Payment Card Industry (PCI) Policy
Payment Card Industry (PCI) Compliance
- The payment card industry data security standards - or PCI-DSS is a mandated set of security standards created by the major credit card companies to offer merchants and service providers like UNR a complete, unified approach to safeguarding cardholder data for all credit card brands.
- The PCI-DSS requirements apply to all payment card network members, merchants, and service providers that store, process or transmit cardholder data.
- The requirements apply to all methods of credit card processing, the most comprehensive and demanding of which apply to E-commerce websites, and retail point-of-sale systems that process credit cards over the internet.
- Due to recent changes in PCI regulation all mobile devices that process payments must meet the following requirements:
PCI Mobile Device Policy:
Due to recent changes in PCI regulation all mobile devices that process payments must meet the following requirements:
- Joined to the UNR Exchange Organization using a PCI Mobile Device service account
- Force the following restrictions:
90 Day PIN expiration
5 character minimum length
8 failed logins before system reset
5 minute time out before password re-entry
5 remembered password history
Device encryption enforced
No internet sharing
- Registered device with the Helpdesk and logged in Footprints.
- Use of device on Cellular networks only or third party PCI certified wireless networks.
- Device must be only used for Credit Card transactions and must be in a locked cabinet when not in use.
- Device must be updated regularly.
- IT must be notified within 24 hours if device is lost or broken.
Policy Roles and Responsibilities
- All employees, contractors, vendors and third-parties that use, maintain or handle UNR information assets must follow this policy.
- The following university positions and departments have responsibilities related to the development, monitoring and enforcement of this policy.
- The Chief Information Officer is responsible for coordinating and overseeing UNR's compliance regarding the confidentiality, integrity and security of its information assets. The Chief Security Officer, Jeff Springer, works closely with the Chief Information Officer and other UNR managers and staff involved in securing the university's information assets to enforce established policies, identify areas of concern, and implement appropriate changes as needed.
- The Network Security Department works with department system manager, administrators and users to develop security policies, standards and procedures to help protect the assets of UNR.
- The UNR IT Critical Systems Group is the direct link between information security policies and the network, systems and data.
- The Human Resources Department will, when requested by the department, perform background checks including pre-employment, criminal, and credit history on all potential employees who will have access to systems, networks, or data that contain credit card information.
- University departments are responsible for ensuring that reference checks are done on all classified and professional employees hired.
- Departments will enter termination information into the employee separation notification form on the HR website. This generates an email sent to the notification group, which notifies computing and telecommunications when an employee is terminated. This will result in the employees' access being terminated for all university PCI systems.
- The BCN Purchasing Department will ensure third parties, with whom cardholder data is shared, are contractually required to adhere to the PCI-DSS requirements and to acknowledge they are responsible for the security of the cardholder data which they process.
- The Controller's Office will verify that all employees responsible for processing credit card payments attend security awareness training upon hire, and annually. If training is not completed, the department's merchant number will be deactivated.
- Understand what the consequences of your actions are with regard to computing security practices, and act accordingly. Embrace the "security is everyone's responsibility" philosophy to assist UNR in meeting its business goals.
- Employees must read and sign the UNR Security Awareness and Acceptable Use Policy and accept the campus use agreement during the NETID activation process and annually thereafter, as well as attend training on the policy annually.
- Finally, all users must accept the campus use agreement during the NETID activation process.
- All confidential or sensitive data must be protected via access controls to ensure that data is not improperly disclosed, modified, deleted or rendered unavailable.
- Employees are only authorized to view information based on what is required to perform their job.
- As part of the PCI compliance process at UNR, a separate PCI network has been established to process credit card transactions for certain campus software applications such as the bookstore.
- Employees needing access to this network will be required to complete an additional security application and have a separate login and password.
- Shared or group user id's are never permitted for user-level access. Every user must use a unique user ID and a personal secret password for access to UNR information systems and networks.
Credit Card Processing
- Departments may receive credit card numbers by phone, fax or mail.
- After the authorization for the charge is received, the credit card number must be shredded or if retained, it must be kept in a locked, secure location and shredded after 120 days.
- Only employees with a business "need to know" should have access to the stored receipts and confidential credit card data. This access should be terminated whenever an employee changes job duties or terminates employment.
- Credit card numbers may not be received via email, this is not a secure transmission method. If an email is received, do not process the payment. Respond to the sender that the payment cannot be processed through an email request. Make sure the credit card number does not appear in your response and immediately delete the original email containing the credit card number.
- Credit card transactions are processed in one of three ways: Through terminals, through a website hosted by the university where the credit card payment is made via a third party processor, such as authorize.net; or through a website hosted by a third party.
