Approved by Cabinet
10/27/2009
Revised
December 3, 2010
Revised
August 31, 2015
Approved by the President
8/19/2020
Policy Contact
Information Technology Security Administrator
607-436-3203
itsecurity@oneonta.edu
Category
Business and Finance Policies
Policy Statement
SUNY Oneonta must take all appropriate measures to protect payment card information in accordance with the Payment Card Industry Data Security Standards (PCI-DSS).
Rationale
Payment card transactions have become the preferred method for making payments or donations to SUNY Oneonta. Every business that accepts credit and debit card payments is required to comply with the PCI-DSS to protect against risk exposure. Noncompliance could result in fines and, in the case of a data breach, significant financial loss and damage to the institution's reputation.
Applicability of the Policy
This policy applies to all SUNY Oneonta employees who have access to credit or debit card numbers accepted for payments to the institution.
Policy Elaboration
To comply with the PCI-DSS, employees who work directly with payment card processing and documentation are required to review local procedures and sign this policy on an annual basis.
Definitions
Card holder data / Payment card data – The full magnetic stripe of the card or the entire card number plus any of the following: cardholder name, expiration date, service code.
PCI-DSS – The Payment Card Industry Data Security Standard was adopted to assure the protection of customer data and payment card numbers.
PCI environment – includes computers, network hardware and the segment of the Oneonta network (PCI VLAN) configured to meet the PCI standards for electronic submission, processing or storage of cardholder data.
Point-of-Sale device - Any device in which card holder data is inputted to facilitate payment card transactions.
Procedures
- Access to Customer Payment Card Data
- Access is authorized only for SUNY Oneonta personnel who are responsible for processing or facilitating payment card transactions. Access may be granted by the supervisor of a department with SUNY Oneonta approval to handle payment card data. Only authorized SUNY Oneonta personnel may process payment card transactions or have access to documentation related to payment card transactions.
- Authorized personnel must acknowledge (by signature) this policy and related procedures upon initial employment and annually thereafter.
- Signed acknowledgements must be maintained by the department supervisor.
- Transmission of Payment Card Information
- Insecure (unencrypted) transmission of cardholder data is prohibited. Payment card numbers and cardholder data may not be emailed, faxed, or sent via any electronic messaging technologies such as instant messaging or chat.
- Telephone Payments
- When recording payment card information for processing via a dial-up terminal, only cardholder name, account number, expiration date, zip code, and street address may be recorded. It is not permissible to record and store the security code (CVV2).
- Store transaction documentation and merchant receipt in a secure (locked) area.
- Card Present Transactions (Point-of-Sale)
- Point-of-Sale devices must be inspected for tampering before the first use of the week and the inspection must be logged.
- Picture ID is required if the card is not signed.
- Provide receipt to customer.
- Store transaction documentation and merchant receipt in a secure (locked) area.
- Department supervisors must maintain a list of all POS devices and personnel authorized to use them.
- Receipt of Payment Card Information in Email
- Under no circumstances will payment card data received in email be processed.
- The recipient of the payment card number must respond to the sender with the standard template provided at the end of this section advising that the transaction cannot be processed and offering an acceptable method for transmitting card information. Payment card numbers must be deleted from the response.
- Processing Payment Card Transactions and Storage of Cardholder data on Campus Computers
- Offices that make payment card transactions on the web (that is, enter a customer’s payment card data on a website in payment for a purchase or donation to the institution) must do so from a computer designated for that purpose on the campus PCI Virtual Local Area Network (VLAN).
- Card holder data must be entered on a computer that is expressly designated as belonging to the PCI environment.
- Card holder data must not be stored electronically.
- Payment Card Transactions over the campus Wi-Fi network is prohibited, unless using an approved point-to-point encryption device and written authorization from the SUNY Oneonta IT Security Administrator is obtained. Authorization must be renewed annually.
- Delivery of Transaction Documents to Student Accounts (for staff at peripheral locations)
- Prepare Funds Transmittal Sheet
- Personally deliver all transaction documentation to Student Accounts, Netzer 240. Never send transaction information through campus mail.
- Securing Transaction Documents (for Student Accounts staff)
- During window session, place merchant receipt and other transaction documents in drawer. At workstation, store securely until session materials are placed in safe at end of day.
- Any transaction documentation retrieved from the safe for review or refund purposes must be handled securely and placed back in the safe as soon as possible, but no later than the end of the business day.
- Payment card transaction documents must be stored in the safe. When retention period passes it may be taken from the safe and destroyed (shredded) immediately.
- Retention and Destruction of Cardholder Data
- Card holder data must be retained in a secure location only as long as is necessary for business purposes
- Card holder data must be destroyed when no longer needed. Paper must be cross-cut shredded. Electronic files must be destroyed in a manner appropriate to the media on which they are stored.
- Processing Involving Third-Party Service Providers
- Offices must maintain a list of service provider used.
- A written agreement must be maintained that includes an acknowledgement that the service provider is responsible for the security of card holder data the service provider possesses or otherwise stores, processes, or transmits on behalf of SUNY Oneonta or associated entity.
- Service provider PCI DSS compliance must be verified on an annual basis by obtaining the service provider’s Attestation of Compliance or checking for the service provider’s compliance status on the “Visa Global Registry of PCI DSS Validated Service Providers.”
- The Information Technology Security Administrator must be consulted during engagements with new service providers to assure PCI DSS compliance and assess risk.
- Security Incident Reporting
- In the event of suspected tampering or substitution of a Point-of-Sale device or computer belonging to the PCI environment, or suspected loss or theft documents or files containing cardholder data the IT Security department must be notified immediately by contact list (in order of preference):
- Information Technology Security Administrator, 607-436-3203
- Information Technology Security Analyst, 607-436-2770
- Office of the Chief Information Officer, 607-436-2226
Template Response* for Payment Card Number Received in Email
Thank you for your recent communication regarding payment for item or event. For your protection, we cannot accept payment card information via email. Email is an insecure means of transmitting information and you must never use it to send your payment card number or other sensitive personal information (passwords, Social Security Number, etc.). Please call our office at phone number during regular business hours to complete the transaction or visit website if available. Thank you.
*Delete the cardholder data from your response and delete the original message after replying.
Authorized Employee Attestation
I have read the Payment Card Processing and Handling Policy and the above procedures and agree to abide by them.
Name _______________________________________________ Date____________
Signature ______________________________________________________________
Related Documents / Policies
PCI-DSS – The Payment Card Industry Data Security Standard