Payment Card Industry Compliance Policy

Rationale: This policy defines the Policy and Guidelines for Electronic Commerce for Security and Privacy data along with Merchant Cards Security Incident Plan.

I. Purpose

This policy defines the Policy and Guidelines for Electronic Commerce for Security and Privacy data along with Merchant Cards Security Incident Plan.

II. Scope

This policy is binding and applies to all University employees and service providers who transmit or process payment card transactions.

III. Policy

It is University policy to manage Electronic Commerce in compliance with regulations set forth by the State of North Carolina (NC OSC – Statewide Electronic Commerce Program).

IV. State and Contractual Requirements Governing Credit Cards

A. State and Contractual Requirements Governing Credit Cards

1. Cash Collection Point Approval for Departments

Approval must be obtained from the AVC Finance or designee in order for the department to accept credit cards from its customers as a payment option. Approval is only given to departments that meet PCI DSS, NC Office of the State Controller Electronic Commerce Policies, and State Cash Management Law.

2. State Requirements

NCGS §147-86.22(b) authorizes the State Controller to issue policies relating to “electronic payments,” which support the Statewide Electronic Commerce Program (SECP). All entities subject to the State's Cash Management Law and all entities that participate in one or both of the Master Services Agreements (Electronic Funds Transfer and Merchant Cards) are subject to the policies. Entities are encouraged to be fully aware of the policies to ensure compliance. As a prerequisite for participating under the Master Service Agreement (MSA), University of North Carolina at Asheville is required to comply with all Payment Card Industry Data Security Standards.

3. Contractual Requirements Concerning Fines

A department can be fined even if a security breach has not occurred. It is uncertain how aggressively the card associations will levy fines on non-compliant merchants that are detected, but fines may reach an estimated high of $25,000 per month for non-compliance.

In the event of a breach, all fines and expenses associated with the breach will be borne by the department accepting the credit card that was compromised. Related expenses in addition to the fine could include but are not limited to labor and supply cost associated with identifying and notifying the population exposed by the breach. All costs associated with any required external audits will also be paid by the department, which could be significant.

4. The Credit Card Compliance Committee

B. Payment Card Industry Data Security Standards (PCI-DSS)

PCI-DSS are national standards which apply to all organizations anywhere in the country that process, transmit or store credit cardholder information. The University and all departments that process payment card data have a contractual obligation to adhere to the PCI-DSS to annually certify their continued compliance by submitting the PCI-DSS Self-Assessment Questionnaire (SAQ) appropriate to their credit card activities.

Any costs incurred by a department to become and remain compliant with the PCI Data Security Standards, including but not limited to an annual penetration test (if applicable), shall be borne by the department. Any costs incurred by the University associated with an onsite security audit or a forensic investigation that may be required shall be borne by the department.

Individual credit card information is confidential. Failure to maintain strict controls over this data could result in unauthorized use of credit card data. Credit card information is confidential information and should be treated with great care.

Key Data Control Items:

  • Under no circumstances should a department store sensitive authentication data (full track data from the magnetic stripe and the card validation code, e.g. Card Verification Value 2 (CVV2) on Visa payment cards) after authorization, not even in encrypted form. Once the credit card has been processed, all credit card information must be destroyed immediately in a crosscut shredder. It is not sufficient to simply mark out the credit card information.
  • Never send or request cardholder information to be sent via email. Department forms (web and mail order forms) should not ask for credit card information.
  • Under no circumstances should a department retain electronically (including Excel files, thumb drives, shadow databases, etc.) the card numbers and expiration dates of the customer credit cards.
  • Campus networks, wired or wireless, may not be used to process credit card payments, unless the device is a P2PE PCI compliant device.
  • All credit card information temporarily recorded on paper should be processed immediately and then the paper document should be properly destroyed in a crosscut shredder.
  • The customer copy of the credit card receipt can only contain the last 4 digits of the credit card number. It is required that departments use double truncation which permits only the last 4 digits to be printed on both the merchant and customer receipt.
  • Never send credit card information to the University Archives. Receipts should be destroyed via crosscut shredder immediately after the approved business need has expired.

