1.7 Appendix A

Payment Card Merchant Services and Payment Card Industry Data Security Standards (PCI DSS)

Overview

Credit and debit card payments are generally one of the most efficient and convenient ways to process payments for goods and services. A university School/College/Division unit that accepts payment cards from internal and/or external customers is a merchant.

As with any business transaction, there are responsibilities and risks that a merchant and its School/College/Division assume when they agree to process customer credit and debit card payments. These responsibilities include the need to comply with the university's contractual and legal requirements with the payment card companies. One of these contractual and legal requirements is the need to comply with the Payment Card Industry Data Security Standards (PCI DSS). The purpose of the PCI DSS is to protect cardholder data. PCI DSS provides a specific framework for creating, maintaining and protecting a secure payment card environment for customers using credit and debit cards.

The following link provides more detail about PCI DSS: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

POLICY

The Cashier's Office and Cash Management, in collaboration with Computing & Information Technology (C&IT), are responsible for overseeing the PCI DSS process. The Cashier's Office is responsible for approving all new requests to accept credit card payments by proposed merchants and termination of existing merchants. C&IT is primarily responsible for assessments of electronic transmission and storage of card payment data and for serving as the liaison with the network scanning service provider used by the university. If the Cashier's Office determines that a stand-alone merchant terminal is required, it will request that Cash Management establish the merchant account. Cash Management is responsible for assigning new merchant account numbers for stand-alone terminals, administering the overall annual PCI Self-Assessment Questionnaire and Attestation of Compliance process, and serving as the primary liaison with the university's banks regarding compliance with credit card company agreements, including PCI DSS related matters.

University Requirements

  1. Protect cardholder data.

  2. Must not store customer card information (physical or electronic).

  3. Within thirty days after the calendar year end, complete and submit an annual PCI DSS security self-assessment questionnaire and take any necessary corrective action(s) to comply with PCI requirements, along with any related costs associated with this responsibility.

  4. Take immediate corrective action to resolve any issues identified by PCI network scans.

  5. Notify the Cashier's Office in a timely manner of any changes of staff that have been authorized to process card payments, or that have been assigned responsibilities for the systems or business procedures used for processing the card payments.

  6. Assume responsibility for ensuring that any external vendor using a non-university system to process credit card transactions on their behalf adheres to the same PCI standards that the merchant must adhere to. Prior to implementation, all third party vendors that will access cardholder data must contractually agree to adhere to PCI DSS security requirements and to annually provide the university with a PCI DSS Certification of Compliance.  A Certification of Compliance must also be provided to the university Cashier prior to its approval of the initial third party vendor agreement.

  7. Refer all purchases of software that executes electronic credit card payments, and all contracts to have an external third party vendor process card payments, to the Cashier's Office for approval prior to submission to the Purchasing Department. Any such software purchases must be certified as PCI DSS compliant prior to purchase.

Violations of Policy and Consequences

If an existing merchant does not comply with the aforementioned university and PCI DSS requirements, their ability to process card payments will be terminated. In addition, annually, not later than 30 days after the calendar year end, each merchant must submit a completed PCI DSS security self-assessment questionnaire and document along with any necessary corrective action taken in order to comply with PCI DSS requirements.   Each merchant must take the necessary action(s) to correct any issues identified by PCI network scans as soon as possible, but depending on the severity of the issue, no later than one month after receiving the initial scan results that identified the non-compliance issue.

Other Violations that could result in termination include:

  1. Frequent failures to comply with PCI DSS requirements.

  2. Frequent failures of PCI network scans.

  3. Failure of a School/College/Division using an external vendor for any aspect of processing credit card transactions to obtain an annual certification from that vendor which states that their card payment application complies with the PCI standards.

  4. Failure to properly report compromises of customer cardholder information in a timely manner.

RESPONSIBILITIES/PROCEDURES

Responsibilities

Cashier's Office

  1. Shared responsibility for the oversight of the PCI process with Cash Management, especially as it relates to the CASHNet system.

  2. Responsible for initial evaluation of School/College/Division requests to begin processing card payments or proposed changes to existing card payment processes. Prepares and distributes PCI compliance information and educational materials to the Schools/Colleges/Divisions that process credit card payments.

  3. Responsible for CASHNet/eMarket site third party e-commerce accounts, including confirmation with the vendor regarding their systems' PCI compliance. Validation of CASHNet's PCI compliance should be provided by a 3rd party vendor providing this service (e.g., Trustwave).

Cash Management

  1. Shared responsibility for the oversight of the PCI process with the Cashier's Office, especially as it relates to stand-alone terminals.

  2. Charged with the administration of the bank merchant card contract, the 3rd party vendor providing PCI compliance scans, general oversight of the university PCI process and administration of the Self-Assessment Questionnaire and Attestation of Compliance process. These activities include requests for new merchant account numbers from the bank and maintenance of the list of Schools/Colleges/Divisions processing credit card payments.

  3. Provides the Cashier's Office and C&IT with new information regarding PCI standards related to their activities and supports the Cashier's Office's efforts to prepare informational/educational materials for the Schools/Colleges/Divisions processing credit card payments.

