Middlebury PCI DSS – Policy for Accepting Credit Card and eCommerce Payments V1.3
V1.0 October 2012, V1.1 September 2013, V1.2 August 2014, V1.3 August 2015
Table of Contents
This policy document provides information to ensure the College complies with the Payment Card Industry Data Security Standard (PCI DSS). This policy addresses the Standards that are contractually imposed by the major credit card brands on merchants that accept payment cards. The purpose of the PCI DSS is to protect cardholder data.
Any College employee, contractor, individual, entity (herein after referred to as agent), systems, and networks involved with the transmission, storage and/or processing of credit card numbers at Middlebury, in the course of doing business on behalf of the College, is subject to this policy, administrative and technical policies located in the College Handbook.
The PCI DSS is a mandated set of requirements agreed upon by the five major credit card companies: VISA, MasterCard, Discover, American Express and Japanese Credit Bureau. These baseline security requirements apply to all transactions surrounding the payment card industry whether electronically driven or hard copy format. There is an annual reporting requirement, Self-Assessment Questionnaire (SAQ) that must be completed by the holder of the merchant ID. Further details about this reporting requirement can be found at the PCI Security Standards Council Web site: https://www.pcisecuritystandards.org.
Only departments who have been approved by the PCI Compliance Team may accept payment via credit card. Student Organizations and Clubs are prohibited from obtaining a merchant account. Please direct questions regarding the use of payment card services, by Student Organizations and Clubs, to the Student Activities office. Individuals found to have violated this policy, whether intentionally or unintentionally, may be subject to disciplinary action and possible termination of employment.
This policy was approved by Patrick J. Norton, Vice President for Finance & Treasury, in October 2012. The PCI Compliance Team may modify this policy from time to time and as required annually. This policy is distributed annually in the Middlebury College Handbook. The most current version, V1.3, of this policy is to be readily available and accessible http://go.middlebury.edu/handbook.
Middlebury is committed to complying with the Payment Card Industry Data Security Standards. Compliance by Middlebury requires:
➢ Follow Middlebury’s PCI DSS administrative and technical policies.
➢ Any department accepting credit card payments on behalf of Middlebury (“Merchant Department”) must designate an individual to serve as a Merchant Department Responsible Person (MDRP) within that department who will have primary authority and responsibility for payments made over the internet (eCommerce) and credit card transaction processing within that department.
➢ All Middlebury departments accepting payment cards and all agents of the College designated to accept payments cards will be trained upon hire and annually on this Middlebury PCI Policy and will sign the PCI Training & Confidentiality Agreement prior to performing that work.
➢ Middlebury ITS staff will be trained upon hire and annually on the Middlebury PCI WISP and this Middlebury PCI policy. ITS staff will acknowledge and electronically sign the PCI Training & Confidentiality Agreement prior to performing that work.
➢ MDRP’s for all merchant departments accepting card present transactions, will be trained annually on Physical Security of Point of Sale Devices – Skimming Best Practices. MDRP’s are responsible for training employees in their area on these practices.
➢ Middlebury will perform a background check on potential personnel who will handle payment card data (except cashiers) prior to hire to minimize the risk of attacks from internal sources.
➢ Any Middlebury department accepting payment cards will utilize only dedicated, PCI Compliance Team approved equipment to process card payments.
➢ Any Middlebury department accepting payment cards will not store cardholder data except as defined by this policy.
➢ Cardholder data is classified as Extremely Sensitive Data as noted in the Data Classification policy.
➢ Cardholder data (Media) can be in hardcopy or electronic format.
- Limit access to system components and cardholder data to only those individuals whose job requires such access
- The level of access is determined by job requirements; based on the least privilege model
- Physical access to the Data Center(s) is physically secured
- Sufficient controls are in place to identify individuals entering/exiting
- Each Merchant Department must retain the signed PCI Training & Confidentiality Agreements and maintain a current list of employees and review monthly to ensure that the list reflects the most current access needed and granted.
- Each Merchant Department must maintain a current list of equipment authorized to be used to process CHD. Each equipment item must be identified by make, model, serial number (or other method of unique identification) and location of device. The equipment list must be submitted to the PCI Compliance Team quarterly.
