Payment Card Security

Payment Card Industry Data Security Standard (PCI DSS) 

Payment Card Industry (PCI) Data Security Standard (DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.  

This standard was created to increase controls around cardholder data to reduce credit card fraud and the compromising of credit cards and personally identifiable information. 

As part of the due diligence required under industry standards to accept credit card payments, the University at Albany and its affiliated entities and vendors are required to be certified under PCI DSS. 

 

I. Purpose 

The purpose of this policy is to establish business processes and procedures for accepting payment cards at University at Albany (the University) that will minimize risk and provide the greatest value, security of data, and availability of services to each university merchant account within the rules and regulations established by the Payment Card Industry (PCI) and articulated in the PCI Data Security Standard (PCI DSS). Additionally, these processes are intended to ensure that payment card acceptance procedures are appropriately integrated with the University’s financial and other systems. 
 

II. Authority 

The approval of the University at Albany policies and operation of the campus are delegated to the “head of the institution” (Campus President) from the SUNY Board of Trustees under State Education Law Article 8 Section 355(2)(g)&(h). 
 

III. Background 

In response to increasing incidents of identity theft, the major payment card companies created the Payment Card Industry Data Security Standard (PCI DSS) to help prevent theft of customer data. PCI DSS applies to all businesses that accept payment cards to procure goods or services. Compliance with this Standard is enforced by the payment card companies and generally, non-compliance is discovered when an organization experiences a security breach that includes cardholder data. 

Security breaches can result in serious consequences for the University, including release of confidential information, damage to reputation, the assessment of substantial fines, possible legal liability and the potential loss of the ability to accept payment cards. 
 

IV. Definitions 

Cardholder: The customer to whom a payment card has been issued or the individual authorized to use the card. 

Cardholder Data: All personally identifiable data associated with the cardholder (e.g., account number, expiration date, cardholder name). 

Encryption: The process of converting information into an unintelligible form to anyone except holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process against unauthorized disclosure. 

Merchant or Merchant Department: For the purposes of PCI DSS and this policy, a merchant is defined as any University department or affiliated entity that accepts payment cards bearing the logos of any of the five members of the Payment Card Industry Security Standards Council (American Express, Discover, JCB, MasterCard or VISA) as payment for goods and/or services, or as donations. 

Payment Card: Any payment card/device that bears the logo of American Express, Discover Financial Services, MasterCard Worldwide or VISA, Inc. 

Payment Card Industry Data Security Standards (PCI DSS): PCI DSS is a proprietary information security standard for organizations that handle credit card transactions from the major credit card companies including Visa, MasterCard, American Express and Discover. This standard was created to increase controls around cardholder data to reduce credit card fraud and the compromising of credit cards and personally identifiable information. 

Sensitive Authentication Data: Security-related information (card validation codes/values, full magnetic-stripe data, or personal identification number) used to authenticate cardholders, appearing in plain-text or otherwise unprotected form. 
 

V. Applicability 

This policy applies to all University employees, affiliated organizations, contractors, consultants or agents who, in the course of doing business on behalf of the University, accept, process, transmit, or otherwise handle cardholder information in physical or electronic format. 

This policy applies to all University departments and administrative areas which accept payment cards regardless of whether revenue is deposited in a University, University at Albany Foundation or University Auxiliary Services financial account. 
 

VI. Acceptable Payment Cards 

University at Albany currently accepts VISA, MasterCard, Discover and American Express cards and has negotiated contracts for processing payment card transactions. Individual University units may not use or negotiate individual contracts with these or other payment card companies or processors. All individual University units must use the campus negotiated contracts. 
 

VII. Maintaining Security 

  • Departments and administrative areas accepting payment cards on behalf of the University are subject to the Payment Card Industry Data Security Standard (PCI DSS). 

  • The University prohibits the transmission of cardholder data or sensitive authentication data via email, multi-function fax machines or unsealed envelopes through campus mail as these are not secure. 

  • The University requires that all external service providers that handle payment card information be PCI compliant. 

  • The University restricts access to cardholder data to those with a business “need to know.” 

  • For electronic media, cardholder data shall not be stored on servers, local hard drives, or external (removable) media including floppy discs, CDs or thumb (flash) drives unless encrypted and otherwise in full compliance with PCI DSS. 

  • For paper media, cardholder data shall not be stored; it shall be destroyed immediately after use with a cross-cut shredder. 
     

VIII. Responsibilities 

Merchant department managers are responsible for: 

  • Executing, on behalf of the relevant Merchant Department, the Payment Card Account Acquisition or Change Procedures. 

  • Ensuring that all employees (including the merchant department manager), contractors and agents with access to payment card data within the relevant Merchant Department acknowledge on an annual basis and in writing that they have read and understood this policy. 

  • Ensuring that all payment card data collected by the relevant Merchant Department in the course of performing University business, regardless of whether the data is stored physically or electronically, is secured.  

Data is considered to be secured only if all of the following criteria are met: 

  • Only those with a “need to know” are granted access to payment card and electronic payment data; 

  • Email is not to be used to transmit credit card or personal payment information. If it should be necessary to transmit credit card information via email, only the last four digits of the credit card number can be displayed; 

  • Credit card or personal information is NEVER downloaded onto any portable devices or media such as USB flash drives, compact disks, laptop computers (unless laptop is certified as a dedicated workstation for this purpose only on a network segmented/firewalled from the rest of the University's Network) or personal digital assistants; 

  • Fax transmissions (both sending and receiving) of credit card and electronic payment information occur using only fax machines that are attended by those individuals who must have contact with payment card data to do their job; 

  • The processing and storage of personally identifiable credit card or payment information on University computers and servers is prohibited; 

  • Only secure communication protocols and/or encrypted connections to the authorized vendor are used during the processing of ecommerce transactions; 

  • The three or four digit validation code printed on the payment card is never stored in any form; 

  • The full contents of any track data from the magnetic stripe are never stored in any form; 

  • The personal identification number (PIN) or encrypted PIN block is never stored in any form; 

  • All but the last four digits of any credit card account number are masked when it is necessary to display credit card data; 

  • Notifying the Information Security Officer (518-956-8080) in the event of suspected or confirmed loss of cardholder data. Details of any suspected or confirmed breach should not be disclosed in any email correspondence. After normal business hours, notification shall be made to the University Police (518-442-3130). 
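The masking and "never stored in any form" criteria above can be checked mechanically before any record reaches a log, ticket or e-mail. The following Python is an added illustration and is not part of this policy or of any University system. Its sample log lines are constructed (4111 1111 1111 1111 is a published test number, not a live account), the keyword patterns for validation codes are assumptions about how such data might be labelled in text, and the magnetic-stripe patterns follow the ISO/IEC 7813 framing (`%B…^…?` for track 1, `;…=…?` for track 2). Sensitive authentication data is removed outright, because the policy forbids storing it at all; a primary account number is masked to its last four digits, as the display criterion requires.

```python
import re

# Added example (not the policy's own code): redact cardholder data and sensitive
# authentication data (SAD) from free text before it is logged or sent.

# Plausible primary account number (PAN): 13 to 19 digits, optionally separated
# by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Magnetic-stripe framing per ISO/IEC 7813: track 1 is "%B<PAN>^<name>^...?",
# track 2 is ";<PAN>=<expiry and discretionary data>?".
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^?]{0,100}\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d+\?")

# Card validation code next to a label. The labels are assumed; cvv2, cvc2 and cid
# are the brand-specific names for the 3- or 4-digit code.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out order or ticket numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask all but the last four digits, as required when a PAN must be displayed."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_line(line: str):
    """Return (redacted line, finding labels in the order they were handled)."""
    findings = []

    def drop(label: str, replacement: str):
        def repl(_match):
            findings.append(label)
            return replacement
        return repl

    # SAD first, so a PAN embedded in track data is removed with the track, not merely masked.
    line = TRACK1_RE.sub(drop("track1", "[TRACK DATA REMOVED]"), line)
    line = TRACK2_RE.sub(drop("track2", "[TRACK DATA REMOVED]"), line)
    line = CVV_RE.sub(drop("cvv", "[SAD REMOVED]"), line)

    def mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # fails Luhn: an ordinary number, leave it alone
        findings.append("pan")
        return mask_pan(digits)

    line = PAN_RE.sub(mask, line)
    return line, findings


# Constructed sample lines for the demonstration.
SAMPLE_LINES = [
    "2024-01-01 order 8812 card 4111 1111 1111 1111 exp 12/25 cvv 123",
    "2024-01-01 swipe ;4111111111111111=25121011234567890?",
    "2024-01-01 order 8813 total 42.00 ticket 20240101-0001",
]


def scrub_all(lines):
    """Redact every line and flag those holding SAD, which is a policy violation rather than a masking case."""
    results = []
    for number, line in enumerate(lines, 1):
        redacted, findings = scrub_line(line)
        has_sad = any(f != "pan" for f in findings)
        results.append((number, redacted, findings, has_sad))
    return results


if __name__ == "__main__":
    for number, redacted, findings, has_sad in scrub_all(SAMPLE_LINES):
        status = "VIOLATION" if has_sad else "ok"
        print(f"{number}: {status:9} {findings} {redacted}")
```

The Luhn filter keeps the masker from mangling order or ticket numbers that happen to be 13 to 19 digits long; a line in which a PAN is merely masked is compliant, while any line that produced a track or validation-code finding indicates data that should never have been written in the first place and should be reported as described above.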

Note: Information Technology Services shall regularly monitor and test the University Network and coordinate the University’s compliance with the PCI Standard’s technical requirements and verify the security controls of systems authorized to process credit cards. 
 

IX. Training 

Employees who are expected to be given access to cardholder data shall be required to complete annual data security awareness training (Securing the Human training video) and to attend the annual training presentation offered by CampusGuard, a data security consulting firm, to learn more about PCI DSS.