The University of Wisconsin Oshkosh
Payment Card Compliance – Data Security Standards Policy (PCC-DSS)
Original Issuance Date: December 17, 2019
Last Revision Date: October 21, 2024
Next Review Date: October 20, 2027
1. PURPOSE
The purpose of this policy is to ensure that credit card payments and card data storage are executed according to UW System Policy 350.
2. RESPONSIBLE OFFICER
Chief Information Security Officer
3. SCOPE
This policy applies to all divisions and departments throughout the university that wish to take credit cards as a form of payment, including the Oshkosh and Fox Cities campuses.
4. BACKGROUND
UW System institutions can reduce the risk of processing cardholder data by meeting all applicable Payment Card Industry (PCI) compliance requirements, which means securing the network, hardware, applications, and processes. Payment Card Industry compliance requirements include the Data Security Standards (PCI DSS), Software Security Framework (SSF), and Point-to-Point Encryption Standards (P2PE). PCI compliance means that all entities accepting credit or debit cards operate in a way that protects cardholder data such as card number, expiration date, name of cardholder, and security code. Protection of cardholder data reduces the risk of this data being released to anyone other than the acquirer of the transactions going into the payment card processing network.
The Payment Card Industry Data Security Standard (PCI DSS) is the global data security standard adopted by the payment card brands for all entities that process, store, or transmit cardholder data. These security requirements apply to all transactions surrounding the payment card industry and the merchants/organizations that accept these cards as a form of payment. The PCI DSS comprises twelve requirements grouped into six goals:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Information protected from unauthorized disclosure by the PCI DSS is classified by the UW System as High Risk data, per UW System Administrative Procedure 1031.A, Information Security: Data Classification.
5. DEFINITIONS
Card Brands: Credit card networks including Visa, Mastercard, Discover, JCB International and American Express.
Cardholder: The person to whom a payment card is issued or any individual authorized to use the payment card.
Cardholder Data: At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
Division/Department: Includes all UW Oshkosh campuses, departments, and units.
Payment Application Data Security Standard (PA-DSS): For software vendors and others who develop payment applications that store, process or transmit cardholder data and/or sensitive authentication data, for example as part of authorization or settlement when these applications are sold, distributed or licensed to third parties.
Payment Card: A financial transaction card (credit, debit, etc.) issued by a financial institution; also called Bankcard/Payment Card/Charge Card/Credit Card/Debit Card.
Payment Card Industry Data Security Standards (PCI DSS): A multifaceted security standard developed and owned by the major payment card companies that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. PCI DSS represents a common set of tools and measurements to help ensure the safe handling of sensitive information. The standard comprises 12 requirements that are organized in 6 logically related groups or “control objectives.”
Point-to-Point Encryption (P2PE): A comprehensive set of security requirements for point-to-point encryption solution providers, this PCI standard helps those solution providers validate their work. Using an approved point-to-point encryption solution will help merchants to reduce the value of stolen cardholder data because it will be unreadable to an unauthorized party. Solutions based on this standard also may help reduce the scope of their cardholder data environment – and make compliance easier.
Sensitive Authentication Data: Security-related information (including but not limited to card validation codes/values, full track data from the magnetic stripe or equivalent on a chip, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
Service Provider: A business entity that is not a payment brand but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes companies that provide services that control or could impact the security of cardholder data. Examples include service providers that provide managed firewalls, intrusion detection systems (IDS), and other services.
MOTO: Mail orders and telephone orders. Cardholder data that is collected on mail forms for later processing, or collected via phone call for processing.
6. POLICY STATEMENT
Departments at UW-Oshkosh that accept payment cards are required to do so in accordance with PCI DSS, UW System Administrative Policy 350, Payment Card Compliance Policy, and the following procedures. Information protected from unauthorized disclosure by the PCI DSS is classified by the UW System as High Risk data, per UW System Administrative Procedure 1031.A, Information Security: Data Classification.
Card Acceptance and Handling
The opening of a new merchant account for accepting and processing payment cards is done on a case-by-case basis. Any fees associated with the acceptance of the payment card in that department will be charged to the individual merchant.