School/College/Division

  1. Responsible for compliance with university financial and cash controls, as well as the requirements and policies of the Payment Card Industry Data Security Standards (PCI DSS) which are shown above under University Requirements.

Failure to comply with approved safeguarding, storage and processing procedures may cause the School/College/Division to incur fines, restrictions and/or permanently lose the privilege to serve as a credit card merchant.  Any fines are the financial responsibility of the School/College/Division.

School/College/Division Business Office

  1. Responsible for the oversight of its School/College/Division's compliance with PCI DSS and university requirements, financial and cash controls, as well as timely submission of annual and any necessary interim updates. This includes submission of the PCI Self-Assessment Questionnaire and Attestation of Compliance and, if online credit card processing is used, ensuring compliance with the server scans.

Computing and Information Technology (C&IT), Information Security Office

  1. Provides assistance as needed for quarterly server scanning performed by the third party vendor. Also provides ongoing support to identify standard incident handling roles and to establish consistent processes and task(s) to manage a computer security event. Responsible for technical evaluation of PCI compliance of customer credit card information, including electronic storage and transmission.

  2. Performs random server scans, software validation for PCI compliance and other technical aspects associated with "hosting" online credit card processing. Responsible for administering the university-wide Incident Response Program (also called "Incident Handling Protocol Response").

Internal Audit

  1. As part of departmental audits for Schools/Colleges/Divisions that use merchant cards, performs evaluations to ensure that they are in compliance with PCI DSS industry standards.

PROCEDURES

A. Request for new credit card processing or change in method of accepting customer payments

Cashier's Office

  1. The Cashier's Office is responsible for the establishment and administration of the processes for the evaluation and approval of School/College/Division requests to begin processing merchant card payments or any subsequent changes proposed by a School/College/Division to their existing merchant card payment processes.

Cash Management

  1. If the Cashier's Office approves a request for a stand-alone terminal, Cash Management will obtain the merchant account from the bank.

B. Quarterly PCI DSS Compliance (Network scans)

School/College/Division  

  1. Each School/College/Division using the internet for processing credit card transactions should submit the vendor attestation of compliance to Cash Management, and also must comply with quarterly PCI network scan requirements.

C. Annual PCI Compliance

School/College/Division  

  1. Within 30 days after the calendar year end, each School/College/Division must submit the appropriate annual PCI compliance material as outlined in item 2.

  2. Those School/College/Divisions using stand-alone merchant terminals or CASHNet/E-market sites must complete the annual Self-Assessment Questionnaire and Attestation of Compliance, and those School/College/Divisions using a 3rd party software vendor or card payment processor must obtain an Attestation of Compliance from that vendor and complete the appropriate portion of the Self-Assessment Questionnaire and the Attestation of Compliance for the related School/College/Division operating procedures.

  3. These materials should be reviewed and approved by the appropriate School/College/Division Unit/Department head.

  4. These materials should then be submitted by those School/College/Divisions to the Cashier's Office for CASHNet/E-Market sites.

  5. Those School/College/Divisions using stand-alone merchant terminals or a 3rd party software vendor or card payment processor should submit these materials to Cash Management.

Cashier's Office and Cash Management

  1. The Cashier's Office (CASHNet and E-market sites) and the Cash Management Office (merchant terminals) will ensure that all participants are adhering to policy.

  2. Both areas will review the Annual Self-Assessment Questionnaire and Attestation of Compliance documents which they are responsible for overseeing. If they find these payment card responses inadequate, they will advise the School/College/Division to remedy the inadequacy immediately; only in special circumstances will the School/College/Division have sixty days to correct the PCI or internal control deficiency.

  3. Based upon the School/College/Division responses reviewed, Cash Management will compile the university-wide annual Self-Assessment Questionnaire and Attestation of Compliance. Cash Management will incorporate input from the Cashier's Office, consolidate the reports and prepare them for senior management signature.

D. Interim PCI Updates

School/College/Division 

  1. At any time during the year that the School/College/Division is no longer PCI compliant or has changes in School/College/Division personnel responsible for the credit card payment processing (e.g., changes in business process owner, staff processing payments and the information technology contact staff), it will advise the Cashier's Office for CASHNet participants or Cash Management for stand-alone merchant terminals. If the School/College/Division can no longer be PCI compliant, then it must notify both the Cashier's Office and Cash Management and cease accepting card payments.

Cashier's Office

  1. The Cashier's Office will maintain the list of Schools/Colleges/Divisions that use CASHNet E-market sites.

E. Unauthorized Access to Customer Credit Card Information

School/College/Division 

  1. In the event that the School/College/Division becomes aware that there has been access to customer cardholder information by an unauthorized third party, it should immediately contact the Cashier's Office and follow the procedures as detailed in the WSU "Incident Handling Protocol Response". This response includes contacting the Information Security Office (313-577-6464). The Cashier will also notify the Associate Vice President for Fiscal Operations, Cash Management and Internal Audit.