersedes and replaces all other campus policies and procedures for all issues related to the scope of this policy. 

  1. Scope

  The Credit/Debit Card Policy encompasses people, processes, and systems and as such applies to: 

  • All computing and network resources with regard to credit card processing.   

  • Any free-standing credit card processing unit or Point of Sale system. 

  • All departments, affiliates, and employees of the ºÚÁϳԹÏÍø who accept and process credit card payments in the conduct of College business. 

  • All approved external organizations contracted by the aforementioned parties to provide outsourced services for credit card processing for College business. 

  • All approved departments, affiliates and employees of the ºÚÁϳԹÏÍø who provide credit card processing services for third parties. 

  1. Definitions

  • Account Number: The unique number identifying the cardholder’s account which is used in processing financial transactions. 

  • Breach Notification Laws: Governing laws that require a merchant to notify customers of a data breach that results in loss or theft of that customer’s personally identifiable information (PII).  

  • Business Continuity Plan (BCP): A documented plan for maintaining business operations in the event of a disaster or breach. A supplemental document will be provided by the Treasurer’s Office, IT Information Security and IT Network Engineering to detail the required elements of a Business Continuity Plan.  

  • Cardholder data: Cardholder data is any personally identifiable data associated with a cardholder. Examples include but are not limited to an account number, expiration date, name, address, social security number, etc. 

  • Cardholder Data Environment: The location where cardholder data is stored, processed or transmitted. 

  • Commerce Server Data Environment: The location of a physical or virtual server machine used in the processing, transmitting or storing of cardholder data. 

  • Data Compromise: The exposure of sensitive or personally identifiable information (PII) resulting from either intentional security breach (an “attack”) or human error. 

  • Data Security Breach: The act of circumventing security controls on a system, thus allowing unauthorized access to data via an attack on the system. Data may or may not be compromised during a security breach.  

  • Disaster Recovery Plan: A documented plan for information technology continuity in light of a disaster, emergency or breach that details incident response testing procedures and data back-up procedures. A supplemental document will be provided by the Treasurer’s Office and Information Technology to detail the required elements of a disaster recovery plan. 

  • ISO 27002: The International Standards Organization document defining computer security standards. 

  • Payment Application Data Security Standard (PA DSS): A set of requirements derived from and closely related to the PCI DSS, but intended to illustrate for payment software vendors what is required for their payment software applications to facilitate and not prevent their customers’ PCI DSS compliance. 

  • Payment Card: Any credit, debit or pre-paid credit/debit card. All payment card activity for ºÚÁϳԹÏÍø is monitored by the Treasurer’s Office. 

  • Payment Channel: The hardware/software used to conduct a payment transaction. 

  • Personally Identifiable Information (PII): Information that can be used to uniquely identify, contact or locate an individual, or information that can be used in conjunction with other sources to uniquely identify an individual. In the case of payment card data, PII can be all printed and non-printed information contained on a payment card that identifies the customer. The Treasurer’s Office and General Counsel will identify and periodically update PII applicable to the Policies and Procedures s revisions to industry regulations and other security factors require. 

  • In the context of payment card operations, it is strictly prohibited for a ºÚÁϳԹÏÍø entity to retain the following elements of PII: credit/debit card number, Card Validation Code (CVC), customer’s PIN or contents of the magnetic stripe of a payment card. 

  • Payment Card Industry Data Security Standard (PCI DSS): The Payment Card Industry Data Security Standard is the result of collaboration between the major credit card brands to develop a single approach to safeguarding sensitive data. The PCI DSS defines a series of requirements for handling, transmitting and storing sensitive data. Entities engaged in any form of payment card processing must comply with these standards as a condition of their payment card processing contracts. A copy of the PCI DSS can be obtained at  

  • POS Device: Point of Sale (POS) computer or credit card terminals either running as stand-alone systems or connecting to a server either at the ºÚÁϳԹÏÍø or at a remote off site location. 