1.1. Interested departments or merchants should contact the UW Oshkosh PCI Team (pci@uwosh.edu) to begin the process of accepting payment cards. Steps include:
1.1.1. Approval from the Software Review Team
1.1.2. Completion of PCI training
1.1.3. Review and acknowledgement of the UW System Administrative Policy 350, Payment Card Compliance Policy, including proof of ongoing compliance with all requirements of the policy
1.2. Any department accepting payment cards on behalf of the institution must designate an individual within the department who will have primary authority and responsibility within that department for oversight of payment card transactions. The department should also specify a back-up, or person of secondary responsibility, should matters arise when the primary is unavailable.
1.3. Specific details regarding processing and reconciliation will depend on the method of payment card acceptance and type of merchant account. Detailed instructions will be provided when the merchant account is established and are also available by contacting the UW-Oshkosh PCI Team (pci@uwosh.edu).
1.4. All service providers and third-party vendors providing payment card services must be PCI DSS compliant. Departments who contract with third-party service providers must maintain a list that documents all service providers and:
1.4.1. Ensure contracts include language stating that the service provider or third-party vendor is PCI DSS compliant and will protect all cardholder data.
1.4.2. Annually verify the PCI DSS compliance status of all service providers and third-party vendors. A lapse in PCI DSS compliance could result in the termination of the relationship.
1.4.3. Collect a responsibility matrix from the service provider or third-party vendor annually to ensure that all PCI requirements are met by both the entity and UW-Oshkosh for the payment channel.
Payment Card Data Security
All departments authorized to accept payment card transactions must have their card handling procedures documented and made available for periodic review. Departments must have in place the following components in their procedures and ensure that these components are maintained on an ongoing basis.
I. Processing and Collection
2.1. Access to cardholder data (CHD) is restricted to only those users who need the data to perform their jobs. Each merchant department must maintain a current list of employees with access to CHD and review the list periodically to ensure that the list reflects the most current access needed and granted.
2.2. Equipment used to collect cardholder data is secured against unauthorized use or tampering in accordance with the PCI DSS. This includes the following:
2.2.1. Maintaining an inventory/list of devices and their location;
2.2.2. Periodically inspecting the devices to check for tampering or substitution;
2.2.3. Training for all personnel to be aware of suspicious behavior and reporting procedures in the event of suspected tampering or substitution.
2.3. Email and end user messaging (Teams, SMS, Zoom, instant messaging, etc.) must never be used to transmit payment card or personal payment information, nor should it be accepted as a method to supply such information. In the event that it does occur, disposal as outlined below is critical. If payment card data is received in an email then:
2.3.1. The email should be replied to immediately with the payment card number deleted stating that, “UW-Oshkosh does not accept payment card data via email as it is not a secure method of transmitting cardholder data”.
2.3.2. Provide a list of the alternate, compliant option(s) for payment.
2.3.3. Delete the email from your inbox and delete it from your email Trash.
2.4. Fax machines used to transmit payment card information to a merchant department must be standalone machines with appropriate physical security and a dedicated POTS telephone line; receipt or transmission of payment card data using a multi-function fax machine is not permitted.
2.5. MOTO (mail order / telephone order) is not an approved method of collecting cardholder data.
2.5.1. No paper forms should include fields for a customer to enter their cardholder data.
2.5.2. Campus IP-phones, Teams, Zoom, or personal/work cellular phones are not allowed to be used for collecting cardholder data.
2.6. Workstations/Laptops are not permitted to be used to enter cardholder data into a backend web form or customer facing ecommerce site.
2.6.1. The use of a validated P2PE solution that encrypts the CHD on swipe/key-in/EMV is acceptable when approved by the UW-Oshkosh PCI team.
II. Storage and Destruction
3.1. Cardholder data, whether collected on paper or electronically, is protected against unauthorized access.
3.2. Physical security controls are in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment, documents, or electronic files containing cardholder data.
3.3. No database, electronic file, or other electronic repository of information will store the full contents of any track from the magnetic stripe or the card validation code.
