Responsible Executive: Finance and Administration
Approving Official: Vice President for Finance and Administration
Effective Date: January 1, 2014
Revision History: August 21, 2017 (formatting only); November 6, 2015; January 1, 2014
The purpose of this policy is to define payment card security requirements for all department heads and managers of units that process, transmit or store cardholder data. The provisions of this policy, and of the PCI DSS that serves as its foundation, apply to all university divisions, departments and direct support organizations, including third-party vendor affiliates that support the university's and direct support organizations' credit card processing operations.
Account Number - Payment card number (credit or debit) that identifies the issuer and the cardholder account (also called the Primary Account Number (PAN)).
Anti-Virus Software - Programs capable of detecting, removing, and protecting against various forms of malicious code or malware, including viruses, worms, Trojan horses, spyware and adware.
Approved Scanning Vendors (ASVs) - Organizations qualified by the PCI SSC to perform the external vulnerability scans that the PCI DSS requires of Internet-facing cardholder data environments.
Cardholder Data - Full magnetic stripe or the PAN plus any of the following: cardholder name, expiration date, service code.
Cash Collection Point - A cash collection point is defined as a department, event, club or other entity which collects more than $5,000 annually, with the exception of those entities whose collections occur infrequently and are for the recovery of expenditures such as telephone, copies, etc. All Cash Collection Points must be authorized by the Controller's Office before collections begin.
Compliant Service Provider - An organization that processes, stores, or transmits cardholder data on behalf of members, merchants, or other service providers and has validated its PCI DSS compliance. Service providers must be able to document that validation (for example, with a current Attestation of Compliance) on request.
Firewall - Hardware, software, or both that protect resources of one network from intruders from other networks. Typically, an enterprise with an intranet that permits workers access to the wider Internet must have a firewall to prevent outsiders from accessing internal private data resources.
Merchant - A university department approved to accept payment cards by the University’s Payment Card Oversight Committee.
Merchant Number - An account number that identifies individual payment card honoring merchants within the university or direct support organization.
Payment Application - Software that stores, processes, or transmits cardholder data as part of authorization or settlement. Examples include, but are not limited to, POS software, e-commerce shopping carts, and web-based payment applications.
Payment Cards - Any credit, debit or private label card accepted as a form of payment.
Payment Card Industry Data Security Standard (PCI DSS) - The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
Primary Account Number (PAN) - The payment card number (credit or debit) that identifies the issuer and the particular cardholder account (also called Account Number).
Qualified Security Assessor (QSA) - An individual qualified to perform PCI compliance auditing and consulting. The primary goal of an individual with the QSA certification is to perform an assessment of an organization that handles payment card data against the high-level control objectives of the PCI DSS.
Self-Assessment Questionnaire (SAQ) - The SAQ is a validation tool for merchants not required to undergo an onsite data security assessment under the PCI DSS. The PCI SSC publishes several distinct SAQs, each matched to a particular way of accepting and processing payment cards (see the SAQ validation types below).
Student Business Services - A unit of the Controller's Office, responsible for the operational setup and maintenance of payment card environments.
Truncation - The practice of permanently removing a segment of a data item. When a PAN is truncated, the leading digits are deleted and only the last four digits are retained; for a 16-digit PAN this means the first 12 digits are removed. A truncated PAN is no longer cardholder data, so it may be kept on receipts, reports and logs where the full PAN may not.
University Payment Card Oversight Committee - Committee established by the Vice President for Finance and Administration to oversee the University's PCI compliance efforts.
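The Truncation definition above describes the 16-digit case. The following Python is an added example written for this page, not part of the university policy or of any PCI SSC material; it generalizes truncation to PANs of any valid length (American Express PANs are 15 digits, most Visa and MasterCard PANs are 16) and applies it to free text such as a receipt or log line. The `PAN_MIN`/`PAN_MAX` length range, the regular expression and the sample inputs (well-known card-brand test numbers) are assumptions made for the example.

```python
import re

# Added example (not the policy's own text). Demonstrates PCI DSS-style
# truncation: drop the leading digits of a PAN and keep only the last four.

PAN_MIN, PAN_MAX = 12, 19   # assumed plausible PAN length range
KEEP_LAST = 4               # digits retained after truncation


def truncate_pan(pan: str, keep_last: int = KEEP_LAST) -> str:
    """Return only the last `keep_last` digits of a PAN.

    Spaces and dashes commonly found in keyed or printed card numbers are
    stripped first. Input that is not a plausible PAN raises ValueError so
    a caller never silently stores an untruncated or malformed value.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not PAN_MIN <= len(digits) <= PAN_MAX:
        raise ValueError(f"not a PAN: expected {PAN_MIN}-{PAN_MAX} digits")
    return digits[-keep_last:]


# PAN-shaped digit runs (12-19 digits, optional single space/dash separators).
_PAN_RE = re.compile(r"\b(?:\d[ -]?){11,18}\d\b")


def redact_pans(text: str) -> str:
    """Replace every PAN-shaped run in free text with '...' plus its last
    four digits, e.g. for scrubbing receipts, support tickets or logs."""
    return _PAN_RE.sub(lambda m: "..." + truncate_pan(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample inputs using published test card numbers.
    print(truncate_pan("4111 1111 1111 1111"))   # 16-digit PAN
    print(truncate_pan("378282246310005"))        # 15-digit PAN
    print(redact_pans("order 1042 paid with 4111-1111-1111-1111, exp 12/19"))
```

The length check matters in practice: a scrubber that only slices the last four characters of whatever it is handed will happily "truncate" a 4-digit order number or pass a 19-digit PAN through with separators intact. The regular expression will also redact any other 12-19 digit run (for example, a long numeric timestamp); for a cardholder data environment that false positive is the safer failure mode.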
Only approved Cash Collection Points may accept payment card transactions. If the department is not an approved Cash Collection Point or is unsure of its status as an approved Cash Collection Point, refer to FSU Policy OP-2-D-B Cash Management.
Arrangements to accept payment cards must be made through Student Business Services by completing the Application for Payment Card Merchants and the appropriate PCI Self-Assessment Questionnaire (SAQ). Applicants should carefully consider the estimated cost of accepting payment cards prior to submitting their application (see Payment Card Cost Worksheet). Please be aware that costs are subject to change over time.
Applications will be reviewed by the University Payment Card Oversight Committee to ensure that all data and personal information related to payment card sales passes through specific, approved hardware and software that meets the twelve security requirements of the PCI DSS described below.
Existing merchants must report proposed changes to their approved business plan as well as changes in the way that they process payment cards. Significant changes to the departmental website, products or services being sold, intended customer base, anticipated transaction volume, outside advertising, or application software, as well as changes to the department's responsible contacts, must be reviewed by the University Payment Card Oversight Committee prior to implementation. Merchants planning to undergo these kinds of changes must complete a new Application for Payment Card Merchants.
Merchants must accept all payment cards offered through the university’s Merchant Card agreements. These currently include: Visa, MasterCard, American Express, Discover, and the FSUCard. This list is subject to change.
Card-Present Transactions - Transactions in which the payment card is physically present and is swiped or keyed into an approved point of sale terminal.
Card-Not-Present Transactions – Transactions that occur where the payment card is not available, but data is received through one of a number of other channels such as telephone, mail, or fax. Transactions are processed through an approved point of sale device or payment application.
E-Commerce Transactions - The department uses a third party to host its website, which displays goods and services information and is used to process payments online. The payment card data is processed and stored by the third party, with access given to the appropriate department staff. This type of setup is intended for departments with unique needs. There are third-party costs that must be factored into this business model. Vendors must be PCI DSS compliant, either by appearing on Visa's List of Compliant Service Providers and/or Visa's List of Validated Payment Applications, or by supplying other documentation that affirms they are PCI DSS compliant.
Merchants must ensure that appropriate safeguarding measures are in place to protect cardholder data. The following twelve PCI DSS requirements, as published by the PCI SSC, are key security requirements related to payment card processing:
- Install and maintain a firewall configuration to protect cardholder data for all Internet connected terminals and computers.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data via a secured area.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
Merchants must ensure that appropriate safeguarding measures are in place to protect cardholder data, by following the procedures provided in Section 7.0 of the Controller’s Office Business Management Guide and the Information Security and Privacy Office’s PCI DSS Information Security Requirements. The following university policies must be followed regarding the protection and destruction of cardholder information, in both hard copy and electronic formats.
- 4-OP-F-3 Records Management
- 4-OP-F-6 Destruction/Shredding of Confidential Documents and records
- 4-OP-F-7 Policy on Safeguarding of Confidential Financial and Personal Information
- 4-OP-H-6 Use of University Information Technology Resources
- 4-OP-H-8 Wireless Data Communications
- 4-OP-H-9 Information Technology Security
- 4-OP-H-11 Network Access and Use Policy
Vulnerability scanning is required by the PCI DSS. The university maintains a vulnerability scanning contract with an ASV. All university, financial institution, or third-party provided computing devices (e.g., swipe card devices, cashiering machines, registers) that process, transmit or store cardholder data over the university's network must be included in the university's network scanning program. Merchants intending to add terminals or web access must contact Student Business Services.
PCI DSS requires that each merchant complete a Self-Assessment Questionnaire (SAQ) on an annual basis. The PCI SSC publishes eight distinct merchant SAQs. Each merchant must annually complete the SAQ that fits its business model for processing card transactions and submit it to Student Business Services no later than August 15th. The SAQ validation types in the table below enable the merchant to determine which SAQ is applicable to its business model. The merchant should verify its determination with Student Business Services to ensure the appropriate SAQ is completed.

| SAQ | Merchant description | Channel |
|---|---|---|
| A | Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. | Not applicable to face-to-face channels. |
| A-EP | E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. | Applicable only to e-commerce channels. |
| B | Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. | Not applicable to e-commerce channels. |
| B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. | Not applicable to e-commerce channels. |
| C-VT | Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. | Not applicable to e-commerce channels. |
| C | Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. | Not applicable to e-commerce channels. |
| P2PE | Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. | Not applicable to e-commerce channels. |
| D for Merchants | All merchants not included in the descriptions for the above SAQ types. | All channels. |
| D for Service Providers | All service providers defined by a payment brand as eligible to complete a SAQ. | All channels. |
Departments are responsible for ensuring that personnel who process, transmit, or store cardholder data or have access to such data have satisfactorily completed the University’s Security Awareness Training, prior to assuming their responsibilities. In addition, these individuals must comply with the university’s background screening requirements and sign an Employee Statement of Understanding Regarding Confidentiality. Each department is responsible for notifying Student Business Services whenever a change in personnel is made to assure that new personnel are properly trained before they begin working with cardholder data. The University Security Awareness Training must be taken annually by all personnel who process, transmit or store cardholder data or have access to such data.
The department head must be notified immediately of any suspected or actual security incident involving cardholder data or the computing assets that handle it, particularly any critical system. If it is unclear whether a situation should be considered a security incident, the department should coordinate with the Director of Information Security and Privacy to evaluate it.
The Director of Information Security and Privacy will assist in determining whether a breach has occurred and will escalate and report the incident to the applicable parties in accordance with the university's PCI Incident Response Plan. The university Information Technology Security Team will initiate a security incident summary report for investigating, tracking and analyzing the breach and for providing recommendations (a corrective action plan) to remediate it, including a formal review and verification by the respective merchant and department head.
Department heads are primarily responsible for ensuring that all of their employees are made aware of and comply with this policy. Merchants are subject to annual internal audits and their payment card systems and devices are subject to monthly electronic scans by an external firm.
Merchants who are out of compliance with this policy will have their merchant status revoked. The founding card brands are able to levy significant fines and penalties on the acquiring banks of non-compliant payment card merchants. Contractually, the acquiring bank is allowed to pass those fines on to its non-compliant merchants and ultimately to revoke the university's ability to accept payment cards as a form of payment. In addition, departmental staff may be subject to university disciplinary action, which will be handled through the University disciplinary procedures applicable to the relevant unit or employee.
University employees, volunteers, and students are bound by all applicable laws, rules, policies and procedures. Direct Support Organizations and Third Party Merchants are bound by all applicable laws, rules, policies and procedures, if utilizing university networks. This policy is not intended to limit the applicability of any law or policy and does not preclude University units from implementing additional, supplemental and/or more stringent safeguards.
III. LEGAL SUPPORT, JUSTIFICATION, AND REVIEW OF THIS POLICY
1. Payment Card Industry Data Security Standard (PCI DSS) - This comprehensive standard requires organizations to proactively protect customer account data.
2. Visa Cardholder Information Security Program (CISP) - Visa CISP compliance is required of all entities that store, process, or transmit Visa cardholder data.
This policy shall be reviewed by the Associate Vice President for Finance & Administration (AVP) every seven years for its effectiveness. The AVP shall make recommendations to the Vice President for Finance and Administration for any modification or elimination.