7.8.1 PCI DSS Compliance Policy

Added: 5/10/2024
Revised: N/A
Last Reviewed: 5/10/2024
Effective: 6/9/2024


Overview and Purpose

To accept credit card payments, Middle Georgia State University (MGA) must prove and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of security requirements maintained by the PCI Security Standards Council, which was founded by the five major payment card brands: VISA, MasterCard, Discover, American Express and JCB. These requirements apply to all payment card transactions and to the merchants and organizations that accept these cards as a form of payment.

The purpose of the PCI DSS is to protect cardholder data. Any failures to protect customer information may result in monetary loss for customers, suspension of credit card processing privileges, fines, and damage to the reputation of the University.  

This policy sets the requirements for processing, transmitting, storing, and disposing of cardholder data from payment card transactions, in order to reduce the institutional risk associated with administering credit card payments and to ensure proper internal control and compliance with the PCI DSS.

Scope

This policy applies to all campus individuals, stewards, third-party merchants, systems, and networks involved with the transmission, storage, or processing of cardholder data that utilize the University IT infrastructure to perform payment card processing.

Policy


The University does not support payment card processing on University-owned systems. The strategy is to outsource all payment card processing to off-site, PCI-compliant vendors, thereby minimizing the PCI compliance scope for University-owned business processes (where the University is the merchant). These standards apply to all campus merchants using Middle Georgia State University's IT infrastructure.

All PCI-DSS merchant activity must comply with the following. Unless otherwise indicated, the individual duties outlined below are the responsibility of the PCI-compliant vendor or owner of POS equipment.  

  • Be approved:  
    • The MGA Chief Information Security Officer (CISO) and the Assistant Vice President, Finance & Business approve merchant activity for the University.
  • Maintain a secure network and systems:
    • Network transmission of payment card information must occur only on the University’s dedicated point of sale (POS)  
    • Transmission of payment card information on the University’s WIFI networks is
    • Point of sale (POS) devices that transmit credit card information must be PCI DSS compliant.
    • Use of vendor-supplied defaults for system or device passwords is prohibited.
    • Maintain an inventory of system components in scope for PCI DSS.
  • Protect Cardholder data:
    • All payment card transmissions must be encrypted. All credit card terminals must use PCI DSS compliant encryption, e.g., point-to-point encryption (P2PE) or similar encryption, so that account data is never in cleartext on the University network.
    • Storing, processing, or retaining payment card data on the University's network and systems is prohibited. 
    • Communicating or accepting cardholder data in-person or over the phone is permitted when other forms of credit card payment are unavailable to the customer. However, cardholder data, if temporarily written down, must be kept only long enough to complete the transaction. Cardholder data must be destroyed (shredded) immediately following the transaction – it must never be retained.
    • Accepting or communicating cardholder data via email, fax, chat, instant messenger, or other messaging technologies is expressly prohibited.
  • Maintain a vulnerability management program:
    • Vulnerability scanning of point-of-sale systems and devices must be performed at least quarterly.
    • Anti-phishing, antivirus, and anti-malware mechanisms are required to protect users and systems against phishing and malware.
  • Implement access control measures:
    • Point of sale devices that transmit cardholder data must be stored in a locked or controlled space when not in use.
    • Routine inspections of Point-of-Interaction (POI) devices are required by daily users to detect tampering and device substitution. Staff should report suspicious activity to their supervisor immediately.
  • Monitor and test networks (University):
    • Utilize data loss prevention software to detect the transmission of unencrypted credit card data across the network. Any unencrypted transmission must be reported immediately to the end user, the department POC, and the Assistant Vice President, Finance & Business.
    • Monitor network for unapproved devices. Block network access to prevent transmission of sensitive data when necessary.
  • Maintain an information security policy (University):
    • Annual internal audit of PCI compliance policy and procedures.

Enforcement  

When procedures, processes, equipment, vendors, or personnel are found to be out of compliance with this policy, the Chief Information Security Officer, in coordination with the Assistant Vice President, Finance & Business, will notify the designated University POC for the department or system. The communication will explain the reason for non-compliance, provide the required plan of action to become compliant, and give a timeframe in which to complete the action plan.  

If compliance is not attained within the given timeframe, the matter will be escalated to the Vice President for Finance and Business, and a decision will be made to suspend payment card processing, extend the timeline to reach compliance, or take other appropriate and necessary action.    

Failure to comply with this policy or criminal use of payment card devices, credit card data, and associated software may result in corrective action, up to and including termination or criminal charges.  

Any fines or assessments imposed by a credit card company due to alleged non-compliance will be the responsibility of the impacted department or vendor.    

Security Incidents   

A security incident is defined as a suspected or confirmed data compromise. A data compromise is any situation where there has been unauthorized access to a system or network where prohibited, confidential, or restricted data is collected, processed, stored, or transmitted. A data compromise can also involve suspected or confirmed loss or theft of any material or records that contain cardholder data.   

In the event of a security incident, anyone with actual knowledge or a reasonable suspicion of an incident is instructed to make an immediate report to the following:   

  • Chief Information Security Officer – cybersecurity@mga.edu or call 471.2470

Definitions

Attestation of Compliance (AOC) - a declaration of the results of a PCI DSS assessment, completed and signed by the entity that underwent the assessment. The AOC reflects the results of a PCI DSS assessment documented in an associated Report on Compliance or Self-Assessment Questionnaire.

Cardholder Data (aka payment card data) - the primary account number (PAN), cardholder name, expiration date, and service code. Sensitive authentication data (full track data, card verification codes, PINs and PIN blocks) is a separate category under PCI DSS; together with cardholder data it forms account data, and sensitive authentication data must never be stored after authorization, even if encrypted.

Payment Card Industry Data Security Standard (PCI DSS) - While not a law, compliance with the Payment Card Industry Data Security Standard is required to accept major credit cards for business transactions on a University System of Georgia (USG) campus. PCI DSS defines protected customer financial information and establishes security best practices to safeguard that information. Further details about PCI can be found at the PCI Security Standards Council web site (https://www.pcisecuritystandards.org/).

Self-Assessment Questionnaire (SAQ) - a PCI DSS validation tool for merchants and service providers that are not required to undergo an on-site assessment by a Qualified Security Assessor, allowing them to assess and report their own PCI DSS compliance status. Which SAQ applies depends on how the merchant accepts payment cards; outsourcing processing to a PCI-compliant vendor, as this policy requires, is what keeps the applicable SAQ short.

Point of Interaction device (POI) - the initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions.   

Point-to-point encryption (P2PE) - a payment security solution in which account data is encrypted inside the point-of-interaction device at the moment the card is swiped, dipped, or tapped, and decrypted only within the solution provider's secure environment, so that cleartext card data never traverses the merchant's systems or network. This prevents interception and fraud on the merchant side and reduces the merchant's PCI DSS scope.

For further PCI DSS related terminology, please refer to the PCI SSC Glossary:  https://www.pcisecuritystandards.org/glossary/  

Related policies and resources