3.4. Portable electronic media devices should not be used to store cardholder data. These devices include, but are not limited to, the following: laptops, compact disks, floppy disks, USB flash drives, personal digital assistants, and portable external hard drives.
3.5. Cardholder data should not be retained any longer than that defined by a legitimate business need. CHD must be destroyed immediately following the required retention period using a PCI DSS-approved method of destruction. The UW System defined maximum period of time that credit card receipts and/or deposit transactions documents may be retained is three years from the date of transaction, unless a longer retention time period is required by contract or law. The maximum period of time that PCI Operator Training forms and corresponding PCI Compliance Logs may be retained is three years from the date of creation. A regular schedule of deleting or destroying data should be established in the merchant department to ensure that no cardholder data is kept beyond the required retention period. For more detail regarding record retention, please see the University of Wisconsin System Fiscal and Accounting General Records Schedule.
Risk Assessment
Implement a formal risk assessment process in which current threats and vulnerabilities to the institution’s network and processing environment, including staff, are analyzed. Risk assessments must be conducted annually and must commence no later than two years after the initial adoption of UW System Administrative Policy 350, Payment Card Policy. Information Technology should conduct the risk assessment of the infrastructure and threats; departments that accept payment cards should also conduct an assessment of their physical environments and assess risks to the payment environment.
Address all threats with mitigation tasks, timelines, and/or acceptance statements. Prepare and maintain documented output from the risk assessment exercise(s).
Incident Response
In the event of a breach or suspected breach of security, the department or unit must immediately notify the UW-Oshkosh Information Technology Help Desk to execute UWO Information Technology Policy 1033. This plan must meet or exceed the requirements of UW System Administrative Policy 1033, Information Security: Incident Response and should be reviewed at least annually.
Policy and Training
Ensure policy and procedure documentation governing cardholder data exists and that it covers the entirety of the PCI DSS. Document users’ acknowledgement of understanding and compliance with all policies and procedures annually. Ensure training on the PCI DSS and overall information security is provided to all staff members with access to cardholder data and/or the processing environment upon hire, and at least annually thereafter. Staff members are not allowed to access the CDE (cardholder data environment) until they have successfully completed training and passed the certification exam.
Sanctions
Failure to meet the requirements outlined in this policy will result in suspension of the physical and, if appropriate, electronic payment capability for the affected merchant(s). In the event of a breach or a PCI violation the payment card brands may assess penalties to the institution’s bank which will likely then be passed on to the institution. Any fines and assessments imposed will be the responsibility of the impacted merchant. A one-time penalty of up to $500,000 per card brand per breach can be assessed as well as on-going monthly penalties thereafter until compliance is achieved.
Persons in violation of this policy are subject to sanctions, including loss of computer or network access privileges, disciplinary action, suspension and termination of employment, as well as legal action. Some violations may constitute criminal offenses under local, state, or federal laws. UW-Oshkosh will carry out its responsibility to report such violations to the appropriate authorities.
7. REFERENCES
Regent Policy Document 25-5, Information Technology: Information Security
UW System Administrative Policy 350, Payment Card Compliance Policy
(RESCINDED) UW System Administrative Policy 1110, Information Technology Acquisitions Approval
UW System Administrative Policy 1030, Information Security: Identity and Access Management
UW System Administrative Policy 1031, Information Security: Data Classification and Protection
(RESCINDED) UW System Administrative Procedure 1031.A, Information Security: Data Classification
(RESCINDED) UW System Administrative Procedure 1031.B, Information Security: Data Protections
UW System Administrative Policy 1032, Information Security: Awareness
UW System Administrative Policy 1033, Information Security: Incident Response
Current PCI DSS Requirements and Supporting Documentation
University of Wisconsin System Fiscal & Accounting General Records Schedule
8. PROCEDURES
9. REVISION HISTORY
09/26/2024: Oshkosh Student Government
10/01/2024: Faculty Senate
10/03/2024: Senate of Academic Staff
10/16/2024: University Staff Senate
10/21/2024: Chancellor