Credit Card Acceptance and Handling
- In the course of doing business at Middlebury it may be necessary for a department or other unit to accept payment cards. The opening of a new merchant account for the purpose of accepting and processing of payment cards is done on a case by case basis. Any fees associated with the acceptance of payment cards in that unit, will be charged to the unit (including but not limited to; infrastructure, security and management, i.e. firewall, switch, network cables). Student Organizations and Clubs are prohibited from obtaining a merchant account, please contact the Student Activities office for available options.
- Interested departments should contact the PCI Compliance Team to begin the process of accepting credit cards. Steps include:
- Completion of an “Application to become a Merchant Department”
- Completion of training
- Read the Middlebury PCI Policy for Accepting Credit Card and eCommerce Payments and the Middlebury PCI WISP
- Completion of Security Awareness training
- Ensure that all credit card transactions are reviewed and reconciled to daily merchant reports. Upload daily reconciliation reports to a shared Finance folder.
- Employees must be discrete and use common sense when handling cardholder data.
- Credit cards may be accepted in the follow manner:
- In person (card present)
- Direct telephone contact (telephone order); the constituent on the telephone should verify the payment card information twice, agents of the College should not read the payment card data back to constituent
- Through a PCI-DSS compliant automated system that is entirely hosted by a PCI DSS compliant third party organization (eCommerce)
- Physical mail
- Cardholder data must not be accepted or sent via end user messaging technologies; email, text message, SMS, chat etc. If an email is received containing cardholder data, a snapshot of the email header must be sent to the PCI Compliance Team at firstname.lastname@example.org for logging. DO NOT FORWARD or PRINT the cardholder data. Delete the email from Inbox and Deleted Items folder. It is also necessary to delete it from the “Recover Deleted Items” folder. Follow up with the constituent and advise this method of transmitting cardholder data is not secure. Advise the constituent we cannot process the payment and educate him/her on the appropriate methods of conveying a credit card payment.
- Cardholder data must not be accepted or sent via fax. If a fax is received with cardholder data, immediately shred in a crosscut shredder. Notify the PCI Compliance Team with the name, date, location the cardholder data was received. Follow up with the constituent and advise this method of transmitting cardholder data is not secure. Advise the constituent we cannot process the payment and educate him/her on the appropriate methods of conveying a credit card payment.
- Merchant departments must maintain strict control over the internal and external distribution of any kind of media that contain cardholder data. All media moved from a designated secure area (department the cardholder data is delivered to) must be marked confidential, documented on a triplicate copy media removal tracking log, and transported in a secure bag by Public Safety or a document service. No media containing cardholder data may leave the premises of the department that accepted it for processing. Materials sent to constituents, with a designated area for written cardholder data, to be returned to Middlebury must have the return address of the department that will process the cardholder data on the return vehicle. Every effort should be made to eliminate the area for written cardholder data on appeals, instead noting a secure means to make a credit card payment on a secure online forms, by check, or phone.
- In the rare instance that an agent of the College is offered payment card information during an off-site visit, the agent will provide the donor with a transmittal form or direct the constituent to an approved method of payment (i.e. online donation site, phone). The constituent may then fill out the form and mail it directly to the appropriate office at Middlebury.
- For compliancy and security Middlebury employees must not store or take possession of cardholder data (CHD) while off-site.
- Cardholder Data received for manual processing (mail, hand delivered) must be processed in a credit card merchant account the same day it is received if possible; **but no later than 1 business day (excluding calendar and fiscal year periods). Cardholder data in written form is redacted immediately following authorization in the payment gateway.
- Acceptable forms of redaction are crosscut shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed.
- Refunds for donations must be processed using the same credit card for the transaction. A different card may not be used.
- Mask the Primary Account Number (PAN) when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
- **Middlebury does not store authorized cardholder data (media), in hardcopy or electronic form**
- Cardholder data that is collected but has not yet been processed (pending authorization in payment gateway), in addition to any USPS mail that hasn’t been opened, must be stored in a secure location (locked safe, locked file cabinet), see Processing above. Only authorized staff shall have access to the keys/combination.
- Middlebury does not store Sensitive Authentication Data; including the primary account number (PAN), expiration date and service code (CVV).
- Cardholder data may not be stored on any portable devices including but not limited to USB flash drives, cellular phones, personal digital assistants and laptop computers.
- Cardholder data may not be stored in logs (for example, transaction, history, debugging, and error), history files, trace files or database contents.
- A quarterly process for identifying and securely deleting stored cardholder data is maintained in the Information Security - Auditing and Penetration Test - Standard Operating Procedures (SOP).
