Payment Card Industry Compliance
This policy sets forth the guidelines for compliance with the Payment Card Industry Data Security Standard (PCI DSS) and for incident response in case of a breach of cardholder data on or off campus.
The purpose is to protect cardholder information from being exposed to unauthorized individuals.
This policy applies to all departments and organizations that process payment card transactions or work with 3rd party processors on or off campus.
IV. Terms and Definitions
- Anti-virus Software – Programs capable of detecting, removing, and protecting against various forms of malicious code or malware, including (but not limited to) viruses, worms, Trojan horses, spyware, and adware.
- Due Diligence – Generally, due diligence refers to the care a reasonable person should take before entering into an agreement or transaction with another party. This would include the verification of all information given to a reasonable person by any prospective business associate.
- Encrypted – Information that has been converted into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.
- Firewall – Hardware, software, or both that protect resources of one network from intruders from other networks. Typically, an enterprise with an intranet that permits workers access to the wider Internet must have a firewall to prevent outsiders from accessing internal private data resources.
V. Procedures and Guidelines
A. It is against Luther College Policy to store sensitive card information (full account number, type, expiration date, or track data) on any server, computer, flash drive or database.
B. Treat payment card receipts like you would cash.
C. Keep payment card data secure and confidential.
D. Restrict access to card data to “those who need to know”.
E. Documents containing cardholder data should be kept in a secure environment (e.g., a safe or a locked file cabinet).
F. Cardholder data must be transmitted securely (i.e., encrypted).
G. Email is not an approved way to transmit credit card numbers.
H. Fax transmittal is not an approved way to transmit credit card numbers.
I. All media containing cardholder data must be destroyed when no longer needed for business or legal reasons.
J. Hardcopy media must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed.
K. Manual swipers or imprinters are not authorized for use.
L. Technology changes that affect payment card systems are required to be approved by the College Controller prior to being implemented.
M. Any new systems/software that process payment cards are required to be approved by the College Controller prior to being purchased.
N. Any agreement with a 3rd party processor for online sales needs to be approved by the College Controller prior to being entered into. The requesting department will need to show proof of due diligence and provide documentation that the 3rd party processor is PCI Compliant.
O. All staff and student workers that will have access to cardholder information will be required to read the Statement of Responsibility and sign the Statement of Responsibility Acknowledgement that will be kept on file at their respective departments. A copy of these forms can be accessed at http://hr.luther.edu/common forms/index.html
P. Computer systems that process payment cards must be behind a firewall.
Q. Use and regularly update antivirus software.
R. Assign a unique ID to each person with computer access.
S. Do not use vendor-supplied defaults for system passwords and other security parameters. Change system passwords at least once every six months.
T. Computer systems that process payment cards must have the ability to monitor and track access to network resources and cardholder data.
U. Report all suspected or known security breaches to the College Controller and Campus Security.
V. The Office for Financial Services will perform periodic audits of each department or organization that processes payment card transactions or works with 3rd party processors to ensure compliance with PCI DSS.
W. The Office for Financial Services and Library Information Services will complete a Self Assessment Questionnaire and Attestation of Compliance for each Luther merchant account on an annual basis.
X. The Office for Financial Services will be available to assist any department or organization to achieve PCI DSS Compliance.
VI. Incident Response Policy
A. Incident Identification
Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of incidents that an employee might recognize in their day-to-day activities include, but are not limited to:
- Theft, damage or unauthorized access (e.g., papers missing from their desk, broken locks, missing log files, alert from a security guard, video evidence of a break-in or unscheduled/unauthorized physical entry).
- Fraud – Inaccurate information within databases, logs, files or paper records.
B. Reporting an Incident
Campus Safety and Security should be notified immediately of any suspected or real security incident involving cardholder data:
- Contact Campus Safety and Security at ext. 2111 to report any suspected or actual incidents. The Safety and Security phone number should be well known to all employees and should page someone during non-business hours.
- No one should communicate with anyone outside of their supervisor(s) or Campus Safety and Security about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by Campus Safety and Security.
- Document any information you know while waiting for Campus Safety and Security to respond to the incident. If known, this must include date, time, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner.
- Campus Safety and Security should immediately notify the Corporate Controller of any suspected or real incident involving cardholder data.
C. Incident Response
Response can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery, and root cause analysis resulting in improvement of security controls.
Contain, Eradicate, Recover and perform Root Cause Analysis.
1. Notify applicable card associations.
- Provide the compromised Visa accounts to the Visa Fraud Control Group within ten (10) business days; for assistance, contact 1-(650)-432-2978. Account numbers must be securely sent to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information. See Visa’s "What to do if compromised" documentation for additional activities that must be performed. That documentation can be found at http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_what_to_do_if_compromised.pdf
- Contact your merchant bank for specific details on what to do following a compromise. Details on the merchant bank (aka, the acquirer) can be found in the Merchant Manual at http://www.mastercard.com/us/wce/PDF/12999 merc-Entire Manual.pdf. Your merchant bank will assist when you call MasterCard at 1-(636)-722-4100.
- Contact your relationship manager or call the support line at 1-(800)-347-3083 for further guidance.
- Contact the American Express Enterprise Incident Response Program (EIRP) toll free at (888) 732-3750/U.S. only, or at 1-602-537-3021/International, or email at EIRP@aexp.com.
2. Alert all necessary parties. Be sure to notify:
a. Merchant bank
b. Local FBI Office
c. U.S. Secret Service
d. Local authorities (if applicable)
3. Perform an analysis of legal requirements for reporting compromises in every state where clients were affected. The following source of information must be used: http://www.ncsi.org/programs/lis/cip/priv/breach.htm
4. Collect and protect information associated with the intrusion. In the event that a forensic investigation is required, Campus Safety and Security will work with legal and management to identify appropriate forensic specialists.
5. Eliminate the intruder’s means of access and any related vulnerabilities.
6. Research potential risks related to, or damage caused by, the intrusion method used.
D. Root Cause Analysis and Lessons learned
Not more than one week following the incident, members of Campus Safety and Security and all affected parties will meet to review the results of any investigation, determine the root cause of the compromise, and evaluate the effectiveness of the Incident Response Plan. Other security controls will be reviewed to determine their appropriateness for the current risks. Any identified areas in which the plan, policy or security controls can be made more effective or efficient must be updated accordingly.
VII. Confidentiality and Record
The department or organization is responsible for the safekeeping of all cardholder information and for keeping it from being exposed to unauthorized individuals, and is accountable for any monetary loss suffered by the college due to theft or improper use of payment card numbers and associated information.
Controller, Office for Financial Services
Accounting Manager, Office for Financial Services
Director, Information Systems