Payment Card Security Policy 1015

I. PURPOSE

Longwood University accepts credit/debit cards as payment for various goods and services. The purpose of this policy is to establish appropriate procedures to ensure that all applicable University units conduct business in accordance with Payment Card Industry Data Security Standards (PCI DSS). This policy applies to all academic and administrative units and employees of Longwood University who accept credit/debit card payments and all external entities contracted by Longwood to provide outsourced services for credit/debit card processing for University business.

II. POLICY

The PCI requirements apply to all systems that store, process or transmit cardholder data. Longwood University will review annually its card processing services to determine the extent to which cardholder data is being collected, processed, transmitted, stored and disposed of. The University will support unit compliance with card processing procedures and industry standards governing credit card transaction processing, specifically Payment Card Industry Data Security Standards (PCI DSS). The University’s PCI Project Team is responsible for developing strategies to ensure PCI DSS requirements are met. This Team has been granted the authority to govern PCI decisions and approve credit card acceptance practices.

The approval process for all credit/debit card processing activities will be as follows:

  1. An Application to Process Credit Cards must be completed and submitted to the Bursar.
  2. The Vice President for Administration and Finance must approve all credit/debit card processing activities, regardless of transaction method used (e-commerce, POS device, e-commerce outsourced to a third party, etc.). Any agreements/contracts made with third parties relative to credit/debit card transaction processing must be approved by the Vice President for Administration and Finance; departments are prohibited from negotiating third-party credit/debit card activities.
  3. All technology implementation associated with credit/debit card processing must be approved by the University’s Information Security Officer, to include the purchase of software and/or equipment (excluding Verifone devices).

Units approved for debit/credit card processing activities must adhere to established procedures to promote compliance with standards governing credit/debit card transaction processing. Such procedures are applicable to payments deposited with the State Treasurer, in local accounts or with the Longwood University Foundation. The Vice President for Administration and Finance may terminate credit/debit card collection privileges for noncompliance with established procedures.

Departments are responsible for ensuring all individuals involved with credit/debit card transactions are aware of the importance of cardholder data security. Specific responsibilities include (1) documenting departmental procedures, (2) ensuring that credit/debit card activities are in compliance with established University procedures, (3) annual validation of PCI compliance with their acquirer, and (4) ensuring that appropriate individuals complete annual credit card security awareness training. Any confirmed or suspected breach will be reported immediately to the Information Security Office.

Financial Operations is responsible for ensuring the annual validation of PCI compliance with the University's acquiring bank is completed, the annual review of departmental procedures and practices in connection with credit/debit card transactions, and consulting with Information Technology prior to implementing any new credit/debit card transaction process.

Information Technology is responsible for verifying appropriate technical system security controls in accordance with PCI Data Security Standards and regular monitoring and testing of the Longwood University network. The Information Security Office is responsible for establishing security incident response and escalation procedures and initiating such procedures when necessary to ensure timely and efficient handling of all incidents.


Approved by the Board of Visitors, December 3, 2010.
Revised and approved by the Board of Visitors, March 22, 2013.
Revised and approved by the Board of Visitors, June 23, 2014.
Revised and approved by the Board of Visitors, April 01, 2016.
Revised and approved by the Board of Visitors, September 15, 2017.


PCI Project Team Charter

BACKGROUND

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that store, process or transmit cardholder data (CHD) in any format (e.g. electronic, paper-based, etc.). This standard was created to assist entities in increasing the overall security of CHD and reducing credit card fraud arising from its exposure. The PCI DSS consists of 12 requirements that specify the framework for secure payment environments.

Longwood University will undertake steps to ensure the University is compliant with the PCI DSS by developing and implementing a service offering that includes the technology, training, policies, procedures, processes and support to achieve compliance and mitigate risks, as outlined in the PCI DSS Compliance Roadmap Report.

The PCI Project Team is a cross-organizational working group of representatives from the University who are involved in the handling of CHD. This team will discuss findings and develop strategies that will ensure PCI DSS requirements are met.

PURPOSE

The PCI Project Team will assist the University in becoming compliant with the PCI DSS, and in reducing the scope of items that must be compliant with the PCI DSS, by implementing the changes set forth by the strategic direction of the University.

FUNCTIONS

  • Meet monthly to address issues and findings.
  • Develop strategies for remediation of non-compliant items.
  • Monitor, support and follow up with merchant areas to ensure any and all corrective actions are applied.
  • Report any feedback, concerns and proposals from the merchant areas to the project team.
  • Assist merchants in completing their annual Self-Assessment Questionnaires (SAQ).
  • Champion PCI DSS compliance across the University.

STRUCTURE

  • Edward Ko, Security Advisor – CampusGuard
  • Cat Mobley, Director of Financial Operations & Materiel Management (Chair)
  • Tracy Nelson, Financial Operations – Special Projects
  • Bob Smith, Information Security Officer
  • Bruce Jenkins, Bursar
  • Crissy Sampier, LancerCard Office Manager
  • Aneicia Stimpson, Director of Application Services
  • David Overstreet, Internal Auditor (non-voting member)

OPERATION

The PCI Project Team will meet at least monthly to discuss and act upon areas of non-compliance at the University. The direction will be based on a consensus, incorporating the requirement to be compliant with the PCI DSS. If consensus cannot be reached, the Chair will seek resolution with the PCI DSS Compliance Project Sponsor (Vice President for Administration and Finance).

The PCI Project Team will remain in place for the duration of the PCI DSS Compliance Project.
