In September 2006, a group of five leading payment brands, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Incorporated, launched the Payment Card Industry (PCI) Security Standards Council, an open global forum responsible for the development, management, education and awareness of the PCI Security Standards.
From the Council came the Payment Card Industry Data Security Standard (PCI DSS), which provides a baseline of technical and operational requirements designed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally.
The PCI DSS requirements apply to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data. Additionally, the PCI DSS covers all credit card acceptance channels, including retail, mail, telephone, fax and e-commerce.
Loyola University Chicago is required to remain in compliance with the PCI DSS.
The common processes and precautions for handling, processing, storing and transmitting credit card data established by the PCI DSS help to combat the unprecedented assaults on personal and financial data that impact cardholders, retailers, banks, service providers and credit card companies.
A high-level overview of the 12 PCI DSS requirements is outlined below:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel
Non-compliance penalties vary among the major credit card networks and can be substantial: companies can be barred from processing credit card transactions altogether, higher processing fees can be assessed, and, in the event of a serious security breach, fines of $500,000 or more can be levied for each instance of non-compliance. Several large, well-known institutions that lacked adequate protection have been responsible for exposing credit card payment data. Consequently, these companies were penalized with significant fines and experienced public backlash resulting from the negative media coverage of the major data security breaches within their organizations.
All University departments that transmit, process, or store cardholder data are responsible and accountable for their PCI Compliance. All employees must do their part to protect credit card data and to mitigate the risks associated with processing credit card transactions.
University Cash Management Services (CMS) works with your department to ensure that you are processing credit card payments or donations in accordance with these regulations. Maintaining PCI Compliance will prevent your department and the University from receiving unnecessary fines due to data exposure.
To assist in maintaining the University’s PCI compliance, Loyola departments must adhere to the rules and business procedures below:
Please note: These rules are subject to change and may not address every PCI DSS requirement. Additional controls and practices may also apply.
- All University and CMS policies must be followed.
- Departments cannot collect credit card data or process credit card payments without prior approval from CMS.
- CMS approval must be obtained before a department can accept credit card payments. Departments are required to provide all potential acceptance channels (phone, postal mail, in-person point of sale, or eCommerce) for CMS review. Before approving any of these credit card acceptance channels, CMS will work with your department to ensure that secure processes are in place to protect the credit card data being collected. Any changes to your department’s credit card payment acceptance channels must be approved by CMS.
- Departments approved to accept credit card data via postal mail must ensure that strong policies are in place and enforced to secure the cardholder data until it is processed and destroyed.
- Departments may NOT receive or request that credit card payment data be sent to the University via email, fax, instant messenger, chat, or any other unencrypted transmission method.
- Departments cannot direct cardholders to or provide a University designated computer, computer lab, iPad, tablet or other device to make credit card payments.
- Departments cannot use a computer to process an eCommerce payment on behalf of a cardholder unless they have been given access to both Loyola’s LSA and Remote App server. eCommerce payments processed via LSA and Remote App must be done on a University computer that is hardwired into the University’s network; laptops or other wireless devices cannot be used. LSA and Remote App server access is set up by ITS, but can only be requested by CMS.
- Anyone at the University involved in the process of accepting credit card payments must undergo credit card security training on an annual basis and must adhere to the rules and regulations outlined by the Council and the University. Departments are required to notify CMS when new employees with access to credit card data and/or systems are hired and must ensure that all employees undergo training before they are allowed to handle or process credit card data.
- Do NOT acquire cardholder PINs (personal identification numbers). If a PIN is needed, the cardholder must enter it directly into the terminal.
- Credit card data must be labeled as confidential and employees may NOT electronically store any credit card data on a University computer, server, electronic flash drive, USB drive or optical storage (e.g., CD, DVD).
- Paper copies containing credit card data must NOT be left in an unsecured area. Electronic documentation must NOT be left open on a desktop, and users must log out of programs that have access to credit card data when not in use.
- Electronic or hardcopy reports (e.g., Excel or Word documents) generated for departmental business reporting may NOT contain any credit card payment data.
- When tracking transactions, order numbers or reference numbers should be used instead of credit card numbers.
- The shredding of documents that contain credit card payment data must be completed using a cross-cut shredder. If a company is hired to shred documentation, a representative from your department must watch the hired company shred the documentation using a cross-cut shredding machine.
- Per PCI standard 9.5, departments must physically secure all related media (including, but not limited to, point-of-sale (POS) terminals, computers, removable electronic media, paper receipts, and paper reports) to prevent them from being stolen. Departments must also ensure that a dual level of security (such as two of the following four locations: a locked drawer/file cabinet, a safe that has been bolted to the floor, a locked office, or a badge-secured area) is put around such documentation or devices.
- Per PCI standard 9.6, departments must maintain strict control over the internal or external distribution of any kind of media that contains cardholder information or physical security characteristics of credit card payment information.
- Departments must invoke policies to restrict access to cardholder data by business need-to-know (those individuals whose job requires it). Unique user IDs and passwords must be assigned to all users with access to cardholder data and related system components. Utilizing group, shared, or generic accounts/passwords is NOT permitted. Restriction of physical access to cardholder data should also be enforced.
- Any user ID that is no longer active or no longer needed must immediately be disabled. Departments are required to notify appropriate systems administration personnel when deactivation is required.
- Use a visitor log to retain a physical audit trail of visitor activity in secured areas. Retain this log for a minimum of three months, unless otherwise restricted by law.
- Departments need to verify with CMS the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot any credit card devices.
- Departments must be vigilant about any suspicious behavior around point-of-sale devices (for example, attempts by unknown persons to remove, unplug or open devices). Report any suspicious behavior and indications of device tampering or substitution to CMS and the University Information Security Office (UISO) immediately.
- The activation of remote-access technologies for third party vendors should be done only when needed, with immediate deactivation after use.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Refunds must be issued via the same method used for the original payment. Credit card payments must be refunded to the same credit card used for payment; a refund via check or cash for a credit card purchase is NOT permitted. Likewise, payments made by cash or check cannot be refunded via credit card.
- When processing refunds via POS devices, the credit card must be present.
If at any time a department experiences a breach or compromise of any payment information or related data, or suspects that credit card information has been exposed, stolen or misused, that department must report the event immediately to their supervisor, CMS and ITS Information Security. CMS will then assess the situation in cooperation with ITS and invoke the necessary incident response plan. CMS will then notify the University’s acquirer.
To notify CMS, please call 312-915-7438, email LUC-Payments@luc.edu, or fax 312-915-7773. To notify ITS Information Security, call 773-508-7373, email DataSecurity@luc.edu, or submit via https://www.luc.edu/its/uiso/contacttheuiso/report.shtml. Please do NOT disclose any credit card payment data in your notification. Please include the department name and contact number.
The following Loyola policies must also be reviewed:
Responsibilities of Credit Card Handlers and Processors: This document must be reviewed, signed and submitted to CMS annually to complete PCI training.
Reviewed: August 7, 2019