  • Processing Method: The means by which authorized departments accept payment cards. Payment card transactions can only be accepted via walk-in (face-to-face) payment, telephone (in authorized locations only.  Telephone calls cannot be recorded) or customer-initiated online payment. Tuition/fee payments are accepted only as customer-initiated through the MyºÚÁϳԹÏÍø or in person. No department may accept a payment card transaction or payment card information via mail, email, fax, any end-user messaging technology or on a website that collects payment card information unless the site is authorized by the Treasurer’s Office via a system usage waiver. 

  • Risk Assessment: A documented process used to identify and qualitatively and/or quantitatively evaluate risks and their potential effects, including brand damage and monetary effects. A supplemental document will be provided by the Treasurer’s Office and Information Technology to detail the required elements of a Risk Assessment.   

  • Sensitive Cardholder data: Sensitive Cardholder data is defined as the account number, expiration date, CVC2/CVV2/CID (a three or four digit number displayed on the signature panel of the card or in the case of American Express on the face of the card), and data stored on track 1 and track 2 of the magnetic stripe of the card. 

  • Web Development: The design, development, implementation and management of the user interface of the e-commerce application 

  1. Statement of Policy

  Responsibility of College Departments 

  All departments that manage credit card transactions must adhere to strict procedures for ensuring that data is secure at all times. Regardless of which credit card vendor is used, the ºÚÁϳԹÏÍø faces steep penalties, including fines and lost business, or revocation of card processing privileges if credit card data is stolen. 

  All ºÚÁϳԹÏÍø divisions and departments desiring to accept payment for financial transactions electronically via the Internet using e-commerce are required to process all transactions through gateways approved by the Treasurer’s Office. The College provides PCI ready solutions, such as TouchNet’s MarketPlace, to appropriately handle these transactions.  All requests for access to credit card acceptance must be made to the Treasurer’s Office. 

  Types of E-commerce: 

  • Web Sites: The College provides secure and PCI compliant transactions through TouchNet’s MarketPlace product.  The MarketPlace () is available to all departments at CofC.  To find out more please contact the Treasurer’s Office at treasurer@cofc.edu. 

  • E-Mail:  Credit card information should never be solicited or accepted by email.  This presents a risk to both the credit card holder and the College.  

  • Products or services provided by e-commerce sites are limited to those that support the ºÚÁϳԹÏÍø mission. 

  Approved Process: 

  The approval process for all credit card activities will be as follows: 

  The Treasurer, or named delegate(s), must approve all requests to begin accepting credit cards at the ºÚÁϳԹÏÍø before a unit enters into any contract or purchase of software and/or equipment. This requirement applies regardless of the transaction method used (e.g. e-commerce, POS device, or e-commerce outsourced to a third party). All credit card processing equipment should be provided to the Treasurer’s Office and all personnel processing credit cards must receive PCI training. 

  All technology implementations (including approval of authorized payment gateways) associated with the credit card processing must be in accordance with the Credit/Debit Card Policy and approved by the Treasurer, VP of Fiscal Services, Procurement, and Information Technology Dept. prior to entering into any contract or purchasing software and/or equipment. 

  Sensitive cardholder data must not be stored in any way on the ºÚÁϳԹÏÍø computers or networks. Credit card numbers should never be written down nor appear in emails or fax documents. 

  All unsolicited credit card information must be destroyed using a crosscut shredder. 

  Third party vendors must not collect or track customer information (e.g., web bugs, cookies, software buffers). 

  Maintaining Standards: 

  Departments and events approved for credit card processing activities must maintain the following standards: 

  All approved employees including students involved in e-commerce or POS transactions must understand all requirements as outlined in the Credit/Debit Card Policy.  The Treasurer’s Office must be provided a list of all individuals handling payment transactions per the Cash Receipts Policy and the list must be kept current noting any changes in personnel and business processes.  All employees involved in credit card processing, including Information Technology, Public Safety, Physical Plant and MarketPlace users, must complete PCI training prior to credit card acceptance or gaining access to network access areas on campus. 