- Cardholder data must be disposed of in a certain manner that renders all data unrecoverable. This includes hard copy (paper) documents and any electronic media including computers, hard drives, magnetic tapes and USB storage devices.
- The approved methods of disposal for hardcopy media are:
- Cross-cut shredding
- The approved method of disposal, rendered unrecoverable, for electronic media:
- Secure wipe program
- In accordance with industry-accepted standards for secure deletion
- Physically destroying the media is rendered unrecoverable
Media Device Protection- Protect card present processing devices from tampering and substitution
Middlebury will maintain an up-to-date inventory of all devices that capture payment card data. Middlebury will protect card present processing devices from tampering or substitution. The MDRP, or designee, is to conduct the following:
- Maintain a list of all devices that capture payment card data, for which the list is to include the following:
- Make, model, serial number (or other method of unique identification) and location of device
- Ensure that the list of devices is updated when devices are added, relocated, decommissioned
- Physically secure all devices that capture payment card data
- Portable payment card processing devices must be stored securely in a locked area when not in use.
- Cashiers must perform a daily visual inspection of devices that capture payment card data.
Merchant departments accepting card present transactions will be trained, by Information Security, annually on Physical Security of Point of Sale Devices – Skimming Best Practices. The MDRP, or designee, is responsible for training employees in their department on these practices.
- A Terminal Characteristics form must be completed for each terminal annually and upon any significant change
- A Monthly Physical Inspection must be performed, documented and retained
The Terminal Characteristics and Monthly Physical Inspection forms must be retained for a period of one year. MDRP or designated staff are to submit the Monthly Physical Inspection forms to the PCI Compliance Team on a quarterly basis.
Security Awareness Program
All persons with physical and logical access to Middlebury’s environment, whether employees, third-parties, service providers, contractors, temporary employees, and/or other staff members, must be trained on their role in protecting Middlebury from threats to help safeguard Middlebury’s finances, operations, and brand name.
- Upon hire and at least annually, all users connected to Middlebury’s cardholder data environment (in any way), are to complete the Information Security Awareness Training program.
- The training program consists of a Security Awareness video, the Middlebury PCI Policy for Accepting Credit Card and eCommerce Payment, and a PCI Training and Confidentiality Statement to be electronically signed by all agents.
- Upon hire and at least annually, MDRP’s in departments with card present processing hardware, are to complete Physical Inspection and Skimming Prevention training administered by Information Security.
- All agents of the College must read and electronically sign the Confidentiality agreement in agreement with Middlebury’s terms and conditions and acknowledgment of their role in safeguarding Middlebury’s environment on an annual basis.
- In addition to the above, those who have admin or privileged access (ITS staff) or roles with systems which transmit, process, and store cardholder data must receive additional technical training to further reinforce and supplement their knowledge of security practices.
- ITS staff are required to read the Middlebury PCI WISP and acknowledge their role in safeguarding Middlebury’s environment, by electronically signing the ITS version of the PCI Training and Confidentiality Agreement upon hire and on an annual basis.
- Attendance logs for Security Awareness and Physical Inspection-Skimming Prevention training must be kept by Information Security and provided to the PCI Compliance Team upon request.
In the event of a breach or suspected breach of security, the department must immediately execute each of the relevant steps detailed below:
- The MDRP or any individual suspecting a security breach must immediately notify the Incident Response Team at email@example.com, in accordance with the Technical Incident Response Policy, of an actual breach or suspected breach of credit card information. Email should be used for the initial notification and to provide a telephone number for the Incident Response Team to respond to. Details of the breach should not be disclosed in email correspondence.
- Notify the MDRP and the department head of the unit experiencing the suspected breach.
- The MDRP or any individual suspecting a security breach involving ecommerce also must immediately ensure that the following steps, where relevant, are taken to contain and limit the exposure of the breach:
- Prevent any further access to or alteration of the compromised system(s). (i.e., do not log on at all to the machine and/or change passwords)
- Do not switch off the compromised machine; instead, isolate the compromised system(s) from the network by unplugging the network connection cable.
- Preserve logs and electronic evidence.
