Fayetteville Policies and Procedures 309.2
Payment Card Incident Response
Credit Card Operations will coordinate all responses to suspected or confirmed payment card security incidents, with the assistance of IT Services Information Security. Payment card security incidents are defined as malicious attempts to access a payment system, successful attacks to compromise personally identifiable information (PII), or any unauthorized access to a payment system, including internal access outside of an employee’s job duties (even if accidental). Upon notification of a payment card security incident, Credit Card Operations will begin an immediate investigation into the reason for and scope of the incident. All processing for that payment acceptance channel will be suspended until after the investigation is completed, and it is deemed safe to resume processing transactions.
The purpose of this policy is to establish procedures to evaluate, contain and report any attempt to compromise any approved university processing method. All incidents will be reported using the AskCommerce portal. False reporting of an incident is considered unlawful and appropriate disciplinary action will be taken.
All terms mentioned in this policy are defined in Fayetteville Policies and Procedures (FPP) 309.3 Payment Card Policies Glossary. All campus users of payment card information are required to know and fully understand all terms associated with the FPP 309.0 through 309.3 policies related to payment card processing, security and incident reporting.
In the event of a payment card data security breach, the affected department is required to immediately notify Credit Card Operations via the AskCommerce portal, regardless of time of day. Training for designated incident response personnel within each payment card processing department will be conducted annually by Credit Card Operations.
The affected department MUST discontinue processing transactions and disconnect all affected systems from the university network; DO NOT SHUT DOWN ANY EQUIPMENT. All staff MUST remain logged off of the affected systems. The department MUST NOT resume normal business operations until notified by Credit Card Operations. This requirement is enforced for ALL University of Arkansas departments, regardless of the payment system used.
If the breach is contained to one department, Credit Card Operations will assist that department with any required Payment Card Industry Data Security Standard (PCI DSS) post-incident reporting. If the department is found to be responsible for any compromise, the department can be penalized up to and including the immediate revocation of its processing privileges. Any financial loss incurred by the university resulting from inadequate controls or lack of adherence to PCI DSS, other industry security requirements and the FPP 309.0 through 309.3 policies may be charged to the department at the time of the breach.
Departments with an active system usage waiver MUST have their own disaster recovery, business continuity, and risk assessment policies and procedures in place. Those policies must be approved by Credit Card Operations prior to implementation. Credit Card Operations can assist departments in drafting and revising procedures as industry or processing environment changes occur. Departmental staff should immediately notify Credit Card Operations of a suspected compromise, and Credit Card Operations will coordinate any and all investigations into an incident that results in a data breach to that system. If an incident occurs, all audit logging for the external processing system is to remain functional during and after an incident.
Credit Card Operations Responsibility
The PCI DSS requires that the University of Arkansas (as the merchant) MUST complete the following if a payment card data security breach is detected:
- Immediately contain the exposure of the breach.
- Immediately notify the necessary institutional parties.
- Prepare the Incident Response Report and file with the merchant bank within three business days.
- Prepare a list of compromised accounts and file with the merchant bank within ten business days.
Credit Card Operations will assess the situation and will immediately begin notifying necessary parties of the incident as appropriate. PCI DSS requires that the affected system be made unavailable until a forensic investigation is completed. The Office of Financial Affairs will make the determination whether the circumstances surrounding the incident require notification of law enforcement. All notification to law enforcement will be in accordance with FPP 410.2 Notification Procedures in Case of Breach of Privacy.
Notification to the acquiring banks and internally will be addressed as follows:
- The Office of Financial Affairs IT director will notify the associate vice chancellor for finance, the investment manager, the director of financial affairs compliance and the university’s payment processor.
- The investment manager will notify the university’s acquiring banks.
- The associate vice chancellor for finance will notify the Office of University Relations, the vice chancellor for finance and administration, as well as any other internal or external contacts as necessary.
Annual testing of the university incident response plan is required to ensure all parties understand the responsibilities for their area. Credit Card Operations will guide departments through the testing procedures. Departments with an active system usage waiver will also have their system tested as part of Credit Card Operations' annual incident response plan testing.