Policy for Accepting Credit Card and eCommerce Payments
Approved: October 2012
Updated: September 2013
This policy has been approved by the Vice President for Finance and Treasurer.
- Privacy Statement
- Background and Purpose
- Authority and Responsibility
- Policy Statement
- Process to Implement Acceptance of Credit Card and eCommerce Payments
- Infrastructure Considerations for Credit Card and eCommerce Processing
- Process for Responding to a Security Breach
- Ongoing Policy Management
- Related Documents/Links
Privacy Statement
Middlebury College and Monterey Institute of International Studies, a Graduate School of Middlebury College, (hereinafter referred to as “Middlebury”) recognizes the importance of privacy and abides by the privacy requirements of the PCI DSS. Any information gathered in the course of a payment card transaction will be classified in accordance with the Middlebury Data Classification Policy and handled in compliance with the PCI DSS and all Middlebury privacy policies.
Background and Purpose
Middlebury’s acceptance of credit cards to pay for gifts, goods and services has been growing over the past several years. Increased interest in accepting payments over the Internet (eCommerce) has also grown, spurring the need to establish business processes and policies that protect the interests of the College and its customers.
While the costs for accepting credit card payments can be significant (1.5%-3.0% of every transaction, depending on the card type), it often makes sense to accept this type of payment for business reasons, which include control of receivables, competitive position and efficient processing. To the extent that it makes economic sense to do so, the College would like to support this activity. In order to ensure that credit card activities are consistent, efficient and secure, the College has adopted the following policy and supporting procedures for all types of credit card activity, whether transacted in person, by phone, by mail or over the Internet. Security breaches can result in serious consequences for the College, including release of confidential information, damage to reputation, added compliance costs, the assessment of substantial fines, possible legal liability and the potential loss of the ability to accept credit card payments. This policy provides guidance so that credit card acceptance and eCommerce processes comply with the Payment Card Industry Data Security Standard (PCI DSS) and are appropriately integrated with the College’s financial and other systems.
The PCI DSS is a set of comprehensive requirements for credit card account data security, developed by the credit card industry in response to an increase in identity theft and credit card fraud. As a merchant who handles credit card data, Middlebury is obliged to safeguard that information and adhere to the standards established by the PCI Security Standards Council, including setting up controls for handling credit card data, securing computers and Internet connections, and completing an annual self-assessment questionnaire. The College and all departments that process payment card data have a contractual obligation, based on our merchant agreement with our payment processor and/or acquiring bank, to adhere to the PCI DSS.
The purpose of this policy is to define the guidelines for accepting and processing credit cards and storing cardholder information to comply with the PCI DSS.
Definitions
Account Number: The unique number identifying the cardholder’s account which is used in financial transactions.
ASV: Approved Scanning Vendor
Cardholder data: Cardholder data is any personally identifiable data associated with a cardholder. Examples include but are not limited to an account number, expiration date, name, address, social security number, etc.
CDE: Cardholder data environment
Credit Card Processing: Act of storing, processing, or transmitting credit cardholder data.
E-Commerce Application: Any network-enabled financial transaction application.
POS Device: Point of Sale (POS) computer or credit card terminals either running as standalone systems or connecting to a server either at Middlebury College, the Monterey Institute, or at a remote off site location.
SAQ: Self-Assessment Questionnaire
Sensitive Cardholder data: Sensitive Cardholder data is defined as the account number, expiration date, CVC2/CVV2 (the three-digit number printed on the signature panel of the card, or the four-digit code printed on the front of an American Express card), and the data stored on track 1 and track 2 of the magnetic stripe of the card.
Any Middlebury employee, contractor or agent who, in the course of doing business on behalf of the College, is involved in the acceptance of credit card and eCommerce payments for the College is subject to this policy. Failure to comply with the terms of this policy may result in disciplinary actions and could also limit a department’s credit card acceptance privileges.
Authority and Responsibility
The Treasury Office is responsible for issuing credit card merchant accounts and for overseeing policies and procedures regarding payment processing. Library and Information Services (LIS) is responsible for the operation of the College’s data networks including all merchant services systems.
Finance and LIS will constitute a cross-functional PCI Compliance Team to establish and ensure continued compliance with PCI DSS. To that end, this team will: 1) inventory every merchant that accepts credit or debit cards on campus, 2) verify the PCI DSS compliance of these transaction points and the payment applications used, 3) enforce this Policy for Accepting Credit Card and eCommerce Payments, and 4) educate all entities in the College’s payment environment so they know how it works and how to conduct business within our guidelines.
Any department accepting credit card and/or electronic payments on behalf of Middlebury for gifts, goods or services (“Merchant Department”) must designate an individual within that department who will have primary authority and responsibility for eCommerce and credit card transaction processing within that department. This individual will be referred to in the remainder of this policy statement as the Merchant Department Responsible Person or “MDRP”.
All MDRPs must:
- Execute on behalf of the relevant Merchant Department the Process to Implement Acceptance of Credit Cards for Payment detailed below.
- Ensure that all employees (including the MDRP), contractors and agents with access to payment card data within the relevant Merchant Department complete the Training & Agreement at http://go.middlebury.edu/pcidss on hire and annually thereafter, acknowledging that they have read and understand this Policy for Accepting Credit Card and eCommerce Payments and signing the PCI Confidentiality Statement electronically. The MDRP should forward the PCI Confidentiality Statement to HR to be filed in the personnel or student file and keep a copy on file to submit upon request to the PCI Compliance Team.
- Ensure that all credit card data collected by the relevant Merchant Department in the course of performing Middlebury business, regardless of how the payment card data is stored (physically or electronically, including but not limited to account numbers, card imprints, and Terminal Identification Numbers (TIDs)) is secured. A TID is a unique number assigned and linked to a specific point-of-sale (POS) terminal or workstation that can be used to identify the merchant operating the terminal during credit card sales transaction processing.
- Ensure that all credit card transactions are reviewed and reconciled to daily merchant reports.
- Ensure all Point of Sale (POS) devices deploy anti-virus software. Ensure all anti-virus mechanisms are current, actively running and generating audit logs. Retain audit trail history for a minimum of one year.
- Ensure all POS devices are updated and patched with the latest vendor supplied security patches on a weekly basis.
- Ensure Point of Sale devices are physically secured. Inspect Point of Sale devices on a weekly basis, for tampering or substitution. Non-production systems must be secured in a locked facility and regularly inventoried. Retain inspection log for a minimum of one year.
- Verify and collect PCI DSS Compliance Certificate or PA-DSS Validation certificate (POS systems) on all service providers within the relevant Merchant Department on an annual basis. The MDRP should retain a copy of the certificates and submit a copy to the PCI DSS Compliance Operations Team upon receipt.
- Ensure user access to cardholder data environment, within the relevant Merchant Department, is revoked when the individual’s job no longer requires access to the CDE. Maintain an audit log of user access to cardholder data environment for a minimum of one year.
Policy Statement
Data is considered to be secured only if the following criteria are met. Failure to follow the requirements below can result in severe penalties, including fines and prohibition from further acceptance of credit cards.
- Only those with a need-to-know are granted access to credit card and electronic payment data.
- Email/Fax must not be used to transmit credit card or personal payment information. If it should be necessary to transmit credit card information, only the last four digits of the credit card number can be displayed.
- Credit card or personal payment information is never downloaded onto any portable devices such as USB flash drives, compact disks, laptop computers or personal digital assistants.
- The processing and storage of personally identifiable credit card or payment information on College computers and servers is prohibited.
- The card-validation code (CVV2/CVC2/CID: the three-digit number printed on the signature panel of a credit card, or the four-digit number printed on the front of an American Express card) is never stored in any form.
- The full contents of any track from the magnetic stripe (on the back of a credit card, in a chip, etc.) are never stored in any form.
- All but the last four digits of any credit card account number are always masked, should it be necessary to display credit card data.
- Credit card information received for manual processing must be processed in a credit card merchant account (ex. CyberSource) the same day it is received if possible; but absolutely no later than 1 business day (excluding calendar and fiscal year periods).
- Upon successful entry into the Payment Processor, all credit card data must be redacted from the documentation.
- Acceptable methods for credit card data redaction: (1) cut the credit card data out of the document and immediately crosscut shred it; (2) mask the credit card data with a wide-tip black marker, photocopy the document and immediately crosscut shred the original.
- Any credit card data (number, expiration date and CVV code) that has not yet been processed through a credit card merchant account (ex. CyberSource), i.e. is pending entry in the payment processor, shall be housed in a secure/locked location. Only essential personnel may have access to the secure location. Credit card data shall not be stored electronically; this includes on a laptop, PC or network file share.
- Only authorized staff shall have access to the keys/combination.
- All credit card receipts and credit card authorizations must be kept in a locked and secure area. Individuals responsible for collecting the monies are responsible for proper handling of all related items.
- All media containing credit card and personal payment data that is no longer deemed necessary or appropriate to store are destroyed or rendered unreadable.
- The Cashiers Office will act as the central drop-off for all monies and credit card data transfers. Credit card data being conveyed out of the facility (your building) must be transported in a secure manner.
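The rules above forbid sending card data by email or fax and require that anything displayed show only the last four digits. The following is an added example, not part of the College's policy or any Middlebury system: a small gate that an outbound mail filter or a document-cleanup script could apply. It finds 13- to 19-digit sequences, keeps only those that pass the Luhn mod-10 check that every real account number satisfies (so order references and phone numbers are left alone), and rewrites each one to the last-four form the policy allows. The sample message is constructed; the card numbers in it are the publicly published Visa and American Express test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_SEP_RE = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits_of(candidate: str) -> str:
    return _SEP_RE.sub("", candidate)


def find_pans(text: str) -> list:
    """Return the digit strings of every Luhn-valid PAN found in text."""
    return [
        _digits_of(m.group())
        for m in _PAN_RE.finditer(text)
        if luhn_ok(_digits_of(m.group()))
    ]


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits, the only form the policy allows to be shown."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; other digit runs are untouched."""
    def _repl(m):
        digits = _digits_of(m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return _PAN_RE.sub(_repl, text)


def check_outbound_message(body: str) -> dict:
    """Gate for an outbound email or fax cover sheet: block if any PAN is present
    and return the redacted body that may be sent instead."""
    pans = find_pans(body)
    return {
        "blocked": bool(pans),
        "pan_count": len(pans),
        "last4": [p[-4:] for p in pans],  # safe to log: last four only
        "redacted": redact(body),
    }


# Constructed sample message; the card numbers are brand-published test numbers, not real accounts.
SAMPLE_EMAIL = (
    "Hi, please charge the reunion registration to 4111 1111 1111 1111, exp 09/15.\n"
    "Order ref 1234567890123456, call me at 802-443-5000 with questions.\n"
    "Backup card: 378282246310005\n"
)

if __name__ == "__main__":
    result = check_outbound_message(SAMPLE_EMAIL)
    print("blocked:", result["blocked"], "PANs found:", result["pan_count"])
    print(result["redacted"])
```

On the sample, the two test card numbers are caught and masked while the 16-digit order reference (which fails Luhn) and the phone number survive unchanged. A Luhn match on a random 16-digit run happens one time in ten, so a production filter would pair this with a check of the issuer prefix ranges; the last-four values are kept in the result because they are the only part of the number the policy permits to be recorded.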
No Middlebury employee, contractor or agent who obtains access to payment card or other personal payment information in the course of conducting business on behalf of Middlebury may sell, purchase, provide, or exchange said information in any form including but not limited to imprinted sales slips, carbon copies of imprinted sales slips, mailing lists, tapes, or other media obtained by reason of a card transaction to any third party other than to Middlebury’s acquiring bank, depository bank, Visa, MasterCard or other credit card company, or pursuant to a government request. All requests to provide information to any party outside of your department must be coordinated with the Director of Investment & Treasury Operations, or the PCI Compliance Team chair.
Each department responsible for credit card processing must complete an Annual Self-Assessment Questionnaire (SAQ) with our PCI compliance partner(s). All systems processing cardholder data must comply with the credit card processing (PCI) policy and the associated procedures. Finance and the LIS Network Security Group will assist in the initial self-assessment. To combat the loss of payment card information to hackers, eCommerce sites must comply with all security requirements. Self-assessment and certification forms will be sent to the PCI Compliance Team upon request.
Finance and Library and Information Services (LIS) will coordinate and oversee the Quarterly Network Scan.
Process to Implement Acceptance of Credit Card and eCommerce Payments
The MDRP must follow the steps below in order to implement payment card processing and eCommerce at Middlebury. These steps must also be completed in the event of a significant system or service provider change in payment card and eCommerce processing systems.
- Notify the PCI Compliance Team of a need to accept credit card payments and/or conduct eCommerce.
- Review the Middlebury PCI DSS information at http://go.middlebury.edu/pcidss . Complete an Application to Become a Merchant Department; (Attached as Appendix A). Applications must be signed by the MDRP as well as the department Budget Director. It is the responsibility of the department Budget Director to approve the business case for the department to become a merchant department, the Banner information provided, and the designated Merchant Department Responsible Person.
- Note: Accepted payment gateways for the College are CyberSource and Mercury Payment Systems. Acceptable payment methods at Middlebury are the CyberSource HOP (Hosted Order Page) or Secure Acceptance method, in which the customer’s card data goes directly from the customer’s browser to the gateway and never passes through College systems. Payment methods such as SCMP, SOAP and the SOAP Toolkit API, in which the service provider’s own system transmits the credit card data, will require prior approval from the PCI Compliance Team, based on justification around critical functionality. A credit card data flow diagram must be obtained from the service provider and submitted to the PCI Compliance Operations Team.
- Submit the application and credit card data flow diagram for review and approval to the PCI DSS Compliance Team at PCIComplianceTeam@middlebury.edu. Applications that request eCommerce capabilities will also require approval of the LIS Network Security group.
- Systems that combine credit card transaction processing with other functionality and require a separate server will require secure physical storage of the server component. Prior approval from Central Systems and Network Services is required due to specific physical considerations in the server environment.
- If the application is approved, the contract with the vendor/service provider must contain the “Data Privacy & Breach Notification” (PCI version) language set out below and be reviewed per the Middlebury Contract Policy.
Data Privacy & Breach Notification Contract Language:
Middlebury requires that [vendor] shall at all times maintain compliance with the most current Payment Card Industry Data Security Standards (PCI DSS). [vendor] will be required to provide written confirmation of compliance annually. [vendor] acknowledges responsibility for the security of cardholder data as defined within PCI DSS. [vendor] acknowledges and agrees that cardholder data may only be used for completing the contracted services as described in the full text of this document, or as required by the PCI DSS, or as required by applicable law.
In the event of a breach or intrusion or otherwise unauthorized access to cardholder data stored at or for [vendor], [vendor] shall immediately notify Middlebury’s Office of the VP for Administration and Treasurer to allow the proper PCI DSS compliant breach notification process to commence. [vendor] shall provide appropriate payment card companies, acquiring financial institutions and their respective designees access to the [vendor]’s facilities and all pertinent records to conduct a review of the [vendor]’s compliance with the PCI DSS requirements.
In the event of a breach or intrusion [vendor] acknowledges any/all costs related to breach or intrusion or unauthorized access to cardholder data entrusted to [vendor] deemed to be the fault of [vendor] shall be the liability of [vendor]. [vendor] agrees to assume responsibility for informing all such individuals in accordance with applicable law and to indemnify and hold harmless Middlebury, and its officers and employees from and against any claims, damages or other harm related to such breach.
- Director of Investment & Treasury Operations, or designee, will provide the requesting department any necessary equipment (swipe/key terminal), needed information (Merchant ID #), training, and directions for processing transactions for accounting purposes. The Director of Investment & Treasury Operations, or designee, will also provide additional information about processing, policies and what to do in the case of a security breach.
- Any Middlebury employee, contractor or agent (students, faculty, administrators, temporary employees, volunteers) responsible for processing, storing, or transmitting credit card data must complete the Training & Agreement upon hire and on an annual basis at http://go.middlebury.edu/pcitraining .
- Each Merchant Department must have an MDRP at all times. It is the responsibility of the MDRP and the MDRP’s direct supervisor to ensure this role is filled. The direct supervisor must record and track any change in MDRPs.
Infrastructure Considerations for Credit Card and eCommerce Processing
The following considerations must be taken into account when implementing payment card processing and eCommerce systems.
- Payment card processing and eCommerce systems must be segmented in accordance with the standards (See Appendix C) set forth by LIS to comply with PCI DSS regulations and to support other Middlebury network operations.
- Payment card processing and eCommerce systems must be located on a segment of the network which can be managed in such a way as to support monitoring and management efforts by LIS and third party security agencies contracted by the college.
- Existing payment card processing and eCommerce systems must be audited within one year of the acceptance of this policy.
- All new systems must be processed through the SaaS and Confidential Data Survey developed by LIS at http://go.middlebury.edu/saas .
Process for Responding to a Security Breach
In the event of a breach or suspected breach of security, the Merchant Department must immediately execute each of the relevant steps detailed below:
- The MDRP or any individual suspecting a security breach must immediately notify the Director of Investment & Treasury Operations and the Incident Response Team at firstname.lastname@example.org, in accordance with the Technical Incident Response Policy, of an actual or suspected breach of credit card information. Email should be used only for the initial notification and to provide a telephone number for the Director of Investment & Treasury Operations or the Incident Response Team to call in response. Details of the breach must not be disclosed in email correspondence.
- The MDRP or any individual suspecting a security breach involving eCommerce also must immediately ensure that the following steps, where relevant, are taken to contain and limit the exposure of the breach:
- Prevent any further access to or alteration of the compromised system(s): do not log on to the machine and do not change passwords, since either action overwrites evidence.
- Do not switch off the compromised machine, since powering down destroys volatile evidence held in memory; instead, isolate the compromised system(s) from the network by unplugging the network connection cable.
- Preserve logs and electronic evidence.
- Log all actions taken.
- Document all conditions, personnel and events around system at time of and leading up to suspected breach.
- Be on HIGH alert and monitor all eCommerce applications.
- Arrange for an independent forensic review.
- Arrange for a network and system vulnerability scan.
- Complete a compliance questionnaire and submit it to relevant card association(s).
Ongoing Policy Management
- Middlebury may modify this policy from time to time as required, provided that all modifications are consistent with the PCI DSS then in effect. The Middlebury PCI policy was approved by Patrick J. Norton, VP for Finance and Treasurer, in October 2012. This document will be reviewed at least annually and modified as our experience with PCI DSS compliance grows.
- The PCI Compliance Team is responsible for initiating and overseeing an annual review of this Policy, making appropriate revisions and updates and issuing the revised policy to appropriate Merchant Departments. The review will include reconfirmation of certified PCI DSS compliance of Middlebury’s third party vendors that accept credit card payments on behalf of the College.
Related Documents/Links
- Middlebury’s PCI DSS Policy for Accepting Credit Card and eCommerce Payments
- PCI Compliance Team
- Application to Become a Merchant Accepting Credit Card and/or Online Payments:
- The Technology Incident Response Policy
- The web site for the PCI DSS Security Standards Council:
- PCI DSS Overview:
- PCI DSS Self-Assessment Questionnaire Overview and instructions:
- For a list of Visa validated service providers see: http://usa.visa.com/merchants/risk_management/cisp_service_providers.html .
- For a list of validated Payment Applications see: https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php .
Appendix A – Application to Become a Merchant Department or Service Provider Change
All Merchant Departments must complete the Application to Become a Merchant Department when requesting to process credit cards, changing service providers, or making changes to an existing system.
Application Submission Date:
Describe the goods, services and/or gifts for which you will receive payments. Please be specific:
Is this an existing or new source of revenue?
Provide the Banner FOAPAL(s) where funds will be deposited and related fees will be assessed:
Explain why your department wants to accept credit card payments.
What economic benefits do you expect to gain by accepting credit cards? Please quantify and/or provide additional documentation to support this application.
Describe the frequency of credit card payments. Is this a one-time event? Are payments for seasonal or year-round activity? Provide detailed timeframes.
Will credit card be the sole method of payment? If not, what other methods of payment do you anticipate accepting for this specific purpose?
How do you plan to process these payments? (Check all that apply)
[ ] In-person (card present)   [ ] Mail/phone/fax order*   [ ] Internet
*Note: Credit card data should never be transmitted via email or fax correspondence.
If you are planning to accept credit card payments via the Internet, do you have a website?
If so, please provide the URL:
Please indicate the estimated annual dollar volume and number of transactions for each applicable credit card acceptance process:
In-person $ # transactions
Mail/phone/fax order $ # transactions
Internet $ # transactions
Who will be the Merchant Department Responsible Person (MDRP)? The MDRP, as referenced in the Middlebury Policy for Accepting Credit Card and eCommerce Payments, is responsible for managing credit card and/or eCommerce transaction processing. Include name, job title and phone extension and describe duties.
Please identify any additional staff who will be involved in processing credit card payments. Include name, job title and phone extension and describe duties.
Will any other departments, software packages or outside vendors be involved in the processing of credit card payments? If so, please identify all parties and describe their roles and responsibilities.
Is the payment gateway CyberSource or Mercury Payment Systems? If CyberSource, does the Service Provider support CyberSource HOP (Hosted Order Page) or Secure Acceptance payment method; the College’s preferred method of payment processing? Please attach a diagram of the cardholder data flow from the Service Provider.
Systems that combine credit card transaction processing with other functionality and use a separate server will require secure physical storage of the server component. This should be coordinated with Central Systems and Network Services before acquisition of the system and prior to any contract negotiations, as they may place additional requirements on the server component of the design.
Signatures: __________________________ __________________________
MDRP Employee ID:
Signatures: __________________________ __________________________
Budget Director Employee ID:
By signing this form, the Merchant Department Responsible Person acknowledges that he/she understands his/her role as outlined in the “Middlebury Policy for Accepting Credit Card and eCommerce Payments” and accepts the responsibility of that role.
By signing this form, the Budget Director approves of the business case presented for the department to become a Merchant Department, the Banner information provided and the designated Merchant Department Responsible Person.
Please submit completed form to: PCI DSS Compliance Team at PCIComplianceTeam@middlebury.edu . Questions can be directed to the PCI DSS Compliance Operations Team at PCIOperationsTeam@middlebury.edu .
Appendix B PCI DSS Confidentiality Statement
Please utilize the computer based Training & Agreement online at http://go.middlebury.edu/pcidss
As a member of the staff of Middlebury, I acknowledge that in the course of my employment I may have access to personal, proprietary, transaction-specific, and/or otherwise confidential data concerning faculty, staff, students, alumni and/or other persons through the processing of credit card transactions. As an individual with responsibilities for processing, storing and/or transmitting credit card data, I may have direct access to sensitive and confidential information in paper or electronic format. To protect the integrity and the security of the systems and processes as well as the personal and proprietary data of those to whom the College provides service, and to preserve and maximize the effectiveness of the College’s resources, I agree to the following:
• I will maintain the confidentiality of my password and will not disclose it to anyone.
• I will utilize credit card data for College business purposes only.
• I have been provided a copy of the College’s Policy for Accepting Credit Card and eCommerce Payments regarding the proper storing, protection, and disposal of such confidential data and I will ensure that any such data is shredded or otherwise disposed of as per approved office policy when no longer needed.
• I have read, understand, and agree to abide by the College’s Policy for Accepting Credit Card and eCommerce Payments. Any violations to this Policy will be grounds for disciplinary action up to and including termination of employment from Middlebury.
Name (Print): __________________________
Appendix C – Architecture Standards for PCI DSS Compliance
There are a number of considerations for securing both systems and network architecture with respect to PCI DSS across the Middlebury campuses. This section of the policy has been broken into three parts: core infrastructure, servers and systems, and remote terminals. Each part describes how the respective infrastructure must be configured for monitoring, access, and network connectivity in relation to the larger Middlebury network.
Core Infrastructure:
- Payment transactions will be isolated on a logically and physically isolated segment of the network. This segment will be used exclusively for payment card and eCommerce transactions.
- The PCI restricted network segment will only allow connections initiated from inside the secure segment or between the secure segment and 184.108.40.206/17.
- Outbound traffic from the PCI network segments will be limited appropriately.
- HTTP traffic will be prohibited from the PCI segments. HTTPS will be allowed on an as-needed basis.
- The PCI segment will be monitored and segmented from the general Middlebury network by technology compliant with the PCI standard.
- The PCI segment will be isolated from the campus wireless network and will be segmented off with appropriate ACL restrictions and firewall rule sets.
- No devices which provide wireless access will be allowed to connect to the network inside of the PCI segment.
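The segment rules above are easiest to verify when written down as a decision procedure that a proposed firewall rule set or a sample of observed flows can be run against. The following is an added example, not part of the policy or of any LIS configuration: it encodes the inbound rule (connections into the segment only from inside it or from the monitoring/management range), the wireless isolation, the HTTP prohibition and the as-needed HTTPS exception, and reports which flows the policy denies. The address ranges, the management range standing in for the one named in the policy, the approved HTTPS destinations and the sample flows are all assumed for illustration; the College's real segments are defined by LIS and are not listed on this page. Treating any other outbound traffic as denied is one reading of "limited appropriately" and is marked as such in the code.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address plan for illustration only; LIS defines the real segments.
ZONES = {
    "pci": ipaddress.ip_network("10.10.0.0/24"),       # isolated payment segment
    "mgmt": ipaddress.ip_network("192.0.2.0/24"),      # stands in for the monitoring/management range
    "wireless": ipaddress.ip_network("10.20.0.0/16"),  # campus wireless
    "campus": ipaddress.ip_network("10.0.0.0/16"),     # general campus network
}
# HTTPS destinations approved case by case (assumed addresses; the real ones would be the gateways).
HTTPS_ALLOWLIST = {"203.0.113.10", "203.0.113.11"}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is treated as the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    """A connection as initiated: src opens it toward dst:dport."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def evaluate(flow: Flow) -> tuple:
    """Decide ("allow" | "deny", reason) for a new connection under the segment rules above."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s != "pci" and d != "pci":
        return ("allow", "not PCI traffic; out of scope for these rules")
    if d == "pci":  # connection initiated toward the segment
        if s == "pci":
            return ("allow", "initiated inside the segment")
        if s == "mgmt":
            return ("allow", "from the approved management range")
        if s == "wireless":
            return ("deny", "wireless is isolated from the PCI segment")
        return ("deny", "inbound connections only from inside the segment or the management range")
    # Initiated from inside the segment toward somewhere else.
    if d == "wireless":
        return ("deny", "wireless is isolated from the PCI segment")
    if d == "mgmt":
        return ("allow", "to the approved management range")
    if flow.proto == "tcp" and flow.dport == 80:
        return ("deny", "HTTP is prohibited from the PCI segment")
    if flow.proto == "tcp" and flow.dport == 443:
        if flow.dst in HTTPS_ALLOWLIST:
            return ("allow", "HTTPS to an approved destination")
        return ("deny", "HTTPS is allowed only to approved destinations")
    return ("deny", "outbound default deny (assumed reading of 'limited appropriately')")


def audit(flows) -> list:
    """Run observed or proposed flows through the policy; return the denied ones with reasons."""
    denied = []
    for f in flows:
        decision, reason = evaluate(f)
        if decision == "deny":
            denied.append((f, reason))
    return denied


# Constructed sample flows, not taken from any real firewall log.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "203.0.113.10", 443),  # POS host to an approved gateway
    Flow("10.10.0.5", "198.51.100.7", 80),   # POS host browsing plain HTTP
    Flow("10.10.0.5", "198.51.100.7", 443),  # HTTPS to an unapproved host
    Flow("192.0.2.4", "10.10.0.5", 22),      # management range into the segment
    Flow("10.20.1.9", "10.10.0.5", 3389),    # wireless client into the segment
    Flow("10.0.5.5", "10.10.0.5", 3389),     # campus workstation into the segment
    Flow("10.0.5.5", "10.0.7.7", 445),       # campus to campus, out of scope
]

if __name__ == "__main__":
    for f, why in audit(SAMPLE_FLOWS):
        print(f"DENY {f.src} -> {f.dst}:{f.dport}/{f.proto}: {why}")
```

Run against the sample, the approved-gateway HTTPS flow, the management-range login and the campus-to-campus flow pass; the plain-HTTP flow, the HTTPS flow to an unlisted host, and both attempts to open a connection into the segment from wireless and from a campus workstation are denied. Note that the last case is what the inbound rule implies for a general-purpose workstation: a dual-use workstation can only reach a host inside the segment if its address is within the management range.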
Servers and Systems:
- Workstations used for dual purposes, such as eCommerce and general business applications, should use an RDP session to connect to a secured system inside the PCI network segment for the eCommerce applications; the session should have clipboard, drive and printer redirection disabled so that cardholder data cannot be copied back to the general-purpose workstation.
- Special events, such as phonathons should use systems located in the PCI segments of the network to gather and process ecommerce transactions.
- Vendor-provided servers must be hardened and maintain an SLA that accounts for patch management and anti-virus solutions.
- All ecommerce servers and systems must maintain current and valid anti-virus software.
- Ecommerce servers and systems must be patched against current vulnerabilities and threats for both operating system and application vulnerabilities.
Remote Terminals:
- Only Verifone or comparable PIN Transaction Security (PTS) approved devices, listed at https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php, may be used outside of the designated PCI segment of the network. Use of any device outside of the PCI segment of the network requires approval from the PCI Compliance Team.
- Use of cellular phone, iPad and tablet based payment processing is prohibited until such time as a formal standard is approved by the PCI SSC and adopted by the PCI Compliance Team.