Policy No: 2041 Responsible Office: Tax Accounting Office Last Review Date: 06/08/2020 Next Required Review: 06/08/2023
USA Payment Card Industry (PCI) General Merchant Policy
During the normal course of business, many departments and organizations within the University, including its Hospitals and other affiliates of the University, process credit card transactions subject to the Payment Card Industry Data Security Standard (PCI DSS). Mishandling cardholder data associated with payment card transactions may result in the loss of customer data, leading to possible reputational damage or financial loss for the University. USA adheres to the highest standards related to the security of cardholder data and must follow the guidelines set by the PCI DSS.
Compliance with this policy is mandatory for all USA faculty, staff, students, merchants, departments, organizations, third-party vendors, individuals, systems, and networks involved in accepting, processing, transmitting, storing, disposing, or accessing cardholder data.
For purposes of this Policy and the USA Payment Card Industry (PCI) General Merchant Procedures, the following terms and definitions apply:
USA: University of South Alabama and all affiliated organizations including USA Health University Hospital, USA Health Children’s and Women’s Hospital, USA Mitchell Cancer Institute, USA Health Care Authority, and all USA clinics.
Cardholder: Someone who owns and benefits from the use of a membership card, particularly a credit card.
Cardholder Data: Any personally identifiable information associated with a person who has a credit or debit card. Cardholder data includes the primary account number along with any of the following data types: cardholder name, expiration date or service code. The term cardholder data is interchangeable with payment card data throughout this policy.
Cardholder Data Environment: Is a computer system or networked group of IT systems that processes, stores and/or transmits cardholder data or sensitive payment authentication data. A cardholder data envornment also includes any component that directory connect to or supports this network.
Disposal: Cardholder data must be disposed of in a manner that renders all data un-recoverable. This includes paper documents and any electronic media including computers, hard drives, magnetic tapes, and USB storage devices. The approved disposal methods are: Cross-cut shredding, incineration, or approved shredding or disposal services.
Merchant or Department: A USA department or operating unit that has applied for and been approved to accept credit/debit card payments for goods and/or services. A merchant is assigned a specific merchant account, which is used to process all credit/debit card transactions via a USA-approved payment card processor.
Payment Card: Refers to both credit and debit cards. Payment card processing is defined as using any application or device to process a credit/debit card transaction as payment for goods and/or services from a USA merchant.
Payment Card Industry Data Security Standard: A mandated set of requirements agreed upon by the five major credit card companies: VISA, MasterCard, Discover, American Express and JCB. These security requirements apply to all transactions surrounding the payment card industry and the merchants/organizations that accept these cards as forms of payment.
Self-Assessment Questionnaire: A validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard. This must be completed annually by the PCI Coordinator.
4. Policy Guidelines
The University of South Alabama (USA) is required by the credit card associations to be compliant with the PCI DSS and is committed to providing a secure environment to protect cardholders and USA against both loss and fraud. This policy outlines USA’s commitment to securely process, store, transmit and dispose of cardholder data by complying with the PCI DSS. The PCI General Merchant Operating Procedures will provide further guidance on properly processing, storing, and transmitting payment cards while fulfilling the University’s responsibility to comply with the PCI DSS. Additional Cardholder Data Environment Policies are referenced in section 7.1 below.
Adherence to this policy will help ensure that cardholder data is protected and kept secure from unauthorized access. A copy of this policy must be read and signed annually by all individuals involved in the payment card process. Signed copies of this policy will be maintained by the respective departments and USA’s PCI Coordinator.
All merchants accepting payments cards on behalf of USA must be authorized by the PCI Coordinator or the Investment Manager. See USA PCI General Merchant Procedures for more details.
5.2 Cardholder Data Protection
Access to payment card data and system components will be limited to those employees whose jobs require such access. See USA PCI General Merchant Procedures for more details.
5.3 Hardware, Software, and Technology
Changes to hardware, software, or other payment card systems that process payment card transactions must be approved by the Department of Information Security, the PCI Coordinator, and the Investment Manager before implementation. In addition, each merchant shall maintain a list of all software, technologies, and any equipment/devices. See USA PCI General Merchant Procedures for more details.
5.4 Third Party Vendors and Service Providers
Third parties must be contractually required to adhere to the PCI DSS requirements. Contracts with third-party vendors and service providers must define each party’s roles and responsibilities with respect to the PCI DSS. Any agreements with third parties must be approved by the PCI Coordinator, Investment Manager, Director of Information Security, and a University Contract Officer such as the University Treasurer. See USA PCI General Merchant Procedures for more details.
5.5 Security Incident and Identification
Employees must be aware of their responsibilities in detecting security incidents. All employees have a responsibility to assist in the incident response within their departments. See USA PCI General Merchant Procedures for more details.
5.6 Reporting and Responding to an Incident
Alert the PCI Coordinator immediately of any suspected security incidents involving cardholder data. The PCI Coordinator will contact the necessary parties and, if necessary, law enforcement. See USA PCI General Merchant Procedures for more details.
5.7 Security Awareness
Employees with access to cardholder data or involved in any way with processing, storing, or transmitting cardholder data must acknowledge that they have read and understand the USA Payment Card Industry (PCI) General Merchant Policy on an annual basis. See USA PCI General Merchant Procedures for more details.
Non-compliance with the PCI DSS can mean that a merchant is vulnerable to breach. For this reason, banks and credit card institutions can apply additional monthly fees to non-compliant merchant accounts or even revoke their ability to accept payment cards.
Failure to meet the requirements outlined in this policy and its related procedures may result in suspension of the physical and, if appropriate, electronic payment capability with payment cards for affected departments/units. Additionally, if appropriate, any fines and assessments imposed by the affected payment card company will be the responsibility of the impacted departments/units.
Employees in violation of this policy are subject to sanctions, including loss of computer or network access privileges, disciplinary action, up to and including termination of employment, as well as legal action. Some violations may constitute criminal offenses under local, state or federal laws. The University will carry out its responsibility to report such violations to the appropriate authorities.
7. Related Documents
7.1 Related Regulations and/or Policies
Cardholder Data Environment Policies:
7.2 Other Related Documents and/or Procedures
USA PCI General Merchant Procedures:
Payment Card Industry Data Security Standard:
- PCI Coordinator and Cash/Investment Assistant: Drew Underwood 341-4998;
- Investment Manager: Terry Albano 460-6373;
- Director of Information Security: Mark Wilson 460-7767.