Payment Card Industry Data Security Standards (PCI DSS) Security Policy

Introduction:

The Payment Card Industry Data Security Standard (PCI DSS, referred to in this policy as “PCI”) is a set of security requirements that the payment card brands impose contractually on any entity that accepts payment cards. The primary intent of PCI is to protect payment card transactions and cardholder data.

Scope:

This policy sets forth the framework for Georgetown University’s compliance with PCI security and technical requirements.

Applicability:

The PCI Security Policy applies to every Service Center Coordinator, Center Staff member, University Merchant ID holder (“Merchant”), and all individuals who accept, process, store, manage or otherwise interact with payment card data (“Card processor”).

Definitions:

Acquirer:  Also referred to as “Merchant bank,” “acquiring bank,” or “acquiring financial institution.” Entity that initiates and maintains relationships with Merchants for the acceptance of payment cards.  The acquiring bank for the University is PNC.

Authorized User:  A member of the University community who has been identified and authorized by a Service Center Coordinator as a card processor, has documented acceptance of University policies, and has successfully completed the mandatory training.

Card processor: Any authorized member of the University community who accepts, processes, stores, reviews, or in any way handles cardholder data on behalf of a Service Center.

Cardholder data: The full Primary Account Number (PAN), or the full PAN along with any of the following elements: Cardholder name, Expiration date, Service code. Sensitive authentication data (full magnetic-stripe or chip track data, card verification codes such as CVV2/CVC2/CID, and PINs or PIN blocks) is a separate category under PCI DSS and must never be stored after authorization, even if encrypted.

Dedicated PCI Facility: Space whose primary purpose, or within which one of the primary activities, is the processing of cardholder data, such as a call center. 

Merchant: A University unit that has been assigned a merchant ID by Treasury Operations for the purpose of accepting and processing payment card transactions. Merchants are aggregated into Service Centers.

Merchant ID: Number used to identify the University unit processing each transaction.

PAN: Full Primary Account Number

Payment card: Credit or debit card

PCI:  Payment Card Industry Data Security Standards (also called PCI DSS)

POS Device:  Acronym for Point of Sale Device.  Also called Terminal.  Authorized device used to process payment card transactions.  Such transactions may be “Card Present” or “Card Not Present.”

ROC/AOC:  Acronyms for “Report on Compliance” and “Attestation of Compliance.”  The ROC documents the detailed results of an entity’s PCI DSS assessment; the AOC is the entity’s signed declaration of its compliance status, based on the results of the ROC.

Security Event:  An occurrence considered by the University to have potential security implications for a system or its environment.  In the context of PCI DSS, security events identify suspicious or anomalous activity.

Separation of Duties:  Practice of dividing steps in a function among different individuals, so as to prevent a single individual from being able to subvert the process.

Service Center:  Any Campus-based University unit with responsibility for processing and managing payment card transactions and financial procedures, and which is assigned one or more Merchant IDs by Treasury Operations for the purpose of accepting and processing payment card transactions.

Service Provider: Any company that stores, processes, or transmits cardholder data for or on behalf of another entity

Terminal: see POS Device

Guiding Principles/Purpose:

The PCI DSS Security Policy defines the security standards that Service Centers and card processors must follow in implementing basic safeguards to protect the confidentiality, integrity, and availability of payment transaction and cardholder data.

Administration and Implementation:

Georgetown University will maintain the security of payment card data in the manner set forth in the Georgetown PCI Security policy and the associated procedures. Georgetown University will adhere to all applicable general requirements, approaches, standards, specifications, and maintenance requirements of PCI DSS in developing and maintaining policies and procedures for security standards for the protection of PCI data. Whenever there is a change in the standards that necessitates a change to Georgetown University Security policies and procedures, Georgetown University will promptly document and implement the revised policies and procedures.

Requirements and Responsibilities:

PCI requires the University to put into place appropriate safeguards to protect the integrity, confidentiality and availability of payment card data that is received or managed by the University’s merchants.

Administrative Safeguards

Risk Assessment: Georgetown will perform a PCI risk assessment at least annually, and upon significant changes to the environment. This assessment will identify critical assets, threats, and vulnerabilities and produce a formal, documented analysis of risk.[Addresses PCI DSS Section 12.2.]

Information Security Policy:  Georgetown has implemented a general Information Security Policy, applicable to all members of the University Community. The University has established, published, maintained, and disseminated a University information security policy, and will review the security policy at least annually.  The University will also update the policy when the environment changes. [Addresses PCI DSS Section 12.1.]

Information Access Management: All Service Centers will establish procedures in compliance with the University Information Security Policy and its associated procedures, to ensure that only authorized users, limited to those with a business need to know, have access to Cardholder data and to the devices that manage such data. [Addresses PCI DSS Sections 7 and 8.]

Security Awareness and Training: All Service Centers will ensure that everyone who receives, handles, stores, or otherwise interacts with PCI (Cardholder) data receives PCI security training upon hire and periodic security updates at least annually. [Addresses PCI DSS Sections 9 and 12.6.]

Password Management: All card processors will adhere to the University’s Information Security Policy as well as the Standards for Password and Passphrase Management. Passwords must be changed immediately if they are known or suspected to be compromised. [Addresses PCI DSS Section 8.4.]

Device and Media Controls:  All Service Centers will establish procedures to govern the receipt, distribution, storage and destruction of media that contain PCI data, and to appropriately secure and manage PCI-related devices.  The movement of these items within and out of the department must be documented and approved by management. [Addresses PCI DSS Sections 9.5-9.8.]

Visitor Identification (Dedicated PCI Facility): Georgetown must document procedures to identify and authorize visitors to any Dedicated PCI Facility operated by the University.  Such procedures shall include:

  • Identifying onsite visitors (for example, assigning badges, using a visitor log that is maintained for at least 3 months) so as to distinguish them from authorized personnel
  • Documenting changes to access requirements
  • Revoking or terminating onsite personnel identification and expired visitor identification (such as ID badges). [Addresses PCI DSS Sections 9.2 and 9.4.]

Service Providers: The University will maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:

  • Maintain a list of service providers.
  • Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
  • Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
  • Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
  • Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by Georgetown. [Addresses PCI DSS Sections 12.8.1-12.8.5.]

Incident Reporting: All Service Centers must have procedures in place so that the University Information Security Office is notified when PCI data is involved in a security incident (examples include virus or worm infection, accounts being compromised, and unintended disclosure of data to unauthorized individuals). [Addresses PCI Section 12.10.]

Physical Safeguards

Access Controls (Dedicated PCI Facility): Each Service Center with oversight of a Dedicated PCI Facility must adhere to the Standards for Protection of Dedicated PCI Facilities. [Addresses PCI DSS Section 9.]

Management of media, including paper:

  • Physically secure all media in a secure location.
  • Document notification and approval of  any and all movement of media out of a secured area.
  • Properly maintain inventory logs of all media and conduct media inventories at least annually. [Addresses PCI DSS Sections 9.5-9.7.]

Protection of stored cardholder data (paper-only):

  • Limit data storage amount and retention time to that which is required for legal, regulatory and/or business requirements.
  • Develop departmental retention and disposal policy.
  • Mask the PAN whenever it is displayed (at most the first six and last four digits may be visible to personnel without a business need to see the full PAN) and render any stored PAN unreadable.
  • Never store the card verification code, full track data, or PIN after authorization, even if encrypted. [Addresses PCI DSS Sections 3.1-3.4.]
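The masking rule above is the same whether a PAN is transcribed onto paper, typed into a help-desk ticket, or written to a log. The following is an added example, not code from the University or its policy, showing how the rule is applied in practice: a Luhn check to tell a genuine-looking PAN from an arbitrary digit run, a masking function that refuses to show more than the first six and last four digits, and a redactor that scrubs PANs from free text. The sample ticket note and the card numbers in it are constructed (they are published test numbers, not real accounts); the function names are the example's own.

```python
import re

# Constructed sample input: a help-desk note of the kind that should never
# carry a full PAN. Both numbers are published test card numbers.
SAMPLE_NOTE = (
    "Customer called about charge on card 4111 1111 1111 1111, "
    "order 20170315-0042; second card 5500-0000-0000-0004 declined."
)


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812). Every real PAN passes it, so it separates
    account numbers from order numbers and other digit runs of similar length."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, show_first: int = 6, show_last: int = 4) -> str:
    """Mask a PAN for display. PCI DSS 3.3 permits at most the first six and
    last four digits to be shown; a request for more is rejected rather than
    silently honoured. Separators (spaces, dashes) are stripped first."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    if show_first > 6 or show_last > 4 or show_first < 0 or show_last < 0:
        raise ValueError("PCI DSS 3.3 allows at most first six / last four digits")
    hidden = len(digits) - show_first - show_last
    head = digits[:show_first]
    tail = digits[len(digits) - show_last:] if show_last else ""
    return head + "*" * hidden + tail


# Digit runs of 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(text: str, show_last: int = 4) -> tuple:
    """Replace every Luhn-valid PAN in free text with a masked form that keeps
    only the last four digits. Returns (redacted_text, number_of_pans_found).
    Digit runs that fail the Luhn check (order numbers, phone numbers) are left
    untouched so the note stays useful."""
    count = 0

    def _replace(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)
        count += 1
        return mask_pan(digits, show_first=0, show_last=show_last)

    return _PAN_CANDIDATE.sub(_replace, text), count


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    redacted, n = redact_pans(SAMPLE_NOTE)
    print(n, redacted)
```

The redactor deliberately keeps the order number intact: it is twelve digits and fails the Luhn check, so it is not treated as a PAN. Anything that passes both tests is masked before the note is stored, which is the control the retention and masking bullets above require.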

Technical Safeguards

UIS will maintain detailed documentation of standards and procedures in support of these safeguards, and incorporate them into UISO Procedural Requirements.

Appropriately implement Risk Management procedures: The University will implement measures to reduce computer risks and vulnerabilities, including: identifying and documenting potential risks and vulnerabilities that could impact systems managing PCI cardholder data (if any); and performing technical security assessments of systems managing PCI data at least annually and after significant changes, in order to identify and remedy detected security vulnerabilities. [Addresses PCI DSS Sections 11 and 12.2.]

Information Security Management Responsibility: Georgetown assigns to the University Information Security Office (UISO) responsibility for information security policies and procedures, security incident response, and access control administration and monitoring. [Addresses PCI DSS Section 12.5.]

Incident Response: The University Information Security Office will create, maintain and test an incident response plan, so as to be prepared to respond immediately to a system breach. [Addresses PCI Section 12.10.]

Compliance:

Every employee with access to PCI data is required to adhere to all PCI mandates. Violation of this policy may result in disciplinary action up to and including termination of employment.

Resource(s):

University Information Security Policy

Computer Systems Acceptable Use Policy

Georgetown University Payment Card Industry Data Security Standard (PCI DSS) Policy

Approval:

Judd Nicholson

This policy will be reviewed and updated as needed, but at least annually, unless changes in institutional policy or relevant law or regulation dictate otherwise.

Reviewed and Approved:  February 2016

Revised: March 2017