In September of 2006, a group of five leading payment brands, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Incorporated, launched the Payment Card Industry (PCI) Security Standards Council; an open global forum responsible for the development, management, education and awareness of the PCI Security Standards.
From the Council, came the Data Security Standard (PCI DSS) which provides a baseline of technical and operational requirements designed to encourage and enhance cardholder data security, and facilitate the broad adoption of consistent data security measures globally.
The PCI DSS requirements apply to all entities involved in payment card processing, including: merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. Additionally, the PCI DSS affects all credit card acceptance channels, including: retail, mail, telephone, fax, and e-commerce.
The common processes and precautions for handling, processing, storing and transmitting credit card data established by the PCI DSS, help to combat the unprecedented assaults on personal and financial data which impact cardholders, retailers, banks, service providers and credit card companies.
A high-level overview of the 12 PCI DSS requirements is outlined below:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
Loyola University Chicago is required to remain in compliance with the PCI DSS. Anyone at the University involved in the process of accepting credit card payments must undergo PCI training annually, and must adhere to the rules and regulations outlined by the council and the University.
Non-compliance penalties vary among major credit card networks and can be substantial; companies can be barred from processing credit card transactions altogether, higher processing fees can assessed, and, in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance. Several large, well-known institutions that lacked adequate protection have been responsible for exposing credit card payment data. Consequently, these companies were penalized with significant fines, and experienced backlash from the public resulting from the negative media coverage of the major data security breaches within their organizations.
All University departments that transmit, process, or store cardholder data are responsible and accountable for their PCI Compliance. All employees must do their part to protect credit card data and to mitigate the risks associated with processing credit card transactions.
University Cash Management Services (CMS) works with your department to ensure that you are processing credit card payments or donations in accordance with these regulations. Maintaining PCI Compliance will prevent your department and the University from receiving unnecessary fines due to data exposure.
If the e-commerce needs of your department cannot be met by the TouchNet Marketplace product provided and maintained by CMS, you may request authorization to partner with a third party. However, the third party must provide documentation establishing their PCI compliance, must be on VISA’s list of acceptable service providers (if applicable), and must process via the TouchNet payment gateway and a University merchant account established by CMS.
To assist in maintaining the University’s PCI compliance, Loyola departments must adhere to the rules and business procedures below:
Please note: These rules are subject to change and may not address every PCI DSS requirement. Additional controls and practices may also apply.
- All University and CMS policies must be followed.
- Departments cannot collect credit card data or process credit card payments without prior approval from CMS.
- CMS approval must be obtained before a department can receive credit card data over the phone and via postal mail, and before a department can process in-person card present transactions or eCommerce payments. Before approving any of these credit card acceptance channels, CMS will work with your department to ensure that secure processes are in-place to protect the credit card data being collected. Any changes to your department’s credit card payment acceptance channels must be approved by CMS.
- Departments approved to accept credit card data via postal mail must ensure that strong policies are in place and enforced to secure the cardholder data until it is processed and destroyed.
- Departments may NOT receive or request that credit card payment data be sent to the University via email, fax, instant messenger, or chat. Only transmission methods that can provide encryption capabilities will be approved by CMS.
- Departments can only acquire or utilize credit card processing equipment, hardware and software approved by CMS.
- Departments cannot direct cardholders to a designated computer or computer lab to make credit card payments.
- Departments cannot use a computer to process an eCommerce payment on behalf of a cardholder, unless they have been given access to both Loyola’s VPN and Citrix server. eCommerce payments processed via VPN and Citrix must be done via a Loyola Computer that is hardwired into Loyola’s network; laptops or other wireless devices cannot be used. VPN and Citrix server access is setup by ITS, but can only be requested by CMS.
- Departments cannot process credit card payments over a wireless internet or cellular connection via laptops, cell phones, tablets or other similar devices. Wireless credit card processing must be approved by CMS and can only be done via VeriFone vx680 swipe terminal over cellular connection.
- Departments cannot allow third party vendors to process payments on campus using Loyola’s analog lines, Ethernet connections, or wireless internet. Employees cannot share their user credentials with third parties who come on-campus, and third parties cannot use guest wireless access to process credit card payments.
- Departments cannot utilize imprint machines to collect credit card data. Imprint machines are non-electronic portable devices that slide over and record credit card data, and display full 16-digit credit card numbers on receipts.
- All departments who handle or process credit card data must undergo credit card security training on an annual basis. Departments must notify CMS when new employees with access to credit card data are hired and must ensure that all employees undergo training before they are allowed to handle or process credit card data.