- Before a web application may be established to accept credit card payments, the department must obtain approval in writing from the Network Security Department by contacting Jeff Springer at 775-784-8247 or firstname.lastname@example.org, Hari Nune at 775-682-7010 email@example.com, or Rhonda Dome at 775-784-4297 firstname.lastname@example.org.
- Manual credit card machines that make an imprint of the credit card are not allowed, without prior written permission from the Controller's Office.
- Use of credit card terminals off campus for special events must be connected via an analog phone line to be PCI compliant.
- It's also important to know that departments are not allowed to enter a credit card number using a UNR computer unless the computer is dedicated for this purpose only and has been set up by Network Security.
- These processing rules also apply to university PCards. Remember that PCard numbers may not be stored in any electronic format, but may be stored on a hard copy, which is kept in a locked, secure location.
Incident Response Plan and Procedures
- Employees must be aware of their responsibilities in detecting security incidents, all employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility.
- Some examples of security incidents include: Theft, damage or unauthorized access, such as unauthorized logins, papers missing from your desk, broken locks, missing log files, an alert from a security guard, or video evidence of a break-in or unscheduled or unauthorized physical entry.
- Fraud that is inaccurate information within databases, logs, files or paper records.
- Abnormal system behavior, such as unscheduled system reboot, unexpected messages, or abnormal errors in system log files or on terminals and security event notifications, such as file integrity alerts, intrusion detection alarms, and physical security alarms.
- With the exception of the following steps, it is imperative that any investigative or corrective action be taken only by Network Security Department personnel to assure the integrity of the incident investigation and recovery process.
- When faced with a potential situation you should do the following:
- If the incident involves a compromised computer, do not alter the state of the computer system. It should remain on and all currently running computer programs left as is. Do not shutdown the computer or restart the computer. Immediately disconnect the computer from the network by removing the network cable from the back of it. Finally, document any information you know while waiting for the Network Security Department to respond to the incident, including date, time, and the nature of the incident.
- To report a security incident, notify the Network Security Department immediately of any suspected or real security incidents involving UNR computing assets. If it is unclear as to whether a situation should be considered a security incident, the Network Security Department should be contacted to evaluate the situation.
- Do not communicate with anyone outside of your supervisor(s) or the Network Security Department about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by the Network Security Department to the Vice President for Information Technology who will notify the President's Office.
- All cardholder data should be kept for 120 days. Data utilized for recurring transactions may be retained for the lifetime of the customer's account with UNR.
- Once a customer's account is disabled or terminated, all the cardholder data for that account must be purged within 120 days of the termination using an approved destruction method.
- Cardholder authorization data including track, CV2, and PIN information, may be retained only until completion of the authorization of a transaction. After authorization, the data MUST BE DELETED according to an approved disposal process. Storage of cardholder authentication data post-authorization is forbidden.
- Confidential or sensitive information like credit card information must never be copied onto removable media without authorization from the Network Security Department.
- At no time are hardcopy or electronic media containing confidential or sensitive information to be removed from any UNR secure office environment.
- The credit card number may not be kept in any electronic format, including Excel spreadsheets or USB thumb drives.
Data Disposal Policy
- All hardcopy documents containing credit card information currently in storage that are older than three years should be shredded. At the end of each of the next three years the oldest year's documents should be shredded.
- Hardcopies, that is, paper receipts, paper reports and faxes, should be cross-cut shredded, incinerated, or pulped.
- Before computer or communications equipment can be sent to a vendor for trade-in, servicing or disposal (surplus) all confidential or sensitive information must be destroyed or removed according to the approved methods in this policy.
- Outsourced destruction of media containing confidential or sensitive information must use a bonded disposal vendor that provides a "Certificate of Destruction."
- If your department is involved in an audit, investigation or litigation, all destruction of records in your custody must cease. When you are notified that the audit, investigation or litigation is ended or resolved, you may destroy documents according to this policy.
- A media inventory log is to be kept in all secure media hardcopy and electronic storage locations.
- All stored electronic media containing confidential or sensitive information must be inventoried at least annually by the Network Security Department.
- At this time, the security controls on the storage mechanism will be checked. Upon completion of the inventory, the log will be updated.
- All stored hardcopy media containing PCI data must be inventoried at least annually by the campus department, and the media inventory logs must be submitted to the Controller's Office who will verify that all the required logs have been completed.
- The Controller's Office will submit the media inventory logs to campus auditors. At this time, the campus auditors will check security controls on the storage mechanism and review and approve the log.