The University of Memphis
Payment Card Industry (PCI) Compliance
In order to accept credit cards for payment, the University of Memphis is required to comply with standards set forth by the Payment Card Industry Data Security Standard (PCI-DSS) and global payment brands. Failure to comply with these standards will jeopardize the University of Memphis’s ability to accept credit card payments and could result in substantial fines.
This policy establishes authority and responsibility for protecting credit card account information at the University of Memphis and applies to all University employees, students, contractors, consultants, guests, and any other users who process, transmit, or access credit card information on behalf of the University of Memphis. It is the University’s Policy not to store credit card data for any reason in any manner. This policy should be used in conjunction with the Cash Handling Guide-Processing Credit Card Transactions, Cash Receipting Training, ITS Data Security Policy, and the Red Flag Policy. Failure to follow these policies and procedures could result in revoking the department’s/activity’s ability to accept credit cards.
|Acquirer|
Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution”. Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.
|ASV|
Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services.
Personal Account Number (or credit card number), name on the card, expiration date, and Card Validation Code. This information can also be considered any information stored on the magnetic stripe or chip of a payment card that could potentially be used for fraudulent activities.
|CVSS|
Acronym for "Common Vulnerability Scoring System." Open industry standard for assessing the severity of computer system security vulnerabilities.
University of Memphis technical staff that provide support for faculty, staff and students. Technical support includes, but is not limited to, computer hardware, computer software, network connectivity and mobile device support.
|Encryption|
Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.
|Firewall|
Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.
|Global Payment Brands|
American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and VISA Inc.
|Merchant|
For the purpose of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment of goods and/or services. A merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.
The Committee, composed of representatives from ITS, the Bursar's Office and some receipting departments, charged with coordinating the implementation of this policy.
|PCI DSS|
Acronym for "Payment Card Industry Data Security Standards". Comprehensive standards and supporting materials to enhance payment card data security. The standards provide a robust security process including prevention, detection and appropriate reaction to security incidents.
|PCI SSC|
Acronym for "Payment Card Industry Security Standards Council." The PCI SSC is led by a policy-setting Executive Committee, composed of representatives from the five founding global payment brands and strategic members. The council provides a variety of tools, questionnaires, guidance, FAQs, training resources and other materials and information to assist organizations seeking to achieve compliance with its standards.
|QSA|
Acronym for “Qualified Security Assessor." Company approved by the PCI SSC to conduct PCI DSS on-site assessments.
|SAQ|
Acronym for “Self Assessment Questionnaire.” Tool used by any entity to validate its own compliance with PCI DSS.
All system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review.
Isolated and protected network utilized for the processing of credit card data.
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.
|SNMP|
Acronym for “Simple Network Management Protocol.” Supports monitoring of network attached devices for any conditions that warrant administrative attention.
|System Administrator (Department)|
An individual(s) responsible for the administration and maintenance of their service provider system and user access.
|Two Factor Authentication|
Method of authenticating a user, whereby two or more factors are verified. These factors include something the user has (such as a hardware or software token), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints or other forms of biometrics).
|University|
“University” refers to the University of Memphis as a whole and includes all units.
Any network not necessary for the processing and security of credit card data, and maintenance of devices performing those operations.
Scan that detects flaws or weaknesses which, if exploited, may result in an intentional or unintentional compromise of a system.
The PCI Committee will review the University's scope at a minimum annually and upon any credit card payment process change, any request from the University’s acquirer, and any changes to PCI regulations. The PCI scope review is based on PCI DSS, the *VISA and MasterCard Payment Card Merchant Level as outlined below, and the appropriate Self Assessment Questionnaire (SAQ). Upon completion of the SAQ, any remediation will be acted upon immediately and the SAQ will be reevaluated. The University may at any time contract with a QSA to perform a Gap Analysis to determine any compliance gaps that will need to be included in the University PCI scope and any remediation for PCI compliance. The University’s Policy not to store credit card data for any reason in any manner will significantly reduce the University's scope. All credit card information should be thought of as highly sensitive, "need to know only" information and should be treated as such. Merchants that store, process or transmit cardholder data must be PCI compliant. Each merchant falls into one of four merchant levels based on transaction volume. A Level 1, Level 2, or Level 3 merchant is required to report its compliance status directly to its acquiring bank. The University of Memphis's current acquirer has defined the University as a Level 3 merchant.
*Based on the global payment brands standards, VISA and MasterCard have the most stringent requirements for determining Merchant Level. Links to current VISA and MasterCard levels criteria are below:
PCI DSS Self-Assessment Questionnaire (SAQ) Scope:
|Section 1 - Install and Maintain a Firewall Configuration to Protect Data|
A. Electronic Communication and Access
1. Traffic is restricted to that which is necessary for the cardholder environment – all other traffic is denied.
2. Access to credit card processing services will be restricted from all other on-campus networks.
|Section 2 – Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters|
A. Vendor Defaults
Vendor supplied defaults must be changed before installing systems on the secure network. This includes, but is not limited to, passwords, SNMP community strings, and elimination of unnecessary accounts.
B. Authorized Connectivity, Services, Protocols, and Devices
C. Remote Access
|Section 3 – Protect Stored Cardholder Data|
A. Storage of Cardholder Data
Cardholder data may not be stored in any University system, server, personal computer, e-mail account, portable electronic device (laptop, flash drive, CD/DVD, PDA, cell-phone, tablet, portable hard-drive, etc.) or on paper documents.
B. Protecting Cardholder Data
C. Masking Data
Any PAN displayed or printed must be masked to display no more than the last four digits.
D. Scanning for Credit Card Data
The University has deployed a software auditing package to perform quarterly scans of University owned systems to ensure that no credit card data is retained on those systems. The software is required to be installed on all local computers and to perform scans searching for possible credit card numbers; any results of the scan are logged to a central management console supported by ITS. At no time are the entire contents of any files directly accessible from the management console. The only data stored in the software console are the reported match and the location and name of the file. The following is an overview of the procedures once the quarterly scan has completed.
Bursar's Office is responsible for monitoring and reviewing quarterly scans and remediation in the PCI network environment.
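Both the masking rule in Section 3.C and the quarterly scan in Section 3.D depend on recognizing a PAN in text and never exposing more than its last four digits. The following Python scanner is an added example for this page; it is not the University's auditing package and not part of the policy. It finds 13- to 19-digit candidates, keeps only those that pass the Luhn check (an assumption about how such tools reduce false positives; the policy does not name any check), and reports only the file name, the offset within the file, and the masked match, so the report itself never holds a full PAN. The file paths and contents are constructed sample data; the test card numbers are the widely published Visa and MasterCard test values.

```python
import re

# Candidate PAN: 13 to 19 digits, each digit optionally followed by one space or dash.
# The lookarounds stop the pattern from matching a slice of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: drops most random digit strings that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so only the last four digits remain (Section 3.C rule)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str):
    """Return (offset, masked_pan) for every Luhn-valid candidate in the text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def scan_files(files: dict):
    """Scan {path: content}. The report carries path, offset and masked match only,
    mirroring the policy's rule that the console never holds full file contents."""
    report = []
    for path, content in files.items():
        for offset, masked in find_pans(content):
            report.append({"file": path, "offset": offset, "match": masked})
    return report


# Constructed sample files (not real University data). The first and third hold
# published test card numbers; the second holds a phone number and a 16-digit
# ticket number that fails the Luhn check, so neither should be reported.
SAMPLE_FILES = {
    "C:/Users/staff/Documents/refund_notes.txt":
        "Refund for order 1187, card 4111-1111-1111-1111 exp 09/27\n",
    "C:/Users/staff/Documents/phone_list.txt":
        "Bursar desk 901-678-2000, ticket 1234567890123456\n",
    "C:/Users/staff/Desktop/vendor.csv":
        "Acme Supply,5555555555554444,net30\n",
}


if __name__ == "__main__":
    for entry in scan_files(SAMPLE_FILES):
        print(f"{entry['file']} @ {entry['offset']}: {entry['match']}")
```

The Luhn filter is what keeps ordinary numeric data (phone numbers, ticket or order numbers) out of the report; a real deployment would add brand-prefix and length rules per card brand, and the remediation step from the policy (locating and securely deleting the file) is a separate, manual process.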
|Section 4 – Encrypt Transmission of Cardholder Data Across Open, Public Networks|
A. Security Protocols
Strong cryptography and security protocols, such as TLS, SSH, or IPSEC, will be used to protect all cardholder data transmitted over the network.
B. Unacceptable Transmission Methods
Cardholder data may not be transmitted via end-user messaging systems, such as, but not limited to, chat/instant messaging, text messages, or e-mail. It is the University's policy not to accept any credit card data via any of these methods.
|Section 5 – Protect All Systems Against Malware and Regularly Update Anti-virus Software or Programs|
Industry standard anti-virus and anti-malware protection software will be installed on all devices in the secure network.
|Section 6 – Develop and Maintain Secure Systems and Applications|
All system components and software within the secure network will have the latest vendor-supplied security patches installed within one month of release.
|Section 7 – Restrict Access to Cardholder Data by Business Need to Know|
A. Limited Access
B. Access Authorization and De-authorization
|Section 8 – Identify and Authenticate Access to System Components|
Local Access Accounts
Remote Access Accounts
|Section 9 – Restrict Physical Access to Cardholder Data|
A. Credit Card Data Storage
Credit card data is not stored either electronically or on hard copy. Credit card data must be secured at all times prior to the processing of payment. Hard copy credit card data is crosscut shredded upon completion of processing payment.
B. Credit Card Data Controls
All access to cardholder data in non-electronic formats will be handled in accordance with the University's Cash Handling Guide, Training Guide and Department/Activity Internal Procedures.
C. Credit Card Devices
Credit card swipe devices will be protected against tampering. The department/activity with the device will be required to inspect the device weekly for tampering or substitution. Staff training for the inspection of the devices is part of the annual cash receipting training. A list of all devices as required by 9.9.1 (a) will be maintained by the PCI Committee. Departments/activities that want to purchase new equipment are required to notify the Bursar’s Office prior to purchasing so the equipment can be verified as PCI compliant. Upon receiving the new equipment or moving the location of current equipment, the department/activity must notify their Technical Support to verify the equipment and submit a help desk request to the Bursar's Office to update the Device Log.
|Section 10 – Track and Monitor All Access to Network Resources and Cardholder Data|
|Section 11 – Regularly Test Security Systems and Processes|
A. Inspection of In Scope Environment
On a quarterly basis, all components in the secure network will be inspected to verify no unauthorized wireless devices are present.
B. Vulnerability Scans
C. Penetration Testing
Penetration testing will be performed by an approved scanning vendor to meet PCI DSS requirements.
|Section 12 – Maintain an Information Security Policy|
A. PCI Related Policies
B. Acceptable Use of Technology
Critical technologies, including but not limited to, desktop and laptop computers, thin-clients, removable electronic media, and remote access technology will be limited to the minimum requirements necessary to process credit card data.
C. PCI Training
A formal cash receipting training including security awareness is required to be completed annually by all personnel involved in cash handling including, but not limited to, credit card processing.
D. Service Providers
Visa Card Criteria https://usa.visa.com/support/small-business/data-security.html/
Cash Handling Guide http://www.memphis.edu/bursar/handling_guide.php
Cash Handling Training (Credit Card) http://bf.memphis.edu/bfguide/10919.htm
Campus Data Security Policy https://umwa.memphis.edu/umpolicies/UM1691.htm
Red Flag Policy https://umwa.memphis.edu/umpolicies/UM1714.htm
UM1762 - Revised November 23, 2016
UM1762 - January 21, 2016
UM1762 - Issued: October 2, 2013