Fayetteville Policies and Procedures 309.1
Payment Card Security
Credit Card Operations is responsible for campus compliance with payment card processing and security regulations and is granted the authority to impose appropriate sanctions to ensure conformity with university policies and procedures. Appropriate action up to and including suspension or termination of payment card processing privileges will be imposed for any University of Arkansas department that violates provisions outlined in the Fayetteville Policies and Procedures (FPP) 309.0 through 309.3 policies related to payment card processing, security and incident reporting.
The purpose of this policy is to establish procedures for securing payment card transaction data, so that the University of Arkansas can seek to ensure that sensitive account and personally identifiable information customers provide is protected against theft and/or improper usage. Additionally, the policy seeks to ensure that the university complies with credit and banking industry security regulations related to credit card processing and reporting, including Payment Card Industry Data Security Standard (PCI DSS). This policy applies to all University of Arkansas departments, employees (including temporary), contractors and consultants. Affiliated entities are encouraged to comply.
Definitions
All terms mentioned in this policy are defined in FPP 309.3 Payment Card Policies Glossary. All campus users of payment card information are required to know and fully understand all terms associated with the FPP 309.0 through 309.3 policies.
Reporting and Monitoring Responsibilities
Credit Card Operations staff will perform regular internal assessment of systems, security, policies and controls in place related to university payment card processing. Additionally, departments will complete a compliance questionnaire to be used by Credit Card Operations for preparation of the PCI DSS Self-Assessment Questionnaire. The associate vice chancellor for financial affairs will report annually to the vice chancellor for finance and administration on the status of campus compliance with Fayetteville Policies and Procedures and PCI DSS requirements.
Sanctions
Departments that do not comply with requirements of the FPP 309.0 through 309.3 policies or other supplemental documents related to the policies must take necessary action to become compliant or be subject to sanctions up to and including suspension or termination of payment card processing privileges. Credit Card Operations will notify departments when remedial action is necessary to achieve compliance with campus and industry requirements. If compliance is not achieved in a time deemed reasonable by Credit Card Operations, payment processing privileges will be suspended and the department will no longer be an authorized payment card merchant. Within the institution, departments engaged in payment card processing may be charged for any financial loss incurred by the university resulting from inadequate controls or lack of adherence to PCI DSS and other industry security requirements. Any appeals of actions taken by Credit Card Operations regarding suspensions or cost recovery will be considered by the vice chancellor for finance and administration.
Department Responsibilities
All departments engaged in any form of payment card processing must comply with the general procedures listed below. Procedures for suspected or actual compromise of a card processing environment are detailed in the FPP 309.0 through 309.3 policies. Additional procedures are required for departments that have been granted a system usage waiver (see FPP 309.0) to use an alternate processing system.
General Procedures
- Each department engaged in payment card processing shall maintain formal, written operational procedures that demonstrate how compliance with the FPP 309.0 through 309.3 policies and the PCI DSS is achieved and maintained. Operational procedures must include transaction processing methods, refund policies and reconciliation procedures. Credit Card Operations will review the document, and upon approval a copy will remain on file with Credit Card Operations. Departments MUST evaluate procedures annually and update with Credit Card Operations as necessary.
- An annual risk assessment will be performed by Credit Card Operations as part of the payment card processing audits. Departments must cooperate with requirements of the risk assessment process.
- Physical and electronic storage of sensitive personally identifiable information (PII) associated with payment card transactions is prohibited. Credit Card Operations may revise the definition of PII as legal and industry regulations change. Examples of PII for which departmental retention is prohibited are: Primary Account Number (PAN), security code (CVV) or contents of magnetic track data from a payment card. Storage of the last 4 digits of the account number (PAN) is also prohibited.
- Each department engaged in payment card processing shall ensure that all employees who have access to customer PII associated with payment card transactions complete the annual Credit Card Operations data security training course and sign an acknowledgement, provided by Credit Card Operations, stating that they understand their responsibility to protect customer PII. Additional training may be required, depending on the processing method used by the department. Only persons who have completed all required training will be permitted to handle payment card data on behalf of the University of Arkansas.
- Each department engaged in payment card processing must be in compliance with university policies regarding employee background checks.