C. Campus Operating Policies

1. Merchant Accounts and Credit Card Transactions

Departments cannot initiate their own contracts with credit card processing companies until approval has been received from the Controller. All merchant accounts for accepting credit cards must be preapproved by the Controller, must participate in the State’s MSA, and must be approved by the appropriate state offices. Payment card acceptance methods and solutions used must be approved by the Office of the Controller and the ITS Office of Information Security. Any third-party service providers used to collect, transfer, or process payment card information on behalf of the University merchant must be approved by the Office of the Controller and the ITS Office of Information Security. The use of payment card services must conform to all applicable procedures, standards, and regulatory requirements, including, but not limited to, the Payment Card Industry Data Security Standard (PCI-DSS).

Each Department is responsible for all expenses associated with credit card merchant accounts and it cannot adjust the price of goods or services based on the method of payment.

2. Financial Controls

When an item or service is purchased using a credit card, and a refund is necessary, the refund must be credited to the same credit card account from which the purchase was made.

All transactions must be settled and recorded daily in the University’s financial system via proper reporting to The Cashier’s Office.

The department’s (merchant’s) copy of the receipt should not contain the full card number and expiration date. The merchant copy of the receipts must be kept in a secure place (e.g. a locked cabinet with minimal access) for no more than 90 days. At the end of 90 days, the receipts should be destroyed in a secure manner, via crosscut shredder.

3. Reporting Requirements for Actual or Suspected Security Incidents

Departments must report any actual or suspected security incident in which cardholder information may have been compromised. The incident should be reported to the Associate VC for Finance and the University Controller. THIS MUST BE DONE IMMEDIATELY. The University must report all breaches to the State Controller’s Office within 24 HOURS OF DETECTION.

4. Responsibilities

a. Merchants that handle payment cards must:
  1. Create and maintain a list of all personnel approved to use Card Processing Equipment. This list must be shared with the Student Accounts Office;
  2. Create and maintain a list of all Card Processing Equipment and confirm that list with the Student Accounts Office annually. The list must contain the location, make, model, and serial number of each piece of Card Processing Equipment;
  3. Ensure that only approved personnel use Card Processing Equipment;
  4. Ensure that all staff who handle payment cards take the PCI training provided through the Student Accounts Office;
  5. Ensure that all staff are made aware of this policy; related policies, procedures, and resources; and University Policy 203 – Information Technology User Security Policy;
  6. Inspect all Card Processing Equipment daily when in use, and at least monthly when not in use, for evidence of tampering, in particular any foreign device attached to the equipment. If such evidence is discovered, it must first be reported to the department supervisor and then to the Assistant Controller;
  7. Physically secure all Card Processing Equipment in a safe, locked location when not in use;
  8. Ensure all users of Card Processing Equipment requiring authentication have a unique identifier with which to authenticate.
b. Operators of Card Processing Equipment must:
  1. Successfully complete the PCI training and quiz provided by the Student Accounts Office;
  2. Be aware of and abide by this policy; related policies, procedures and resources; and
  3. Report suspicious activities, evidence of tampering or security incidents first to the department supervisor and the Budget & Finance Office.
c. The IT Services Division shall:
  1. Provide a representative to the Credit Card Compliance Committee to aid and assist the Budget & Finance Office in complying with PCI standards.
  2. Review proposed changes and applications to the PCI environment.
  3. Annually review SOC reports of third-party merchants to ensure they are PCI compliant.
d. The Controller’s Office shall:
  1. Maintain a formal payment card security awareness program for university employees who handle payment cards;
  2. Approve or deny new locations of Card Processing Equipment;
  3. Maintain a list of service providers that are involved in processing payment cards for each merchant number owned by the university and a written agreement from each service provider acknowledging what their responsibility is for PCI compliance.

5. Exemptions

Exemptions to this policy may only be authorized by the Vice Chancellor of Budget and Finance and the Information Security Officer.

6. Enforcement

The University Controller and Information Security Officer have joint authority to enforce this policy. Failure to abide by the terms of this policy can result in the revocation of a unit’s authorization to accept payment card transactions. Individuals who fail to comply with this policy shall be subject to discipline in accordance with applicable University policies, up to and including dismissal.
