Credit Card Operations General Policy and Procedures

Credit Card PCI General Information and Procedures

Any department processing payment card transactions via a web site or Point of Sale (POS) machine is affected by the Payment Card Industry Data Security Standard (PCI DSS). The Treasurer’s Office is responsible for maintaining compliance with these standards for the College of Charleston.

All College of Charleston approved employee merchants are required to become PCI DSS compliant, as well as adhere to all policies and procedures.

Training and re-certification is required for all approved employee merchants and is offered throughout the year. Please review the Training page for additional information regarding training/certification requirements for departmental users.

Any office engaged in any form of payment card processing (e.g., POS/swipe or e-commerce) must have the approval of the Treasurer’s Office prior to engaging in commerce activity. No College department may enter into any contracts or otherwise arrange for payment transaction processing or obtain any related equipment, software or services without the involvement and approval of the Treasurer’s Office.

All payment activity must be established within the College’s guidelines, http://treasurer.cofc.edu/policies/cash-receipts.php, with receipts deposited into the appropriate College indices/accounts.

The College of Charleston official online payment system is provided by TouchNet. All departments wishing to accept online payment card transactions must use the TouchNet Marketplace portal unless there is a determination that there is an expected long term in-person need for a point of sale device.

The purpose of this policy is to outline the payment card acceptance methods suitable for College business and the usage restrictions for payment card transactions. The Treasurer’s Office is responsible for campus compliance with payment card processing and security regulations, in cooperation with Information Security, and is granted authority to take appropriate action to ensure conformity with College policies and procedures. Appropriate action up to and including immediate termination of payment card processing activities will be imposed for any College of Charleston department that violates provisions as detailed on the CofC Payment Card Industries website (pci.cofc.edu) related to payment card processing, security and incident reporting.

Definitions

All terms mentioned in this policy are defined in the Credit/Debit Card Policy as posted at http://policy.cofc.edu/documents/2.2.3.2.pdf#pdf. All campus users of payment card information and processors of credit/debit card payments are required to know and fully understand all terms associated with these policies and procedures.

Payment Card Usage

The College of Charleston accepts American Express, Discover, MasterCard and Visa payment cards for College business. (Debit card transactions that require a PIN number are acceptable payment options for walk-in payments where available.) The College accepts payment ONLY via walk-in traffic or an online portal approved by The Treasurer’s Office. Acceptance via email, fax, telephone or other end-user messaging technologies is prohibited. Walk-in payments are to be processed on equipment and/or software supplied by the Treasurer’s Office. The use of TouchNet’s Marketplace is for customer-facing e-commerce sites only.

Any department facing a unique set of circumstances that do not conform to the standard business practices of the College should contact the Treasurer prior to contracting with any entity other than the College approved vendors.

Acceptable Technology

The Treasurer’s Office provides most technology and/or devices for credit/debit card payments. Departments are responsible for any merchant fees associated with credit card payments. Payment processing devices must be configured and implemented as instructed by The Treasurer’s Office, including limiting access on the device to only applications needed for payment processing. Payment card processing must be completed only on devices approved or provided by The Treasurer’s Office.

All departments MUST supply The Treasurer’s Office with a device inventory of all equipment to be used in the processing environment prior to authorization and implementation of the system. The inventory shall include: the physical location of the device, a description of the device, the model number, operating system or firmware information, and a DNS/IP address, if applicable. Departments must notify The Treasurer’s Office within seven days of any changes in processing equipment.

Departments are responsible for the physical security of all devices used in payment card processing within the department. Processing devices must be secured from tampering and/or attended at all times. This requirement also includes access to network jacks that are dedicated to any of the secure commerce networks. Departmental users may not plug a non-commerce device into a network jack on the secure commerce networks or in any other way modify those networks without first gaining approval from The Treasurer’s Office and involving the IT department.

The use of wireless technology for payment card processing is prohibited. The Treasurer’s Office can provide analog credit card processing machines as needed. Access to a phone line is required.

User Access to Processing Environments

Departments authorized to accept payment card transactions will have one or more payment card merchant accounts established by the Treasurer’s Office. All payment card transactions for the department will flow through this account. As a condition of merchant account assignment, all requirements detailed in these policies and procedures MUST be met.

Access to the cardholder data environment will be restricted by job duties of each individual. Every user must be assigned a unique user ID and password to access the cardholder data environment, where applicable. Departments are responsible for ensuring staff are validated to handle payment information prior to assignment of job duties involving cardholder data. System IDs and shared IDs are not permitted for staff use. Passwords for users MUST be changed every 90 days. User accounts must also be locked after a maximum of three failed login attempts and remain locked out for either 30 minutes or until an administrator verifies the user’s identity and re-activates the account. Accounts inactive for at least 90 days must be removed or locked. Credentials for automated services and service accounts must have a password change every 90 days. Departments are required to submit an Access Control List (ACL) to The Treasurer’s Office semi-annually on August 15 and February 15. The ACL must include all accounts in the payment processing system, including sponsored/service accounts.

Vendors that require access to the department processing environment must be granted access by The Treasurer’s Office and Information Security before modifying any campus equipment. Depending on the access requested, this may require the vendor to install software to make a secure connection through the commerce firewall environment. Vendor accounts for this type of connection are managed by The Treasurer’s Office and are only enabled for one business day upon request. Departmental staff are responsible for monitoring the activity of the vendor while handling campus equipment.

Refund Handling

All payment card processing departments must display a refund notification for customers. The refund notification must state that all refunds will be processed back to the card used during the sale. Departmental refund notification must be displayed at point-of-sale locations or on the departmental website (for e-commerce applications). The Treasurer’s Office will provide guidance on creating this notification.

All departments engaged in any form of payment card processing must comply with the procedures listed below for the department payment acceptance method. Each department will assign refund approval duties to a responsible party.

  • Refunds must be processed on the same Merchant ID account as the original sale.
  • Refunds cannot exceed the original sale amount.
  • Refunds must be processed back to the same card used in the original sale.
  • Departments will account for refunds for processing terminals and third-party systems per the Treasurer’s Office departmental deposit requirements.
  • Refund requests for TouchNet (including MarketPlace) transactions will be submitted to the designated refund agent in the processing department, or a request for a refund can be sent to the Treasurer’s Office.

Fees

Each department is responsible for the costs incurred by the College to process its transactions, plus setup fees, if applicable, for any new merchant account. Processing fees will be expensed to the appropriate index monthly by the Controller’s Office.

In addition, each department is responsible for any hardware, software, setup and/or maintenance costs to maintain the processing environment.

Audit Procedures

All processing departments undergo a payment card processing security audit annually. The date of the audit is determined by the Treasurer’s Office in coordination with department availability. In order to prepare for the audit, department personnel involved in payment card processing need to ensure that:

1. All approved employee merchant personnel are current with annual training offered by the Treasurer’s Office.

2. Departmental employee merchants must:

  • Complete a Departmental Self-Assessment Questionnaire
  • Prepare a Device Inventory
  • Prepare an Access Control List
  • Review/Revise Departmental Processing Procedures
  • Examine the credit card processing units regularly for tampering

Incident Reporting

All departments engaging in payment card processing are responsible for immediately reporting a suspected incident of any machine or system used in card processing. For additional information, please refer to the Payment Card Incident Policy.

Cease use of any suspect machine. Do not turn off the machine. Immediately report an incident to the Treasurer. The Treasurer’s Office will begin an investigation into the incident. Do not resume processing until approved by the Treasurer’s Office. Purposefully filing a false report will make the employee subject to disciplinary action.

Listserv Information

All College of Charleston employees approved to handle credit card data will be part of the PCI-DSS listserv. The purpose of the listserv is to update employee merchants and other authorized persons on training requirements, policy updates and changes to the PCI-DSS as they occur. Changes to the listserv will occur only as employees are approved to act as a merchant or as employees cease to serve in this role.

PCI DSS Requirements

The Payment Card Industry Data Security Standard (PCI DSS) outlines the requirements for all merchants, banks and payment processors that handle payment card data. The following outlines the basic requirements of PCI DSS. Please note that many of the requirements below are met by the Information Technology Dept. and are NOT the responsibility of individual departments accepting credit card payments.

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

The PCI standard requires all merchants to complete a Self-Assessment Questionnaire (SAQ) every year. All departments accepting payment card information will complete an annual SAQ as part of the audit process. The appropriate SAQ will be assigned to the department on a yearly basis. The departmental SAQ will be online and departments will be notified via email the annual due date of completion.

Processing Best Practices

1. Never accept payment card transactions through mail, email or by fax. If your department has no other means, immediately contact the Treasurer’s Office.

2. If accepting a payment card transaction over the phone, and you have been approved to accept telephone payments to be processed through a dedicated computer, process directly into the approved system while the customer is on the phone. Never write down cardholder information to process later.

3. If accepting a payment card transaction over the phone, never repeat back to the customer the payment card number, or other cardholder information.

4. Never retain paper or electronic data that contains the customer's payment card number. Storage of cardholder data is NOT permitted at the College of Charleston.

5. All employees processing credit card payments, reconciling department credit card revenue, and those who supervise these operations MUST maintain a copy of all College credit card policies and departmental credit card policies at their workstations. Annual training is required to retain job duties involved with handling credit card payments.

6. Separation of Duties should be clearly mandated. No single individual should be processing payments, creating refunds, reconciling credit card revenue and/or preparing deposits.

7. All credit card processing units must encrypt at the point of sale/swipe and during any transmission. No credit card information, especially unprotected PANs, should be sent through end-user messaging technology.

8. Access to any system that processes credit cards is restricted to the lowest level that needs such access according to the employee's role(s). Access to processing areas should also be restricted for personnel and visitors that have no function in these secured areas. Access to these areas can be granted only by the department supervisor, in writing, and in conjunction with the Treasurer if there are any concerns.

9. If the software and/or department has a hierarchy in role assignment, access should be granted only on the basis of that hierarchy and job description.

10. No outside personnel should be granted access to processing areas without written consent from the department supervisor, and if necessary, in conjunction with IT and the Treasurer.

Processing Equipment

In addition to accepting online payment via TouchNet, departments may have Point of Sale (POS) systems that utilize vendor equipment for payment card processing. Departments are prohibited from purchasing processing equipment. No processing equipment that could cause risk to the College of Charleston will be approved for use. Departments are required to contact the Treasurer’s Office who will purchase approved equipment.

Departments accepting walk-up (in office) payments or telephone payments MUST use a counter-top swipe terminal device supplied by the Treasurer’s Office. Please contact Treasurer’s Office for additional information.

Kiosks, where the keyboard is used to enter credit card information, are not PCI compliant. Keyboards do not encrypt the data upon being entered. Only certified card processing equipment, attached to the PC, can potentially be viable, provided that the station meets all other PCI-DSS standards.

Any department wanting to offer customers a way to make online credit card payments may contact Treasurer’s Office for additional information regarding a TouchNet eCommerce account.

TouchNet Information

TouchNet is the College of Charleston's official on-line payment application for processing payment card transactions. All departments accepting online payments are required to use TouchNet, unless a waiver is granted by Treasurer’s Office.

The Treasurer, or named delegate(s), must approve all requests to begin accepting credit cards at the College of Charleston. This requirement applies regardless of the transaction method used (e.g. e-commerce, POS device, or e-commerce outsourced to a third party). Departments are charged the eCommerce transaction fees imposed by the bank monthly.

To add a user to TouchNet to view reports or view transactions, the TouchNet Security Request (PDF) form MUST be completed and filed with the Treasurer’s Office. The form MUST also be completed and filed with Treasurer’s Office for any change of TouchNet security or to remove a user's access.

Training Information

Training and re-certification is required for all approved employee merchants handling payment card information on behalf of the College of Charleston and is offered throughout the year. For additional information regarding the Treasurer’s Office training program for departmental users, please contact Treasurer’s Office.

Due to the secure nature of payment card data, training updates and course offerings will be distributed through the PCI-DSS listserv.

Course Offerings:
Data Security Basics: this is the annual course required for all College of Charleston approved employee merchants involved in the handling of payment card data. The course material each year exposes staff to the world of payment card security and acceptance. A knowledge assessment exam is required to complete the course each year and is based on the course material for that year. Staff are notified via email when it is their designated time to complete annual training. If an employee required to complete this course fails to do so, penalties can include the loss of access to handle payment card data.

Credit Card Policies Training: this course is mandatory yearly for all employees involved with credit card processing.

Payment Card Processing

Any office engaged in any form of payment card processing (e.g., POS/swipe or e-commerce) must have the approval of the Treasurer’s Office prior to engaging in commerce activity. No department may enter into any contracts or otherwise arrange for payment transaction processing or obtain any related equipment, software or services without the involvement and approval of the Treasurer’s Office.

All payment activity must be established within the centralized banking and accounting environment with receipts deposited into designated College bank accounts.

The College of Charleston’s official online payment system is TouchNet. All departments wishing to accept online payment card transactions must use TouchNet unless a waiver by the Treasurer’s Office is granted to that department. (See Payment Card Usage section below for additional information.)

The purpose of this policy is to outline the payment card acceptance methods suitable for college business and the usage restrictions for payment card transactions. The Treasurer’s Office is responsible for campus compliance with payment card processing and security regulations and is granted authority to take appropriate action to ensure conformity with College policies and procedures. Appropriate action up to and including immediate termination of payment card processing activities will be imposed for any department that violates provisions outlined in the College’s Policies and Procedures related to payment card processing, security and incident reporting.

Definitions

All terms mentioned in this policy are defined in the Policy glossary. All campus users of payment card information are required to know and fully understand all terms associated with these Policies and Procedures.

Payment Card Usage

College of Charleston accepts American Express, Discover, MasterCard and Visa payment cards for college business. (Debit card transactions that require a PIN number are acceptable payment options for walk-in payments.) The College accepts payment ONLY via walk-in traffic or an online portal approved by the Treasurer’s Office. Acceptance via email, fax or other end-user messaging technologies is prohibited. Walk-in payments are to be processed on counter-top terminal devices supplied by the Treasurer’s Office. The use of TouchNet is for customer-facing e-commerce sites only.

If a department has a specific business operational need that the approved, official college processing methods cannot meet, the department should contact the Treasurer to discuss options. A written justification to the Treasurer’s Office should explain their need and why TouchNet or other approved methods cannot adequately support the operation. These requests must be submitted annually to the Treasurer’s Office and are evaluated on a case-by-case basis. As part of the waiver application process, the Treasurer’s Office will conduct a full evaluation of proposed equipment, network structure and remote access privilege use.

In addition, departments applying for a system usage waiver must achieve and maintain full compliance with these Policies and Procedures, as well as the legal and industry regulations. A full list of requirements is available in the system usage waiver supplement document provided by the Treasurer’s Office.

Acceptable Technology

The Treasurer’s Office provides all technology/devices for telephone and walk-in payments in the form of counter-top payment terminals. Payment processing devices must be configured and implemented as instructed by the Treasurer’s Office, including limiting access on the device to only applications needed for payment processing.

Technology usage for system waiver environments is evaluated on a case-by-case basis. Payment card processing must be completed only on devices approved or provided by the Treasurer’s Office.

All departments MUST regularly supply the Treasurer’s Office with a device inventory of all equipment used in its processing environment. The inventory shall include: the physical location of the device, a description of the device, the model number, operating system or firmware information, and a DNS/IP address, if applicable.

Departments are responsible for the physical security of all devices used in payment card processing within the department. Requirements for physical security of devices can be found on this CofC PCI website. Processing devices must be secured from tampering and/or attended at all times. This requirement also includes access to network jacks that are dedicated to any of the secure commerce networks. Departmental users may not plug a non-commerce device into a network jack on the secure commerce networks or in any other way modify those networks without first gaining approval from the Treasurer’s Office and involving the IT Network Engineering Team.

The use of wireless technology for payment card processing is prohibited. If a department requires a mobile processing terminal, the Treasurer’s Office should be contacted to discuss the available options. Applicable fees will be assessed to the department. Any wireless capable equipment used in the processing environment MUST have the wireless radio disabled while processing transactions.

User Access to Processing Environments

Departments authorized to accept payment card transactions will have one or more payment card merchant accounts established by the Treasurer’s Office. All payment card transactions for the department will flow through this account. As a condition of merchant account assignment, all requirements detailed in these Policies and Procedures MUST be met.

Access to the cardholder data environment will be restricted by job duties of each individual. Every user must be assigned a unique user ID and password to access the cardholder data environment, where applicable. Departments are responsible for ensuring staff are validated to handle payment information prior to assignment of job duties involving cardholder data. System IDs and shared IDs are not permitted for staff use. Passwords for users MUST be changed every 90 days. User accounts must also be locked after a maximum of three failed login attempts and remain locked out for either 30 minutes or until an administrator verifies the user’s identity and re-activates the account. Accounts inactive for at least 90 days must be removed or locked. Credentials for automated services and service accounts must have a password change every 90 days. Departments are required to submit an Access Control List (ACL) to the Treasurer’s Office and IT Information Security semi-annually on May 15 and November 15. The ACL must include all accounts in the payment processing system, including sponsored/service accounts.
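The account rules in the two "User Access to Processing Environments" paragraphs (unique IDs, 90-day password change, lockout after three failed logins for 30 minutes or until an administrator re-activates the account, removal or lock after 90 days of inactivity) can be checked mechanically when a department prepares its semi-annual ACL. The script below is an added example, not College or TouchNet code; the account record layout, field names and sample accounts are assumptions constructed for the example.

```python
"""Added example (not College or TouchNet code): applies the account rules from
the "User Access to Processing Environments" section to an ACL export.
The record layout, field names and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

PASSWORD_MAX_AGE = timedelta(days=90)     # passwords MUST be changed every 90 days
INACTIVITY_LIMIT = timedelta(days=90)     # inactive 90+ days: remove or lock
MAX_FAILED_LOGINS = 3                     # lock after a maximum of three failures
LOCKOUT_DURATION = timedelta(minutes=30)  # or until an administrator re-activates


@dataclass
class Account:
    user_id: str
    kind: str                        # "user" or "service" (assumed field)
    password_changed: datetime
    last_login: Optional[datetime]   # None means the account was never used
    failed_logins: int = 0
    locked_at: Optional[datetime] = None


def review_acl(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Return user_id -> list of findings for every account that breaks a rule."""
    findings: Dict[str, List[str]] = {}
    seen = set()
    for a in accounts:
        problems = []
        if a.user_id in seen:
            problems.append("ID appears more than once (shared ID?)")
        seen.add(a.user_id)
        # The 90-day rules apply to user and service accounts alike.
        if now - a.password_changed > PASSWORD_MAX_AGE:
            problems.append("password older than 90 days")
        if a.last_login is None or now - a.last_login >= INACTIVITY_LIMIT:
            problems.append("inactive 90+ days: remove or lock")
        if a.failed_logins >= MAX_FAILED_LOGINS and a.locked_at is None:
            problems.append("reached failed-login limit but not locked")
        if problems:
            findings[a.user_id] = problems
    return findings


def record_failed_login(account: Account, now: datetime) -> bool:
    """Count a failed attempt and lock on the third; returns True if now locked."""
    account.failed_logins += 1
    if account.failed_logins >= MAX_FAILED_LOGINS and account.locked_at is None:
        account.locked_at = now
    return account.locked_at is not None


def is_locked(account: Account, now: datetime) -> bool:
    """A lock expires after 30 minutes; expiry also clears the failure counter."""
    if account.locked_at is None:
        return False
    if now - account.locked_at >= LOCKOUT_DURATION:
        account.locked_at = None
        account.failed_logins = 0
        return False
    return True


def admin_reactivate(account: Account) -> None:
    """An administrator verified the user's identity and re-activated the account."""
    account.locked_at = None
    account.failed_logins = 0


def sample_findings() -> Dict[str, List[str]]:
    """Run the review over a constructed sample ACL (not real College accounts)."""
    now = datetime(2024, 3, 1, 9, 0)
    sample = [
        Account("jsmith", "user", now - timedelta(days=10), now - timedelta(days=1)),
        Account("rjones", "user", now - timedelta(days=100), now - timedelta(days=2)),
        Account("tlee", "user", now - timedelta(days=5), now - timedelta(days=95)),
        Account("svc_pos", "service", now - timedelta(days=120), now - timedelta(days=1)),
    ]
    return review_acl(sample, now)


def lockout_demo() -> Tuple[bool, bool, bool, bool, bool, int, bool]:
    """Walk one constructed account through the lockout rule and return each state."""
    now = datetime(2024, 3, 1, 9, 0)
    acct = Account("clerk", "user", now, now)
    first = record_failed_login(acct, now)                 # not yet locked
    second = record_failed_login(acct, now)                # not yet locked
    third = record_failed_login(acct, now)                 # third failure locks
    during = is_locked(acct, now + timedelta(minutes=10))  # still within 30 minutes
    after = is_locked(acct, now + timedelta(minutes=30))   # lock has expired
    reset = acct.failed_logins                             # counter cleared on expiry
    for _ in range(MAX_FAILED_LOGINS):
        record_failed_login(acct, now)                     # lock again
    admin_reactivate(acct)                                 # administrator path
    admin = is_locked(acct, now + timedelta(minutes=1))
    return first, second, third, during, after, reset, admin


if __name__ == "__main__":
    for uid, problems in sample_findings().items():
        print(uid, "->", "; ".join(problems))
    print(lockout_demo())
```

The review flags findings rather than changing accounts, so the department can attach the output to the ACL it submits; the lockout helpers show the two ways a lock ends (the 30-minute expiry and an administrator re-activation), both of which reset the failure counter so a stale count cannot re-lock the user immediately.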

Vendors that require access to the department processing environment must be granted access by the Treasurer’s Office before modifying any campus equipment. Depending on the access requested, this may require the vendor to install software to make a secure connection through the commerce firewall environment. Vendor accounts for this type of connection are managed by the Treasurer’s Office and IT Information Security and are only enabled for one business day upon request. Departmental staff are responsible for monitoring the activity of the vendor while handling campus equipment.

Refund Handling

All payment card processing departments must display a refund notification for customers. The refund notification must state that all refunds will be processed back to the card used during the sale. Departmental refund notification must be displayed at point-of-sale locations or on the departmental website (for e-commerce applications). The Treasurer’s Office will provide guidance on creating this notification.

All departments engaged in any form of payment card processing must comply with the procedures listed below for the department payment acceptance method. Each department will assign refund approval duties to a responsible party.

  • Refunds must be processed on the same Merchant ID account as the original sale.
  • Refunds cannot exceed the original sale amount.
  • Refunds must be processed back to the same card used in the original sale.
  • Departments will account for refunds through processing terminals and third-party systems per the Treasurer’s Office departmental deposit requirements.
  • Refund requests for TouchNet transactions will be submitted to and processed by the Treasurer’s Office.

Fees

Each department is responsible for the actual costs incurred by the College to process its transactions. Processing fees will be charged monthly.

In addition, each department is responsible for any hardware, software, setup and/or maintenance costs to maintain the processing environment, including the cost of required security scans, if applicable. Departments may also be required to pay for training and background checks as required.

Payment Card Security

The Treasurer’s Office is responsible for campus compliance with payment card processing and security regulations and is granted the authority to impose appropriate sanctions to ensure conformity with College policies and procedures. Appropriate action up to and including suspension or termination of payment card processing privileges will be imposed for any department that violates provisions outlined in these PCI Policies and Procedures related to payment card processing, security and incident reporting.

The purpose of this policy is to establish procedures for securing payment card transaction data, so that the College of Charleston can seek to ensure that sensitive account and personally identifiable information customers provide is protected against theft and/or improper usage. Additionally, the policy seeks to ensure that the College complies with credit and banking industry security regulations related to credit card processing and reporting, including Payment Card Industry Data Security Standard (PCI DSS). This policy applies to all College of Charleston departments, employees (including temporary), contractors and consultants.

Definitions

All terms mentioned in this policy are defined at the end of this page. All campus users of payment card information are required to know and fully understand all terms associated with the Policies and Procedures.

Reporting and Monitoring Responsibilities

Treasurer’s Office and Information Technology staff will perform regular internal assessment of systems, security, policies and controls in place related to College payment card processing. Additionally, departments will complete a compliance questionnaire to be used by the Treasurer’s Office and IT for preparation of the PCI DSS Self-Assessment Questionnaire. The Treasurer will report annually to the VP for Fiscal Services on the status of campus compliance with College of Charleston Policies and Procedures related to PCI DSS requirements.

Sanctions

Departments that do not comply with requirements of these Policies and Procedures or other supplemental documents related to the policies must take necessary action to become compliant or be subject to sanctions up to and including suspension or termination of payment card processing privileges. The Treasurer’s Office will notify departments when remedial action is necessary to achieve compliance with campus and industry requirements. If compliance is not achieved in a time deemed reasonable by Treasurer, payment processing privileges will be suspended and the department will no longer be an authorized payment card merchant. Within the institution, departments engaged in payment card processing may be charged for any financial loss incurred by the College resulting from inadequate controls or lack of adherence to PCI DSS and other industry security requirements. Any appeals of actions taken by the Treasurer’s Office regarding suspensions or cost recovery will be considered by the VP for Fiscal Services and the EVP for Business Affairs.

Department Responsibilities

All departments engaged in any form of payment card processing must comply with the general procedures listed below. Procedures for suspected or actual compromise of a card processing environment are detailed in these Policies and Procedures. Additional procedures are required for departments that have been granted a system usage waiver to use an alternate processing system.

General Procedures

  • Each department engaged in payment card processing shall maintain formal, written operational procedures that demonstrate how compliance with these Policies and Procedures and PCI DSS is achieved and maintained. Operational procedures must include transaction processing methods, refund policies and reconciling procedures. The Treasurer’s Office will review the document, and upon approval a copy will remain on file. Departments MUST evaluate procedures annually and update with Treasurer’s Office as necessary.
  • An annual risk assessment will be performed by the Treasurer’s Office and Information Technology as part of the payment card processing audits. Departments must cooperate with requirements of the risk assessment process. 
  • Physical and electronic storage of sensitive personally identifiable information (PII) associated with payment card transactions is prohibited. The definition of PII may change as legal and industry regulations change. Examples of PII for which departmental retention is prohibited are: Primary Account Number (PAN), security code (CVV) or contents of magnetic track data from a payment card. Storage of the last 4 digits of the account number (PAN) is also prohibited.
  • Each department engaged in payment card processing shall ensure that all employees who have access to customer personally identifiable information (PII) associated with payment card transactions complete the annual data security training course and sign an acknowledgement, provided by the Treasurer’s Office and Information Security, stating that they understand their responsibility to protect customer PII. Additional training may be required, depending on the processing method used by the department. Only persons who have completed all required training will be permitted to handle payment card data on behalf of the College of Charleston.
  • Each department engaged in payment card processing must be in compliance with College policies regarding employee background checks.
  • Each department engaged in payment card processing must establish segregation of duties among payment card processing, the processing of refunds, reconciliation of revenue, and preparation of deposits to the extent possible. Each such department shall immediately notify the Treasurer’s Office in writing, of any staff changes related to payment card processing.
  • Acceptable methods of payment card acceptance include: walk-in (face-to-face) or customer-initiated online payment (via TouchNet or an approved alternate payment system). Phone payments must be processed while the customer is on the line and only in offices granted permission to accept such payments. Making note of a customer’s payment card number to process at a later time is prohibited. All walk-in payments must be processed using a counter-top payment terminal, provided by the Treasurer’s Office. Accepting payment card data via mail, email, fax or any end-user messaging technology is prohibited. Tuition/fee payments are accepted only as customer-initiated through MyCharleston or in person in the Treasurer’s Office.
  • Customer PII associated with payment card transactions, especially account numbers, shall not be transmitted via any insecure method, especially email, fax, cell phone, vocally in a public location or any end-user messaging technology. 
  • Departments are prohibited from maintaining commerce servers within the department. All server-level machines required for processing systems must be maintained by Information Technology.
  • Visitors are not permitted to enter the IT Commerce Server Data Environment unless properly identified by a badge or token that is surrendered when the visitor leaves. Visitors MUST be accompanied by College staff at all times and must have a legitimate reason for being in the IT Commerce Server Data Environment. All visitors must sign in when entering and leaving the IT Commerce Server Data Environment.
  • All devices within a department’s cardholder data environment should be secured to the extent possible. Processing terminal devices should never be left unattended in an area where customers or visitors may have access to the device. When terminals are not in use, they must be secured in a locked office and/or drawer/cabinet. Registers must be locked or logged-off while not in use. The Treasurer’s Office will provide additional guidance to departments based on their specific needs.
  • All equipment used in payment card processing must be registered within the commerce environment domain. Security configuration settings and updates will be managed through the domain. The Treasurer’s Office is required to notify Information Technology of any change in payment card processing equipment to ensure proper domain registration of new devices. 
  • Each department engaged in payment card processing must complete all security enhancements to processing systems as required by the Treasurer’s Office and IT. All vendor supplied security patches to systems must be applied within three weeks of issue date.
  • Each department engaged in payment card processing must use disk wiping technology approved by IT Information Security to render unreadable any hard disk or other media which has ever stored or processed customer PII before retiring it from service.
  • Each department engaged in payment card processing must cooperate with all reporting and audit requirements by the Treasurer’s Office, including full compliance with the PCI DSS and all other industry security requirements, or be subject to the sanctions detailed above. Departments will be audited by Treasurer’s Office and IT at least annually to ensure compliance with all policies and PCI DSS related requirements.
  • Any changes to the departmental processing environment, including any software/hardware additions MUST be approved by the Treasurer’s Office prior to purchase. If this provision is violated, the department will be subject to the sanctions detailed above.
  • All Web application code must be approved by the Treasurer’s Office and IT prior to using in conjunction with TouchNet or any other Web-processing system. Departments are prohibited from displaying or verbally sharing detailed transaction error messages with end-users of the application.
  • All departments MUST use the centralized TouchNet system for all customer-facing online card acceptance activity. Exceptions due to unique business needs may be requested through the Treasurer’s Office. The use of PayPal will not be approved and is strictly prohibited. If a system usage waiver to utilize another processing method is approved, the department requesting the waiver must demonstrate full compliance with the PCI DSS and all other industry security requirements and submit written documentation of adherence to the PCI DSS to the Treasurer’s Office. System usage waivers will be evaluated annually.
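The storage prohibition above (no retained PAN, CVV or track data) is something a department can verify for itself before an annual audit. The following scanner is an added example and is not part of the College’s policy or of any Treasurer’s Office tooling; it finds digit runs that look like a primary account number and keeps only those that pass the Luhn checksum, which real PANs satisfy, so that retained spreadsheets, exports or logs can be checked for prohibited cardholder data. The sample text is constructed and uses well-known card-brand test numbers; the function names are assumptions.

```python
"""Added example (not part of the College of Charleston policy): scan text
for candidate primary account numbers (PANs) so a department can confirm
it retains no prohibited cardholder data. Candidate digit runs are
validated with the Luhn checksum to reduce false positives, and any
finding is reported masked so the report itself does not store a PAN."""
import re

# A candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digits-only candidate PANs in `text` that pass the Luhn check."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask all but the last four digits for a findings report."""
    return "*" * (len(pan) - 4) + pan[-4:]


# Constructed sample of a departmental export; the card numbers are the
# public Visa and Mastercard test numbers, and the 13-digit "ref" value is
# an ordinary reference number that fails the Luhn check.
SAMPLE = """\
order 1001 cust=J.Doe card=4111 1111 1111 1111 amt=25.00
order 1002 cust=A.Roe ref=1234567890123 amt=10.00
order 1003 cust=B.Poe card=5500-0000-0000-0004 amt=40.00
"""

if __name__ == "__main__":
    hits = find_pans(SAMPLE)
    for pan in hits:
        print("prohibited cardholder data found:", mask_pan(pan))
    print(f"{len(hits)} candidate PAN(s) found")
```

Run it against any file a department retains; a non-empty result means cardholder data is being stored and the record must be remediated. The Luhn filter removes most order and reference numbers, but a clean result is not proof of compliance, since PANs stored encoded or in binary formats will not be matched by a plain-text scan.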

Additional Procedures for Departments Granted Usage Waiver

Departments that have been granted a system usage waiver MUST abide by all regulations set forth in these Policies and Procedures and additional requirements not detailed above. A supplemental document containing all requirements for system usage waiver departments can be obtained from the Treasurer’s Office. All requirements MUST be met or the system usage waiver will be denied and the department will not be permitted to process payment card transactions via any POS/swipe or e-commerce channel.

Treasurer’s Office approval is required for any third-party processing agreement/contract. All contracts and contract renewals for payment card processing MUST be approved by the Treasurer’s Office prior to execution. All contracts MUST contain PCI DSS contract language determined by the Treasurer’s Office and General Counsel.

Payment Card Incident Response

Treasurer’s Office and IT Information Security will coordinate all responses to suspected or confirmed payment card security incidents. Payment card security incidents are defined as malicious attempts to access a payment system, successful attacks to compromise personally identifiable information (PII), or any unauthorized access to a payment system, including internal access outside of an employee’s job duties (even if accidental). Upon notification of a payment card security incident, the Treasurer’s Office and IT will begin an immediate investigation into the reason for and scope of the incident. All processing for that payment acceptance channel will be suspended until after the investigation is completed, and it is deemed safe to resume processing transactions.

The purpose of this policy is to establish procedures to evaluate, contain and report any attempt to compromise any approved College processing method. All incidents will be reported immediately and in writing to the Treasurer. False reporting of an incident is considered unlawful and appropriate disciplinary action will be taken.

Definitions

All terms mentioned in this policy are defined in Policies and Procedures Glossary (below). All campus users of payment card information are required to know and fully understand all terms associated with the Policies and Procedures related to payment card processing, security and incident reporting.

Department Responsibility

In the event of a payment card data security breach, the affected department is required to immediately notify the Treasurer, regardless of time of day. Training for designated incident response personnel within each payment card processing department will be conducted annually by The Treasurer’s Office.

The affected department MUST discontinue processing transactions and disconnect all affected systems from the College network; DO NOT SHUT DOWN ANY EQUIPMENT. All staff MUST remain logged off of the affected systems. The department MUST NOT resume normal business operations until notified by the Treasurer. This requirement is enforced for ALL College of Charleston departments, regardless of the payment system used.

If the breach is contained to one department, the Treasurer’s Office and IT will assist that department with any required Payment Card Industry Data Security Standard (PCI DSS) post-incident reporting. If the department is found to be responsible for any compromise, the department can be penalized up to the immediate revoking of their processing privileges. Any financial loss incurred by the College resulting from inadequate controls or lack of adherence to PCI DSS, other industry security requirements and these Policies and Procedures may be charged to the department at the time of the breach.

Departments with an active system usage waiver MUST have their own disaster recovery, business continuity, and risk assessment policies and procedures in place. Those policies must be approved by the Treasurer’s Office and IT prior to implementation. The Treasurer’s Office may assist departments in drafting and revising procedures as industry or processing environment changes occur. Departmental staff should immediately notify the Treasurer of a suspected compromise, and the Treasurer, Network Engineering, and IT Information Security will coordinate any and all investigations into an incident that results in a data breach to that system. If an incident occurs, all audit logging for the external processing system is to remain functional during and after an incident.

Treasurer’s Office Responsibility

The PCI DSS requires that the College of Charleston (as the merchant) MUST complete the following if a payment card data security breach is detected:

  • Immediately contain the exposure of the breach.
  • Immediately notify the necessary institutional parties.
  • Prepare the Incident Response Report and file with the merchant bank within three business days.
  • Prepare a list of compromised accounts and file with the merchant bank within ten business days.

The Treasurer will assess the situation and will immediately begin notifying necessary parties of the incident as appropriate. PCI DSS requires that the affected system be made unavailable until a forensic investigation is completed. The Office of Business Affairs in conjunction with the Treasurer and IT Information Security will make the determination whether the circumstances surrounding the incident require notification of law enforcement. All notification to law enforcement will be in accordance with Policy Notification Procedures in Case of Breach of Privacy <<COMING SOON>>.

Notification to the acquiring banks and internally will be addressed as follows:

  • The Treasurer will notify the VP for Fiscal Services and the College’s payment processor.
  • The Treasurer will notify the College’s acquiring bank.
  • The VP for Fiscal Services will notify the EVP for Business Affairs, as well as any other internal or external contacts as necessary.

Annual testing of the College’s incident response plan is required to ensure all parties understand responsibilities for their area. The Treasurer’s Office and IT Information Security will guide departments through the testing procedures. Departments with an active system usage waiver will also have their system tested as part of the Treasurer’s Office annual incident response plan testing.

Payment Card Policies Glossary

This glossary defines certain terms utilized in these Policies and Procedures related to payment card processing, security and incident reporting. These definitions will periodically change as industry standards are modified.

Breach Notification Laws: Governing laws that require a merchant to notify customers of a data breach that results in loss or theft of that customer’s personally identifiable information (PII). 

Business Continuity Plan (BCP): A documented plan for maintaining business operations in the event of a disaster or breach. A supplemental document will be provided by the Treasurer’s Office, IT Information Security and IT Network Engineering to detail the required elements of a Business Continuity Plan. 

Cardholder Data Environment: The location where cardholder data is stored, processed or transmitted.

Commerce Server Data Environment: The location of a physical or virtual server machine used in the processing, transmitting or storing of cardholder data.

Data Compromise: The exposure of sensitive or personally identifiable information (PII) resulting from either intentional security breach (an “attack”) or human error.

Data Security Breach: The act of circumventing security controls on a system, thus allowing unauthorized access to data via an attack on the system. Data may or may not be compromised during a security breach. 

Disaster Recovery Plan: A documented plan for information technology continuity in light of a disaster, emergency or breach that details incident response testing procedures and data back-up procedures. A supplemental document will be provided by the Treasurer’s Office and Information Technology to detail the required elements of a disaster recovery plan.

Payment Application Data Security Standard (PA DSS): A set of requirements derived from and closely related to the PCI DSS, but intended to illustrate for payment software vendors what is required for their payment software applications to facilitate and not prevent their customers’ PCI DSS compliance.

Payment Card: Any credit, debit or pre-paid credit/debit card. All payment card activity for College of Charleston is monitored by the Treasurer’s Office.

Payment Channel: The hardware/software used to conduct a payment transaction.

Personally Identifiable Information (PII): Information that can be used to uniquely identify, contact or locate an individual, or information that can be used in conjunction with other sources to uniquely identify an individual. In the case of payment card data, PII can be all printed and non-printed information contained on a payment card that identifies the customer. The Treasurer’s Office and General Counsel will identify and periodically update PII applicable to these Policies and Procedures as revisions to industry regulations and other security factors require.

In the context of payment card operations, it is strictly prohibited for a College of Charleston entity to retain the following elements of PII: credit/debit card number, Card Validation Code (CVC), customer’s PIN or contents of the magnetic stripe of a payment card.

Payment Card Industry Data Security Standard (PCI DSS): The Payment Card Industry Data Security Standard is the result of collaboration between the major credit card brands to develop a single approach to safeguarding sensitive data. The PCI DSS defines a series of requirements for handling, transmitting and storing sensitive data. Entities engaged in any form of payment card processing must comply with these standards as a condition of their payment card processing contracts.

Processing Method: The means by which authorized departments accept payment cards. Payment card transactions can only be accepted via walk-in (face-to-face) payment, telephone or customer-initiated online payment. Tuition/fee payments are accepted only as customer-initiated through MyCharleston or in person. No department may accept a payment card transaction or payment card information via mail, email, fax, any end-user messaging technology or on a website that collects payment card information unless the site is authorized by the Treasurer’s Office via a system usage waiver.

Risk Assessment: A documented process used to identify and qualitatively and/or quantitatively evaluate risks and their potential effects, including brand damage and monetary effects. A supplemental document will be provided by the Treasurer’s Office and Information Technology to detail the required elements of a Risk Assessment.