  All servers and POS devices will be administered in accordance with the requirement of the PCI-DSS standards. 

  Access to credit card processing systems and related information must be restricted to appropriate personnel.  In some cases personnel may be subject to background and credit checks prior to participating in the processing of credit card payments. 

  Each department responsible for credit card processing will be subject to an Annual Self-Assessment Questionnaire and a Quarterly Network Scan as scheduled by the Information Technology department. All systems processing cardholder data must comply with the Credit/Debit Card Policy and the associated procedures. The College’s IT Department and the Treasurer’s Office will assist in the initial self-assessment. To combat the loss of payment card information to hackers, e-commerce sites must comply with all security requirements as outlined in the PCI-DSS standards (). 

  Third party source code (HTML, CGI or script) should be provided to the Treasurer’s Office and/or Information Technology at the ºÚÁϳԹÏÍø upon request. 

  Third parties providing payment gateways or who interact in any way with credit cards as a form of payment must provide certification of PCI-DSS or PA-DSS compliance annually. These documents must be provided to the Treasurer’s Office each year. 

  All third party vendors must provide evidence of adequate liability insurance.  The State of South Carolina regulations currently require coverage of $5 million per occurrence or $10 million aggregate. 

  Only approved ºÚÁϳԹÏÍø logos may be used on e-commerce sites existing within the ºÚÁϳԹÏÍø domain. 

  1. Revisions and Exceptions

  The Credit/Debit Card Policy may be revised only with approval of the Vice President of Fiscal Services and Executive Vice President for Business Affairs. The Vice President of Fiscal Services may grant written exceptions to the policy in extreme circumstances and will notify the Executive Vice President for Business Affairs, Treasurer, Chief Information Security Officer and Internal Auditor. 

  1. Compliance

  Failure to comply with the Credit/Debit Card Policy and the above referenced procedures will be deemed a violation of College policy and will result in suspension of electronic payment capability for the affected department. Additionally, fines may be imposed by the affected credit card company, generally $50,000 for the first violation. Technology that does not comply with the Credit/Debit Card Policy and the associated PCI-DSS standards will be disconnected from network services. 

  1. Communication

  Upon approval, the Credit/Debit Card Policy shall be published on the ºÚÁϳԹÏÍø Hub. The Treasurer, Chief Information Security Officer and Internal Auditor will recommend subsequent revisions to the Credit/Debit Card Policy for approval by the Vice President of Fiscal Services and Executive Vice President for Business Affairs. 

• Incident Reporting Procedure

  Incident Reporting

  All departments engaging in payment card processing are responsible for immediately reporting a suspected incident of any machine used in card processing.

  Campus-wide Security Incident Reporting information can be found at /it/index.php

  IF THERE IS A SUSPECTED OR ACTUAL BREACH, IMMEDIATELY FOLLOW THESE STEPS:

  1. Cease use of any suspect machine.
  2. Do not turn off the machine.
  3. Immediately report an incident, using the Credit Card Security Breach Report.

  The Treasurer’s Office and/or Information Security and/or Public Safety will begin an investigation into the incident. Do not resume processing until approved by the Treasurer’s Office. 

  False reports will be subject to disciplinary action.

  Notification Procedures in Case of Breach of Privacy

  ºÚÁϳԹÏÍø takes several measures to ensure the privacy of personally identifying information it collects and maintains about faculty, staff, and students.

  The ºÚÁϳԹÏÍø Information Technology department hosts servers that may have sensitive data in a controlled access area. Servers are secured with firewalls, virtual private networks, data access monitoring software, and passwords, as well as other methods.

  Access to personally identifiable information is limited to those employees with a legitimate, job-related need to know. Employees have access only to those data elements which they actually need for designated purposes, and access is controlled through an electronic desk system and other security access systems. There is regular review of those data elements to which individual employees are allowed access.

