Middlebury
What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. In practice this means any merchant that has a Merchant ID (MID).
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC, an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI SSC.
A copy of the PCI DSS is available from the PCI SSC document library.

We want to start accepting credit cards, what is the process?

To request a new Merchant Account please follow these steps:

  1. Proceed to the Merchant Account/Service Provider Change Request form and follow the outlined steps.
  2. Choose a Service Provider that is listed as PCI DSS compliant on the Visa Global Registry of Service Providers.
  3. If purchasing a POS (Point of Sale) system, the system and its specifications must appear on the PA-DSS Validated Payment Applications listing on the PCI SSC website.
  4. New systems and vendors must be approved by the PCI Compliance Team, LIS Security Team, Finance and Risk Management before a purchase is made or a contract is signed.

We want to change service providers and we process credit cards, what is the process?

If you have an existing merchant account and are contemplating changing vendors, please follow these steps:

  1. Open the PCI DSS Request form and follow the outlined steps.
  2. Choose a Service Provider that is listed as PCI DSS compliant on the Visa Global Registry of Service Providers.
  3. If purchasing a POS (Point of Sale) system, the system and its specifications must appear on the PA-DSS Validated Payment Applications listing on the PCI SSC website.
  4. New systems and vendors must be approved by the PCI Compliance Team, LIS Security Team, Finance and Risk Management before a purchase is made or a contract is signed.

What do I do if I suspect a breach?

The MDRP, or any individual suspecting a security breach, must immediately notify the Director of Investment & Treasury Operations, or designee, and the Information Security Team at infosec@middlebury.edu of an actual or suspected breach of credit card information. Email should be used only for the initial notification and to provide a telephone number that the Director of Investment & Treasury Operations, or designee, can call in response.
Details of the breach must not be disclosed in email correspondence; they are discussed by telephone.

Please refer to the PCI Policy - Process for Responding to a Security Breach for additional requirements.

Who is responsible for security updates and patches on our POS (Point of Sale) system?

The Merchant Department/Functional Area is responsible for ensuring that its POS systems are kept up to date with security patches and anti-virus. POS systems should be shut down or restarted on a nightly basis so that pending automatic updates are installed; an update that is downloaded but never applied provides no protection.

Please contact the Help desk if you have questions regarding the necessary maintenance required on all payment processing software/hardware.

Is my card reader terminal in a secure location?

The functional area must be vigilant and maintain a secure environment at all times, especially around cash registers, POS PEDs (Point-of-Sale PIN Entry Devices) and credit card terminals (Verifone). To encourage such vigilance, the PCI SSC has published skimming prevention best practices that include:
  • Visually inspecting terminals on a regular basis to identify anything abnormal, such as missing or altered seals or screws, extraneous wiring, holes in the device, or the addition of labels or other materials that could be used to mask damage from device tampering.
  • Physically securing terminals and PIN pads to counters to prevent removal.
  • Physically securing all cable connections.
  • Physically securing (under lock and key) stored terminals awaiting deployment.
  • Periodically validating the inventory on hand against asset records, including serial numbers, so that a swapped device is noticed.
  • The MDRP, or any individual suspecting tampering or a security breach, must immediately notify the Director of Investment & Treasury Operations, or designee, and the Information Security Team at infosec@middlebury.edu of an actual or suspected breach of credit card information.

Credit card terminals must not be used as mobile/portable payment processing devices. These terminals must be connected to a Middlebury network jack and process payment information on the secure subnet set up specifically for payment processing.

If your department determines a need for a mobile payment device, please contact the PCI DSS Compliance Team for guidance.

What are my responsibilities as the MDRP for my department?

The MDRP (Merchant Department Responsible Person) is an individual within that department who will have primary authority and responsibility for eCommerce and credit card transaction processing within that department.  Please refer to the PCI Policy for responsibilities. 

Can an IP based card reader terminal (Verifone) be connected into any network jack?

All point-of-sale systems, credit card processing stations and IP based credit card reader terminals must be connected to a specific network jack on a subnet designated for payment processing only. This equipment may not be connected to any network other than the payment processing subnet; connecting it to a general-purpose jack pulls that network into PCI DSS scope and exposes the terminal to other hosts.

IP based credit card terminals must not be used as mobile/portable payment processing devices. If your department determines a need for a mobile payment device, please contact the PCI DSS Compliance Team for guidance.

Mobile/Portable Payment Options?

The VeriFone Vx610 Cellular Credit Card Terminal is a PCI approved portable POS device. Please contact the PCI Compliance Team to discuss.

All Point of Sales (POS) devices, including cellular based VeriFone terminals and point of sale systems, must be maintained under a state of consistent control and supervision. Approval from the PCI Compliance Team must be obtained and additional instruction may be provided before an MDRP or functional area may grant another functional area or organization access to their payment system.

What if I receive credit card data by email or fax?

It is against the PCI Policy to process credit card data received by email or fax.

  • If you receive credit card data via email, the email must be purged from the email system. To purge it, delete the email and then delete it from your Deleted/Trash folder immediately.
  • If received via fax, shred the document immediately.
  • A log must be kept of these occurrences.
  • The donor/constituent should be contacted and advised that we cannot process credit card data received this way. Obtain the payment by other means, such as the card number taken over the phone, by US mail, or by check.

What if I receive credit card data and my department does not process credit cards?

See "What is the Transfer of Media?" below.

What is the "Transfer of Media"?

Transferring Credit Card Data ("Media") on the Middlebury Campus:

This is a working draft. If credit card data is received in a department and must be transported to another department for processing, the following Policy shall apply.

The Cashiers Office will act as the central drop off, or hub, for all monies and credit card data transfers. When credit card data is received at the department level and must leave that department (transfer of media) to be processed, the following procedure must be adhered to.

Credit card data being conveyed out of the facility (your building) must be logged and transported in a secure manner that can be tracked. Each department will receive a numbered lockable security bag in which to transport the credit card data to the Cashiers Office.

  1. The person performing the transfer documents each item in the bag on a Money Receipt in triplicate copy.
  2. The "triplicate copy" is retained in the facility initiating the transfer.
  3. The "original" and "duplicate" are placed in the security bag with the credit card data.
  4. The security bag is locked and delivered to the Cashiers Office.
  5. Upon receipt of the security bag at the Cashiers Office, the Cashier or designee unlocks the bag, verifies the items and signs off on the Money Receipt.
  6. The Cashier retains the "original" receipt; the "duplicate" receipt is given back to the person making the transfer.

The Money Receipt acts as the traceable log for all transfers of credit card data. The Money Receipt retention period is three years plus the current fiscal year.

How do I redact credit card information?

If you receive written credit card data for processing, the credit card data must be redacted immediately after the transaction completes successfully. Redaction can be accomplished by either 1) cutting off the portion of the document containing the credit card data and shredding it, or 2) masking the credit card data with a wide-tip black marker, photocopying the document, and shredding the original (the marker alone is not sufficient, since the digits may still be readable through the ink).

Do not store credit card data that has not been redacted.
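The two sections above ("What if I receive credit card data by email or fax?" and "How do I redact credit card information?") concern paper and mailbox handling. As an added example that is not part of the page or of Middlebury's own tooling, the following Python script shows the same idea applied to text: it finds candidate card numbers (13 to 19 digits, optionally separated by spaces or dashes), confirms each with the Luhn check so that phone numbers and order numbers are not flagged, and masks everything but the last four digits. The sample message is constructed for this example; the function and variable names are this example's own. A script like this can be run over a mailbox export or a shared folder to find card data that should have been purged.

```python
import re

# Candidate PAN: 13-19 digits, with optional single spaces or dashes between
# digits. The lookarounds keep us from matching the middle of a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check digit validation for an all-digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (start, end, digits) for every Luhn-valid card number in text."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append((m.start(), m.end(), digits))
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits. PCI DSS masking permits at most the
    first six and last four to be shown; for a redaction copy we keep less."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str):
    """Replace every card number in text with its masked form.
    Returns (redacted_text, number_of_pans_found)."""
    out, last, count = [], 0, 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append(mask_pan(digits))
        last = end
        count += 1
    out.append(text[last:])
    return "".join(out), count


# Constructed sample message. The card numbers are the well-known Visa and
# Mastercard test numbers; the phone number is in the fictional 555 range and
# the order reference fails the Luhn check on purpose.
SAMPLE_EMAIL = """\
From: donor@example.org
Subject: Gift pledge

Please charge my Visa 4111 1111 1111 1111, exp 12/29, for $250.
My spouse's card is 5555555555554444 if that one fails.
Order reference 1234567890123456; call me at 802-555-0100.
"""

if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE_EMAIL)
    print(f"{n} card number(s) found")
    print(redacted)
```

The redacted copy is what may be kept in the log of occurrences; the original message is still deleted from the mailbox and the Deleted/Trash folder as the policy requires. Note that a Luhn-valid match is a strong signal but not proof, so a hit should be reviewed by a person before anyone contacts the sender.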

What are the penalties for non-compliance?

Acquiring banks and credit card processors can be fined by the card brands, with figures of up to $500,000 per violation commonly cited; typically these fines are passed along to the individual merchant. In addition to fines, non-compliant businesses that suffer a security breach face card replacement costs, expensive forensic audits and damage to their reputation.

A non-compliant merchant may lose its merchant account and be placed on the Terminated Merchant File (the MATCH list) for several years, during which time it cannot accept credit cards.

What do the acronyms stand for?

  • MDRP - Merchant Department Responsible Person
  • Payment Card Industry (PCI) - Denotes debit, credit, prepaid, e-purse, ATM and POS (point of sale) cards and associated businesses.
  • Payment Card Industry Data Security Standard (PCI DSS) - A set of comprehensive requirements for enhancing payment account data security on a global basis.
  • Payment Card Industry Security Standards Council (PCI SSC) - An open global forum whose mission is to enhance the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection through education and awareness of the PCI Security Standards.
  • PCI Self-Assessment Questionnaire (SAQ) - A validation tool intended to assist merchants and service providers who are not required to undergo an on-site data security assessment to self-evaluate their compliance with the PCI DSS. There are multiple versions of the PCI DSS SAQ to match different payment channels and scenarios.
  • PCI SSC Approved Scanning Vendor (ASV) - Organizations that validate adherence to certain PCI DSS requirements by performing quarterly external vulnerability scans of the Internet-facing environments of merchants and service providers.
  • POS - Point of Sale systems, cash registers, swipe terminals
  • Qualified Security Assessor (QSA) - Companies approved by the PCI SSC to conduct on-site PCI DSS assessments.

What is the PCI DSS Compliance Team?

The PCI DSS Compliance Team is a cross functional compliance team established to ensure continued compliance with PCI DSS.

The PCI Compliance Team responsibilities include, but are not limited to:

  • Inventory every merchant that accepts credit or debit cards on campus
  • Verify the PCI DSS compliance of these transaction points and the payment applications used
  • Educate all entities in the College’s payment environment so they know how it works and how to conduct business within our guidelines.

What is the PCI DSS Compliance Operations Team?

The PCI DSS Compliance Operations Team is a sub-group of the PCI DSS Compliance Team.  The purpose of the PCI DSS Compliance Operations Team is to:

  • Assist merchant departments on campus (functional areas processing, transmitting or storing credit card data) with obtaining and maintaining PCI DSS compliance.
  • Guide PCI DSS Project Requests (new Merchant Account applications and changes in Service Providers) through the request process.
  • Present recommendations to the PCI DSS Compliance Team.
  • Work as a cross functional team to ensure representation for functional areas, Finance and LIS.
  • Educate all entities in the College's payment environment so they know how it works and how to conduct business within our guidelines.