How is PCI Scope determined?
Middlebury has formally adopted the Open PCI DSS Scoping Toolkit, hereinafter known as “the Toolkit”, to guide Middlebury in accurately determining PCI Scope per the Payment Card Industry Data Security Standards (PCI DSS). The Toolkit is a set of principles, a structured thinking process, and tools to generate defensible and consistent scoping conclusions. Recognizing the importance of properly determining PCI scope, the PCI Council established a Scoping SIG in 2009. While that SIG never issued its final report, the participants did a lot of good work. Some members of the SIG, the Open Scoping Framework Group, released the Open PCI DSS Scoping Toolkit in 2012.
The PCI Compliance Team may modify the Toolkit based on emerging technologies such as P2PE.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.).
It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
A copy of the PCI DSS is available here.
We want to start accepting credit cards, what is the process?
To request a new Merchant Account please follow these steps:
- Click here to proceed to the Merchant Account/Service Provider Change Request form and follow the outlined steps.
- Choose a Service Provider that is verified PCI Compliant on the Visa Global Registry of Service Providers.
- If purchasing a POS (Point of Sale) system; the system and specifications must be a validated solution and approved by the PCI Compliance Team. All POS systems must be validated on the PCI SSC website.
- New systems and vendors must be approved by the PCI Compliance Team, Information Security Team and Finance prior to the contract execution and purchase.
We want to change service providers and we process credit cards, what is the process?
If you have an existing merchant account and are contemplating changing vendors; please follow these steps:
- Click on the New Acct/Vendor Change link for the process.
- Choose a Service Provider that is verified PCI Compliant on the Visa Global Registry of Service Providers.
- If purchasing a POS (Point of Sale) system; the system and specifications must be on a Validated Solution listed on the PCI SSC website.
- New systems and vendors must be approved by the PCI Compliance Team, Information Security Team and Finance prior to contract execution and purchase.
What is PCI Scope?
PCI Scope is all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, or can impact the security of the CDE. “System components” include network devices, servers, computing devices, and applications.
What do I do if I suspect a breach?
The MDRP or any individual suspecting a security breach must immediately notify the Incident Response Team at firstname.lastname@example.org, in accordance with the Technical Incident Response Policy, of an actual breach or suspected breach of credit card information. Email should be used for the initial notification and to provide a telephone number for the Incident Response Team to respond to. Details of the breach should not be disclosed in email correspondence.
Who is responsible for security updates and patches on our POS (Point of Sale) system?
The Merchant Department/Functional Area is responsible for ensuring their POS systems are up to date with security patches and anti-virus. POS systems should be shut down/restarted on a nightly basis to allow for automatic updates to install.
Please contact the Help desk if you have questions regarding the necessary maintenance required on all payment processing software/hardware.
Is my card reader terminal in a secure location?
- Visually inspecting terminals on a monthly basis to identify abnormalities, such as missing or altered seals or screws, extraneous wiring, holes in the device, or the addition of labels or other materials that could be used to mask damage from device tampering.
- Physically securing terminals and PIN pads to counters to prevent removal
- Physically securing all cable connections.
- Physically securing (under lock and key) stored terminals awaiting deployment
- Maintain a current and comprehensive inventory of PCI assets.
- Notify the PCI Compliance Team and Information Security if you discover tampering.
Credit Card Terminals must not be utilized as a mobile/portable payment processing device. These terminals must be connected to a Middlebury network jack and process the payment information on a dedicated network specifically for payment processing.
If your department determines a need for a mobile payment device, please contact the PCI DSS Compliance Team for guidance.
What are my responsibilities as the MDRP for my department?
The MDRP (Merchant Department Responsible Person) is an individual within that department who will have primary authority and responsibility for eCommerce and credit card transaction processing within that department. Please refer to the PCI Policy for responsibilities.
Can an IP based card reader terminal (Verifone) be connected into any network jack?
All point-of-sales systems, credit card processing stations, or IP based credit card reader terminals must be connected to dedicated network jacks on the PCI network specified for payment processing only.
IP based Credit Card Terminals must not be utilized as a mobile/portable payment processing device. If your department determines a need for a mobile payment device, please contact the PCI DSS Compliance Team for guidance.