  If security is breached and personally identifying information is compromised, the College will immediately notify law enforcement officials including, as appropriate, CofC Public Safety, the FBI, the U.S. Secret Service, the U.S. Postal Inspection Service and/or other law enforcement agencies.

  The College will contact everyone whose identity may have been put at risk, regardless of whether personal data appears to have been accessed or extracted. It will also notify the campus community about the security breach through electronic and others means. The notification will include the following information:

  • Exactly when and how did the breach occur, and when was the breach detected?
  • How many individuals are affected?
  • What personal information was put at risk?
  • Does the College know whether any information was stolen?
  • What procedures did the College follow with regard to the security breach?
  • How should individuals respond if they discover fraudulent use of their personal information?
  • What steps is the College taking to prevent illegal access of confidential information in the future?
  • What has the College done to notify those affected?
  • Who can respond to additional questions concerning this security breach?

  The custodian of the data is responsible for notifying those affected by an electronic security breach. In the case of a non-electronic security breach, the office or department where the breach occurred will be responsible for notification.

  Incident Response Team

  The Incident Response Team is established to provide a quick, effective and orderly response to computer related incidents such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, breach of personal information, and other events with serious information security implications. The Incident Response Team’s mission is to prevent a serious loss of profits, public confidence or information assets by providing an immediate, effective and skillful response to any unexpected event involving computer information systems, networks or databases. The Incident Response Team is authorized to take appropriate steps deemed necessary to contain, mitigate or resolve a computer security incident. The Team is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting findings to management and the appropriate authorities as necessary. The Incident Response Team will subscribe to various security industry alert services to keep abreast of relevant threats, vulnerabilities or alerts from actual incidents.

  Incident Response Team Members

  Each of the following members will have a primary role in incident response.

  Treasurer

  Chief Information Security Officer

  Senior Information Security Analyst

  Network Manager/Senior Architect

  Each of the following members may provide supporting roles during incident response.

  Vice President Finance and Administration

  Information Technology Service HelpDesk

  CIO

  Internal Audit

  Incident Response Team Roles and Responsibilities:

  Treasurer:

  • Notifies members of the team that the breach occurred
  • Contacts merchant on campus to verify that they have followed all instructions
  • Escalates to executive management as appropriate
  • Contacts auxiliary departments as appropriate
  • Monitors progress of the investigation
  • Ensures evidence gathering, chain of custody, and preservation is appropriate

  Chief Information Security Officer

  • Determines the nature and scope of the incident
  • Contacts qualified information security specialists for advice as needed
  • Determines which Incident Response Team members play an active role in the investigation
  • Provides proper training on incident handling
  • Monitors progress of the investigation
  • Prepares a written summary of the incident and corrective action taken
  • Ensures evidence gathering, chain of custody, and preservation is appropriate

  Network Manager/Senior Architect

  • Analyzes network traffic for signs of denial of service, distributed denial of service, or other external attacks
  • Runs tracing tools such as sniffers, Transmission Control Protocol (TCP) port monitors, and event loggers
  • Looks for signs of a firewall breach
  • Contacts external Internet service provider for assistance in handling the incident, if necessary
  • Takes action necessary to block traffic from suspected intruder

  Senior Information Security Analyst

  • Monitors business applications and services for signs of attack
  • Reviews audit logs of mission-critical servers for signs of suspicious activity
  • Contacts the Information Technology Helpdesk with any information relating to a suspected breach
  • Collects pertinent information regarding the incident at the request of the Chief Information Security Officer
  • Examines system logs of critical systems for unusual activity

  Other Duties to Assign As Necessary

  • Ensures all service packs and patches are current on mission-critical computers
  • Ensures backups are in place for all critical systems

  Internal Auditor

  •  Periodically reviews policies and procedures for compliance with information security standards, PCI-DSS policies and Risk Assessment

  Payment Card Incident Response

  The Treasurer’s Office will coordinate all responses to suspected or confirmed payment card security incidents, with the assistance of IT Information Security and, if need, the Office of Public Safety.