- Document every action you take from the point of suspected breach forward, preserving any logs or electronic evidence available. Include in the documentation:
- Date and time
- Action taken
- Person performing action
- Person performing documentation
- All personnel involved
- Be on HIGH alert and monitor all ecommerce applications
- Log all actions taken
If a suspected or confirmed intrusion / breach of a system has occurred, the Incident Response Team will alert the merchant bank, the payment card associations, Internal Risk Department, General Counsel, and the Vice President for Finance and Treasury. A detailed incident response plan will be maintained by ITS Information Security. This incident response plan shall be in accordance with the parameters set forth by the Card Brands.
Service Provider Management
Service Providers (third parties) are contractually required to adhere to the PCI DSS requirements. Due diligence must be exercised before engaging with any service providers that may affect or have a relationship or function associated with Middlebury‘s cardholder data environment. The written agreement shall include an acknowledgement by the service providers of their responsibility for securing cardholder data and breach liability language, see Data Privacy and Breach Notification.
Note: This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities.
- Each Merchant Department must obtain the appropriate PCI Compliance documentation, from Service Providers, on an annual basis (prior to expiration date of the current documentation).
- The MDRP is responsible for sending the updated PCI Compliance documentation to the PCI Compliance Team upon receipt from the Service Provider.
- Information Technology Services is responsible for obtaining the appropriate PCI Compliance documentation from managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities.
- Service Providers must provide either an SAQD-Service Provider AOC or an On-Site Assessment AOC for Service Providers. AOC’s must note specific requirements Service Provider is attesting to.
- Service Providers must provide a current quarterly vulnerability scan from their ASV.
- Verify Payment Applications are validated on the PA DSS List of Validated Payment Applications at https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php .
The PCI Compliance Team will maintain a collective, current and accurate list of Service Providers with the following information:
- Service Provider Name
- Service being provided - description
- PCI Validation Required
- Validation Date
- Expiration Date
- Functional Area
- MDRP Responsible
Breach - Any payment card data exposed by negligence or malice constitutes a reportable breach
CDE - Cardholder data environment - Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission.
CHD – Cardholder Data - Credit Card components that are required to be protected. These include: Primary Account Number, Cardholder Name, Expiration Date, Service Code, and Card Verification Code
Ecommerce - The buying and selling of products or services over the Internet
Managed Service Providers: A managed services provider (MSP) is most often an information technology (IT) services provider that manages and assumes responsibility for providing a defined set of services to its clients either proactively or as the MSP (not the client) determines that services are needed. Managed Services can include, but are not limited to: Backup, Data Recovery, Storage, Security, Network Management, Management Information Systems, Systems Management and Data Management.
MDRP – Merchant Department Responsible Person - Any department accepting credit card payments on behalf of the College for gifts, goods, or services (“Merchant Department”) must designate an individual within that department who will have primary authority and responsibility for ecommerce and credit card transaction processing within that department.
Media - refers to all paper and electronic media containing cardholder data.
Merchant - Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.
Merchant Account/ID - A bank account that allows businesses to accept payments by payment cards. A merchant account is established under an agreement between an acceptor and a merchant acquiring bank for the settlement of payment card transactions.
Payment Gateway - An e-commerce application service provider service that authorizes credit card payments
Payment Processor - A company, often third party, appointed by a merchant to handle credit card transactions for merchant acquiring banks.
PCI DSS COMPLIANCE - The Payment Card Industry Data Security Standard (PCI DSS) is mandated set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholder against misuse of their personal information.
Point of Sale (POS) - The location where a credit card transaction occurs through a terminal or register.
SaaS Survey - Middlebury Security and Compliance Survey; required for all new Service Providers.
Self-Assessment Questionnaire (SAQ) - A validation tool to help merchants validate their compliance with PCI-DSS
Service Provider - Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
Third Party - Credit card transactions are processed through an external party to Middlebury. Software may or may not be owned by Middlebury.
- Middlebury PCI Written Information Security Policy http://go.middlebury.edu/PCIWISP
- Middlebury PCI DSS Information Pages http://go.middlebury.edu/pcidss
- The web site for the PCI DSS Security Standards Council https://www.pcisecuritystandards.org/
- PCI DSS Overview https://www.pcisecuritystandards.org/security_standards/index.php
- PCI DSS Self-Assessment Questionnaire Overview and instructions https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
- For a list of Visa validated service providers see http://usa.visa.com/merchants/risk_management/cisp_service_providers.html
- For a list of validated Payment Applications see
V1.0 October 2012
V1.1 September 2013
V1.2 August 2014
V1.3 August 2015
Appendix A: Checklist for Process for Merchant Account Request or Service Provider Change
Appendix B: Merchant Account Request Form or Service Provider Change
Appendix C: Project Plan (PCI Related)
Appendix A: Checklist for Process for Merchant Account Request or Service Provider Change
A Contract, that includes payment card processing, must not be signed without approval from the PCI Compliance Team and in adherence to the College Contract Policy.