- Unique user IDs and passwords must be assigned to all users with access to cardholder data and related system components. Utilizing group, shared, or generic accounts/passwords is NOT permitted.
- Any user ID that is no longer active or no longer needed must immediately be disabled. Departments are required to notify appropriate systems administration personnel when deactivation is required.
- The storage of cardholder data should be kept to a minimum and only done if it is required for business, legal, or regulatory purposes. Such storage must be in accordance with the data retention policy and must be approved by CMS.
- Stored cardholder data must be protected at all times.
- Credit card numbers should NOT be stored by a department for repeat purchases or recurring donations.
- Do NOT store sensitive authentication data including: full magnetic stripe data or equivalent on a chip, card validation code or value (CAV2/CVC2/CVV2/CID), or PINs/PIN block data.
- Credit card data must be labeled as confidential and employees may NOT electronically store any credit card data on a University computer, server, electronic flash drive, or optical storage (e.g., CD, DVD).
- Paper copies containing credit card data must NOT be left in an unsecure area. Electronic documentation must NOT be left open on a desktop, and users must log-out of programs that have access to credit card data when not in use.
- Electronic or hardcopy reports (e.g., excel or word documents) generated for departmental business reporting may NOT contain any credit card payment data.
- When displayed, mask credit card account numbers to show only the last four digits.
- When tracking transactions, order numbers or reference numbers should be used instead of credit card numbers.
- The shredding of documents that contains credit card payment data must be completed using a cross cut shredder. If a company is hired to shred documentation, a representative from your department must watch the hired company shred the documentation using a cross cut shredding machine.
- Per PCI standard 9.6, departments must physically secure all related media (including, but not limited to point-of-sale (POS) terminals, computers, removable electronic media, paper receipts, and paper reports) to prevent them from being stolen. Departments must also ensure that a dual level of security is put around such documentation or devices. For example, credit card data must be stored in a locked cabinet behind a locked door.
- Per PCI standard 9.7, departments must maintain strict control over the internal or external distribution of any kind of media that contains cardholder information or physical security characteristics of credit card payment information.
- Departments must invoke policies to restrict access to cardholder data by business need-to-know and assign a unique ID and password to each person with computer access. Such access must be restricted only to those individuals whose job requires it. Restriction to physical access of cardholder data should also be enforced.
- Use a visitor log to retain a physical audit trail of visitor activity. Retain this log for a minimum of three months, unless otherwise restricted by law.
- Departments must inspect their point-of-sale devices on a regular basis per the Departments assigned POS terminal inspection schedule, and should notify CMS and the University Information Security Office (UISO) if something appears to be changed, added or different. More specifically, departments should inspect for skimming devices or other malware that may have been attached to or downloaded onto POS devices, which could be used by thieves to steal credit card information.
- Departments need to verify with CMS the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot any credit card devices.
- Departments cannot install, replace, or return credit card devices without the approval of CMS.
Departments must be vigilant about any suspicious behavior around point-of-sale devices (for example, attempts by unknown persons to remove, unplug or open devices). Any suspicious behavior and indications of device tampering or substitution to CMS or University Information Security Office (UISO) immediately.
- The activation of remote-access technologies for third party vendors should be done only when needed, with immediate deactivation after use.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Acquiring or disclosing credit card account data without the cardholder’s consent (including, but not limited to, the full or partial 16-digit credit card number, the card validation code, or PIN) is NOT permitted.
- Refunds must be issued back via the same method used for the original payment. Credit card payments must be refunded back to the same credit card used for payment; a refund via check or cash for a credit card purchase is NOT permitted. Likewise, payments made by cash or check, cannot be refunded via credit card.
- When processing refunds via POS devices, the credit card must be present.
- Per Loyola University Chicago HR policy, a background check is performed upon hiring within the limits of local law.
- Departments must immediately notify CMS and ITS Data Security, if they suspect any credit card information has been exposed, stolen, or misused. To notify CMS, please call 312-915-7413, send an email to LUC-Payments@luc.edu, and send a fax to 312-915-7773. To notify ITS Data Security call 773-508-7668, and send an email to DataSecurity@luc.edu. In the notification email or fax, do NOT disclose any credit card numbers, card validation codes, or PINs. Please include the name of your department name and contact number.
The following Loyola policies must also be reviewed:
Credit Card PolicyResponsibilities of Credit Card Handlers and Processors (This document must be signed and submitted to CMS to complete this training. This form is required to be reviewed and signed annually.)
Updated: September 9, 2015