  Payment card security incidents are defined as malicious attempts to access a payment system, successful attacks to compromise personally identifiable information (PII), or any unauthorized access to a payment system, including internal access outside of an employee’s job duties (even if accidental). Upon notification of a payment card security incident, the Treasurer’s Office and IT Information Security will begin an immediate investigation into the reason for and scope of the incident. All processing for that payment acceptance channel may be suspended until after the investigation is completed, and it is deemed safe to resume processing transactions.

  The purpose of this policy is to establish procedures to evaluate, contain and report any attempt to compromise any approved College processing method. All incidents will be reported using the . False reporting of an incident is considered unlawful and appropriate disciplinary action will be taken.

  Definitions

  All terms mentioned in this policy are defined in ºÚÁϳԹÏÍø PCI-DSS Policy and Procedures.

   

  All campus users of payment card information are required to know and fully understand all terms associated with this set of policies and procedures related to payment card processing, security and incident reporting.

  Department/Merchant Responsibility

  In the event of a payment card data security breach, the affected department/merchant is required to immediately notify the Treasurer’s Office using the and emailing the form to treasurer@cofc.edu, regardless of time of day. Training for designated incident response personnel within each payment card processing department will be conducted annually by the Treasurer’s Office.

  The affected department MUST discontinue processing transactions and disconnect all affected systems from the university network; DO NOT SHUT DOWN ANY EQUIPMENT.  All staff MUST remain logged off of the affected systems. The department MUST NOT resume normal business operations until notified by the Treasurer’s Office. This requirement is enforced for ALL ºÚÁϳԹÏÍø departments/merchants, regardless of the payment system used.

  If the breach is contained to one department/merchant, the Treasurer’s Office will assist that department with any required Payment Card Industry Data Security Standard (PCI DSS) post-incident reporting. If the department is found to be responsible for any compromise, the department can be penalized up to the immediate revoking of their processing privileges. Any financial loss incurred by the College resulting from inadequate controls or lack of adherence to PCI DSS, other industry security requirements and the College’s PCI policies may be charged to the department at the time of the breach.

  Departments MUST have their own disaster recovery, business continuity, and risk assessment policies and procedures in place. Those policies must be approved by the Treasurer’s Office and IT Information Security prior to implementation. The Treasurer’s Office can assist departments in drafting and revising procedures as industry or processing environment changes occur. Departmental staff should immediately notify the Treasurer’s Office of a suspected compromise, and the Treasurer’s Office and IT Information Security will coordinate any and all investigations into an incident that results in a data breach to that system. If an incident occurs, all audit logging for the external processing system is to remain functional during and after an incident.

  The Treasurer’s Office Responsibility

  The PCI DSS requires that ºÚÁϳԹÏÍø MUST complete the following if a payment card data security breach is detected:

  • Immediately contain the exposure of the breach.
  • Immediately notify the necessary institutional parties.
  • Prepare the Incident Response Report and file with the merchant bank within three business days.
  • Prepare a list of compromised accounts and file with the merchant bank within ten business days.

  The Treasurer’s Office will assess the situation and will immediately begin notifying necessary parties of the incident as appropriate. PCI DSS requires that the affected system be made unavailable until a forensic investigation is completed. The College will make the determination whether the circumstances surrounding the incident require notification of law enforcement.  

  • The Treasurer will notify the Vice President of Fiscal Services, the CIO, and the Executive Vice President for Business Affairs.
  • The Treasurer will notify the College’s acquiring banks.

  Annual testing of the College incident response plan is required to ensure all parties understand responsibilities for their area. The Treasurer’s Office will guide departments through the testing procedures. Departments with an active system usage waiver will also have their system tested as part of College’s annual incident response plan testing.