1. ____ Functional area determines a need for a credit card/ecommerce account or new Service Provider for an existing process/merchant account.
2. ____ Functional area submits a request for above to the PCI Compliance Team by completing Appendix B: Merchant Account Request Form or Service Provider Change , Project Plan, the proposed contract, a point of access credit card diagram (obtained from the Service Provider), network configuration document (showing firewall configurations, Ports, IP addresses if this is a POS system) and Service Providers PCI Compliance documentation.
3.____ Functional area sends the Service Provider the SaaS and Compliance Survey to complete. Service Provider must provide a firewall configuration document showing the requested firewall, ports, and IP’s configuration. Network Security submits findings to PCI Compliance Team.
4.____ PCI Compliance Team gives conditional approval for the new application and then sends Project Plan to Information Technology Services for review and priority.
5.____ Information Technology Services department(s) sends approval/non-approval to the PCI Compliance Team for final Merchant Account/Information Technology Services Project Approval.
6.____ Contract is approved in accordance with the College Contract Policy and includes the Data Privacy and Breach Notification clause.
7. ____ Functional area, PCI Compliance Team and Information Technology Services to collaborate on prioritization and scheduling of project implementation.
8.____ PCI Compliance Team works with the MDRP to administer PCI training for staff/students that will handle cardholder data.
9.____ Functional area works with Finance to ensure the transactions are properly recorded in the general ledger and reconciliation reports are saved in the shared reconciliation file.
10.____ PCI Compliance Team to follow up with audits to ensure compliance with PCI policy.
PCI Compliance Team Final Approval:
Finance Representative Date
Kim Downs-Burns, AVP for Student Financial Services
Information Technology Services Representative Date
Chris Norris, ITS Director, Information Security & Systems and Infrastructure
Appendix B: Merchant Account Request Form or Service Provider Change
SUBMIT TO THE PCI Compliance Team @ PCIComplianceTeam@middlebury.edu
Date: Requesting Department: Name:
Title: Email: Extension:
Describe the goods, services, and/or gifts for which you will receive payments. Please be specific:
Is this an existing or new source of revenue?
Provide the Banner FOAPAL(s) where funds will be deposited and related fees will be assessed:
Explain why your department wants to accept credit card payments.
What economic benefits do you expect to gain by accepting credit cards? Please quantify and/or provide additional documentation to support this application.
Describe the frequency of credit card payments. Is this a one-time event? Are payments for seasonal or year-round activity? Provide detailed timeframes.
Will credit card be the sole method of payment? If not, what other methods of payment do you anticipate accepting for this specific purpose?
How do you plan to process these payments? (Check all that apply)
In-person (card present) Mail/phone Internet
*Note: Cardholder data should never be transmitted via email or fax correspondence.
If you are planning to accept credit card payments via the Internet, do you have a website?
If so, please provide the URL:
Please indicate the estimated annual dollar volume and number of transactions for each applicable credit card acceptance process:
In-person $ # transactions
Mail/phone $ # transactions
Internet $ # transactions
Who will be the Merchant Department Responsible Person (MDRP)? The MDRP, as referenced in the Middlebury (PCI) Policy for Accepting Credit Card and ecommerce Payments, is responsible for managing credit card and/or ecommerce transaction processing. Include name, job title, phone extension, and describe duties.
Please identify any additional staff who will be involved in processing credit card payments. Include name, job title, phone extension, and describe duties.
Will any other departments, software packages or outside Service Providers be involved in the processing of credit card payments? If so, please identify all parties and describe their roles and responsibilities.
Signatures: __________________________ Employee ID:
Signatures: __________________________ Employee ID:
, Budget Director
By signing this form, the Merchant Department Responsible Person acknowledges that he/she understands his/her role as outlined in the “Middlebury (PCI) Policy for Accepting Credit Card and ecommerce Payments” and accepts the responsibility of that role.
By signing this form, the Budget Director approves of the business case presented for the department to become a Merchant Department, the Banner information provided and the designated Merchant Department Responsible Person.