Mobile/Portable Payment Options?
What if I receive credit card data by email or fax?
Cardholder data must not be accepted or sent via end user messaging technologies; email, text message, SMS, chat, Fax, etc.
- If you receive credit card data via email the email must be purged from the email system. Please see the PCI Policy for the process to purge and document the event.
- If received via fax, shred the document immediately.
- A log must be kept of these transactions.
- The donor/constituent must be contacted and advised that we cannot process the credit card data received. Obtain information by other means, cc over the phone or by us mail, check etc.**
What If I receive credit card data and my department does not process credit card's?
See What is the "Transfer of Media"?
What is the "Transfer of Media"?
Transferring Credit Card Data “Media” on the Middlebury Campus:
This is a working draft: If credit card data is received in a department and must be transported to another department for processing; the following Policy shall apply.
The Cashiers Office will act as the central drop off or Hub for all monies and credit card data transfers. When credit card data is received at the department level and must leave that department (transfer of media) to be processed; the following procedure must be adhered to.
Credit Card data being conveyed out of the facility(your building) must be logged and transported in a secure manner that can be tracked. Each department will receive a numbered lockable security bag in which to transport the credit card data to the Cashiers Office. The person performing the transfer will document each item in the bag on a Money Receipt in triplicate copy. The “triplicate copy” will be retained in the facility initiating the transfer. The “original” and “duplicate” will be placed in the security bag with the credit card data. The security bag will then be locked and delivered to the Cashiers Office. Upon receipt of the security bag at the Cashiers Office, the Cashier or designee, will unlock the bag, verify the items and sign off on the Money Receipt. The Cashier will retain the “original” receipt. The “duplicate” receipt will be given back to the person making the transfer. The Money Receipt will act as the traceable log for all transfers of credit card data. The Money Receipt retention is three years plus the current fiscal year.
How do I redact credit card information?
If you receive written credit card data for processing, the credit card data must be "redacted" immediately following a successful authorization. Redaction can be accomplished by 1). cutting off the credit card data and cross cut shredding or 2). masking the credit card data with a wide tip black magic marker, photocopy the document and cross cut shred the original.
Middlebury PCI Policy prohibits storage of cardholder data.
What are the penalties for non-compliance?
Issuing banks and credit card processors can be fined up to $500,000 for regulatory compliance violations; typically, these fines are passed along to individual merchants. In addition to fines, non-compliant businesses that suffer a breach in security face card replacement costs, expensive forensic audits and damage to their reputation.
A non-compliant merchant may lose his or her merchant account and languish in the Terminated Merchant File for several years, during which time they cannot accept credit cards.
What do the acronyms stand for?
- MDRP - Merchant Department Responsible Person
- Payment Card Industry (PCI) – Denotes debit, credit, prepaid, e-purse, ATM and POS (point of sale) cards and associated businesses.
- Payment Card Industry Data Security Standard (PCI DSS) – A set of comprehensive requirements for enhancing payment account data security on a global basis.
- Payment Card Industry Security Standards Council (PCI SSC) – An open global forum whose mission is to enhance the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection through education and awareness of PCI Security Standards.
- PCI Self-Assessment Questionnaire (SAQ) – A validation tool intended to assist merchants and service providers who are not required to undergo an on-site data security assessment to self-evaluate their compliance with the PCI DSS. There are multiple versions of the PCI DSS SAQ to meet various scenarios.
- PCI SSC Approved Scanning Vendor (ASV) – Organizations that validate adherence to certain DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.
- POS - Point of Sale systems, cash registers, swipe terminals
- Qualified Security Assessor (QSA) – Companies approved by the PCI SSC to conduct an audit.
What is the PCI DSS Compliance Team?
The PCI Compliance Team responsibilities include, but are not limited to:
- Inventory every merchant that accepts credit or debit cards on campus
- Verify the PCI DSS compliance of these transaction points and the payment applications used
- Enforce the PCI WISP (Written Information Security Policy)
- Educate all entities in Middlebury's payment environment regarding secure process and practices within our guidelines.