| Field | Content |
|---|---|
| Definition: | This policy is intended to ensure that payment card and eCommerce activities are consistent, efficient and secure to protect the interests of the University and its customers. This policy applies to all types of payment card activity transacted in person, over the phone, via fax, mail or the Internet. This policy provides guidance to ensure that payment card acceptance and eCommerce processes comply with the Payment Card Industry Data Security Standard (PCI DSS) and are appropriately integrated with the University's financial and other systems. |
| Scope: | This policy applies to all persons, organizations and activities which, in the course of doing business on behalf of the University or Auxiliary, accept, process, transmit, or otherwise handle cardholder information in physical or electronic format. |
| Responsible Division: | Academic Affairs |
| Signature Page/PDF: | View eCommerce Policy |
A) In response to increasing incidents of identity theft, the major payment card companies created the Payment Card Industry Data Security Standard (PCI DSS) to help prevent theft of customer data. PCI DSS applies to all businesses that accept payment cards as payment for goods or services. Compliance with this Standard is enforced by the payment card companies and, generally, non-compliance is discovered when an organization experiences a security breach which includes cardmember data.
B) Security breaches can result in serious consequences for the University, including release of confidential information, damage to reputation, the assessment of substantial fines, possible legal liability and the potential loss of the ability to accept payment card and eCommerce payments.
A) Every college or administrative area accepting payment cards and/or electronic payments on behalf of the University for goods or services (Merchant Department) must designate a management employee within that organization who will have primary authority and responsibility for payment card and eCommerce transaction processing within that Merchant Department. This individual is referred to in the remainder of this policy as the Merchant Department Responsible Person (MDRP).
B) All MDRPs are responsible for:
C) Responding to a security incident.
III. PAYMENT CARD ACCOUNT ACQUISITION OR CHANGE PROCEDURES
A) To acquire or change a payment card account, the MDRP or his/her designee must submit a Payment Card Account Application to the appropriate organization's designated Administrative Services Manager (ASM). The application must be signed by the MDRP, the appropriate ASM and appropriate Associate Vice President or Dean. Applications for new eCommerce activities must also be signed by the Chief Information Officer. All eCommerce activities shall be processed by a third party vendor authorized by the University.
B) All requests shall be reviewed and approved by the appropriate ASM and the campus Information Security Officer. When an application to acquire a payment card account is approved, the ASM will assist the MDRP in establishing the new merchant account activity.
C) The MDRP may appeal a decision to deny an application to acquire or change a payment card account to the Vice President, Finance & Administrative Services.
IV. WIRELESS TECHNOLOGY
A) The University prohibits the use of campus wireless technology to process or transmit cardholder data unless explicitly authorized by the ISO. Requests for Payment Card Account Acquisition or Change which include the use of wireless technology will be reviewed on a case-by-case basis, and the ISO shall carefully weigh the need for the technology against the risks of a wireless payment environment.
B) Cellular wireless technology used to process payment cards must be provided by a vendor approved by the campus ISO. These systems must comply with the criteria identified in Section III.B above. Activation of network access equipment for vendors will be permitted only when necessary, and such access must be immediately deactivated after use.
V. POLICY MANAGEMENT
A) California State University San Marcos may modify this policy as required. All modifications shall be consistent with the current Payment Card Industry Data Security Standard.
B) Instructional & Information Technology Services (IITS) shall regularly monitor and test the University Network, coordinate the University's compliance with the PCI Standard's technical requirements and verify the security controls of systems authorized to process payment cards.
C) The Information Security Office shall monitor the changes in the PCI DSS and related requirements to ensure that this policy remains current and shall coordinate and lead any campus response to a security breach involving cardholder data.
D) The Information Security Office shall conduct the University PCI DSS Self-Assessment and complete the University's Attestation of Compliance.
A) The Chief Information Officer may suspend the payment card account privileges of any college or administrative unit not in compliance with this policy. Any college or administrative unit engaged in payment card activities will be responsible for financial loss due to poor or inadequate internal controls or negligence in adhering to the PCI Data Security Standard.
B) Faculty, staff, and student employees who fail to comply with this policy may be subject to appropriate disciplinary and/or personnel action up to and including termination, consistent with University policies, rules, and collective bargaining agreements.
A) Cardholder: The customer to whom a payment card has been issued or the individual authorized to use the card.
B) Cardholder Data: All personally identifiable data about the cardholder (i.e., account number, expiration date, cardholder name, address, telephone number, social security number, etc.).
C) Card Validation Code or Value: Refers to either (1) magnetic-stripe data or (2) printed security features. A data element on a card's magnetic stripe that uses a secure process to protect data integrity on the stripe and reveals any alteration or counterfeiting. The following list provides the terms for each card brand:
D) For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit unembossed number printed above the PAN on the face of the payment card. The code is uniquely associated with each individual piece of plastic and ties the PAN to the plastic. The following provides an overview:
E) Encryption: The process of converting information into an unintelligible form to anyone except holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process against unauthorized disclosure.
F) Magnetic Stripe Data (Track Data): Data encoded in the magnetic stripe and used for authorization during a payment transaction.
G) Merchant: For the purposes of the PCI DSS and this policy, a merchant is defined as any university department or other entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
H) Payment Card: Any payment card/device that bears the logo of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or VISA, Inc.
I) Merchant Department Responsible Person (MDRP): A management employee within a department with primary authority and responsibility for payment card and eCommerce transaction processing within that Merchant Department.
J) Administrative Services Manager (ASM): A management employee with broad oversight responsibility for financial matters within the campus or auxiliary organization.
K) Payment Card Account Change
L) Payment Card Industry (PCI) Data Security Standard (DSS): A multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
A) Employees who are expected to be given access to cardholder data shall be required to complete, upon hire and at least annually, security awareness training focused on cardholder data security. Employees shall be required to acknowledge at least annually that they have received training, understand cardholder security requirements, and agree to comply with these requirements.