- Each department engaged in payment card processing must establish segregation of duties among payment card processing, the processing of refunds and reconciliation of revenue to the extent possible. Each such department shall immediately notify Credit Card Operations of any staff changes related to payment card data-handling positions.
- Acceptable methods of accepting payment cards include: walk-in (face-to-face), telephone or customer-initiated online payment (via CASHNet or an approved alternate payment system). Phone payments must be processed while the customer is on the line. Making note of a customer’s payment card number to process at a later time is prohibited. All phone and walk-in payments must be processed using a counter-top payment terminal, provided by the Office of Financial Affairs. Accepting payment card data via mail, email, fax or any end-user messaging technology is prohibited. Tuition/fee payments are accepted only as customer-initiated through the UAConnect Student Center or Parental Portal.
- Customer PII associated with payment card transactions, especially account numbers, shall not be transmitted via any insecure method, especially email, fax, cell phone, vocally in a public location or any end-user messaging technology.
- Departments are prohibited from maintaining commerce servers within the department. All server-level machines required for processing systems must be maintained by Credit Card Operations. Any exceptions to this requirement must be approved by Credit Card Operations.
- Visitors are not permitted to enter the Commerce Server Data Environment unless properly identified by a badge or token that is surrendered when the visitor leaves. Visitors MUST be accompanied by university staff at all times and must have a legitimate reason for being in the Commerce Server Data Environment. All visitors must sign in when entering and leaving the Commerce Server Data Environment.
- All devices within a department’s cardholder data environment should be secured to the extent possible. Processing terminal devices should never be left unattended in an area where customers or visitors may have access to the device. When terminals are not in use, they must be secured in a locked office and/or drawer/cabinet. Registers must be locked or logged off while not in use. Credit Card Operations will provide additional guidance to departments based on their specific needs.
- All registers used in payment card processing must be registered within the commerce environment domain. Security configuration settings and updates will be managed through the domain. Departments with register systems are required to notify Credit Card Operations of any change in register equipment to ensure proper domain registration of new devices.
- Each department engaged in payment card processing must complete all security enhancements to processing systems as required by Credit Card Operations. All vendor-supplied security patches to systems must be applied within three weeks of issue date.
- Each department engaged in payment card processing must use disk wiping technology approved by IT Services Information Security to render unreadable any hard disk or other media which has ever stored or processed customer PII before retiring it from service.
- Each department engaged in payment card processing must cooperate with all reporting and audit requirements by Credit Card Operations, including full compliance with the PCI DSS and all other industry security requirements, or be subject to the sanctions detailed above. Departments will be audited by Credit Card Operations at least annually to ensure compliance with all policies and PCI DSS related requirements.
- Any changes to the departmental processing environment, including any software/hardware additions, MUST be approved by Credit Card Operations prior to purchase. If this provision is violated, the department will be subject to the sanctions detailed above.
- All Web application code must be approved by Credit Card Operations prior to use in conjunction with CASHNet or any other Web-processing system. Departments are prohibited from displaying or verbally sharing detailed transaction error messages with end-users of the application.
- All departments MUST use the centralized CASHNet system for all customer-facing online card acceptance activity. Exceptions due to unique business needs may be requested through Credit Card Operations. The use of PayPal will not be approved and is strictly prohibited. If a system usage waiver to utilize another processing method is approved, the department requesting the waiver must demonstrate full compliance with the PCI DSS and all other industry security requirements and submit written documentation of adherence to the PCI DSS to Credit Card Operations. System usage waivers will be evaluated annually.
Additional Procedures for Departments Granted Usage Waiver
Departments that have been granted a system usage waiver MUST abide by all regulations set forth in the FPP 309.0 through 309.3 policies and additional requirements not detailed above. A supplemental document containing all requirements for system usage waiver departments can be obtained from Credit Card Operations. All requirements MUST be met or the system usage waiver will be denied and the department will not be permitted to process payment card transactions via any POS/swipe or e-commerce channel.
Credit Card Operations approval is required for any third-party processing agreement/contract. All contracts and contract renewals for payment card processing MUST be approved by Credit Card Operations prior to execution. All contracts MUST contain PCI DSS contract language determined by Credit Card Operations and General Counsel.
Revised May 27, 2015
Reformatted for Web May 28, 2014
Revised November 19, 2010
January 4, 2007