1.0 Background Information
The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for credit card account data security, developed by the credit card industry in response to an increase in identity theft and credit card fraud. As a merchant who handles credit card data, Binghamton University is obliged to safeguard that information and adhere to the standards established by the Payment Card Industry Council, including setting up controls for handling credit card data, computer and internet security, and completing an annual self-assessment questionnaire.
Without adherence to the PCI DSS, the university would be in a position of great reputational risk and financial liability. Merchant account holders who fail to comply are subject to:
a) Fines imposed by the payment card industry.
b) Additional monetary costs associated with remediation, assessment, forensic analysis, or legal fees.
c) Suspension of the merchant account.
The purpose of this policy is to define the guidelines for accepting and processing credit cards and storing personal cardholder information to comply with the Payment Card Industry Data Security Standards.
3.1 Cardholder Data (CHD)
Cardholder data is any personal information of the cardholder. This could be an account number, expiration date, name, address, telephone number, social security number, card validation code (CVC), or any other information that identifies the cardholder.
3.2 Cardholder Information Security Program (CISP)
The Visa Cardholder Information Security Program (CISP) is designed to ensure that all merchants that store, process, or transmit Visa cardholder data protect it properly.
3.3 Data Security Standards
Standards developed by the PCI Council that provide an actionable framework for developing a robust payment card data security process, including prevention, detection, and appropriate reaction to security incidents.
3.4 Merchant Account
An account established for a unit by a bank to credit sale amounts and debit processing fees.
3.5 Merchant
An organization, department, institution or unit that accepts credit cards as a method of payment for goods, services, information, or gifts.
3.6 Payment Card Industry Council (PCI)
The PCI is a group formed by the credit card industry (VISA, MasterCard, Discover and American Express) to establish Data Security Standards (DSS) for the industry. https://www.pcisecuritystandards.org/
3.7 Self-Assessment Questionnaire (SAQ)
The PCI Self-Assessment Questionnaire (SAQ) is a validation tool used primarily by merchants to demonstrate compliance with the PCI DSS. The SAQ, available at https://www.pcisecuritystandards.org/tech/supporting_documents.htm, is based on the current version of the Payment Card Industry Data Security Standard (PCI DSS).
3.8 Sensitive Data
Sensitive data include the account number, magnetic stripe data, CVV2/CVC2, and expiration date.
4.0 Authority and Responsibility
Binghamton University (including the Foundation and Research Foundation) is responsible for processing credit card payments for students, staff and other customers within the university’s SIS (Student Information System) and for coordinating and overseeing policies and procedures regarding payment processing. Information Technology Service (ITS) is responsible for the operation of the university’s data networks including all merchant services systems.
In order to accept credit card and debit card transactions on behalf of Binghamton University, including web-based transactions and those processed via third party vendors, authorization must be obtained in advance from the Revenue Accounting department in the Business Office. Only the Revenue Accounting department may issue merchant accounts. Additionally, to ensure that all transactions are handled according to this Policy, sale of goods and services to entities outside the university must be reviewed and approved by the Business Office.
Departments that need to accept credit/debit cards must either obtain a physical terminal to swipe or key transactions or utilize the campus web payment processing system. Use of alternative methods may be approved by the Revenue Accounting department on a case-by-case, interim exception basis only. Any alternative interim method approved must implement one of the two accepted means of payment noted above within 6 months or service will be discontinued. All transactions that Binghamton University processes must meet the standards outlined in this Policy.
- All in-person credit card payments must have the actual card present.
- All electronic credit/debit card processing will be handled via the campus web payment system, and in no case will any cardholder data be stored on any office computer, laptop, spreadsheet, portable media (such as CDs and USB drives), or on local or network shared drives.
- Cardholder data will never be accessed to produce lists, and will be retained only within the governing card issuer, state and/or federal requirements. Cardholder data should be retained only as long as there is a business need (such as for reconciliation purposes) and may not be retained beyond a one-year maximum.
- Cardholder data will not be accepted via email or other messaging systems (such as chat or instant messaging) from any person or entity; the corrective action is to reject the message and notify the submitter that the information cannot be accepted in this manner.
- Phone payments carry increased banking fees due to the increased risk of not being able to verify the signature, etc. Therefore, phone order payments are discouraged and efforts should be made to utilize swipe transactions or the campus web payment processing system instead.
- Computer terminals and paper storage areas must be locked when left unattended.
- Physical cardholder data must be locked in a secure area and access will be limited to individuals that require business use of the data.
- Only essential information should be stored. Under no circumstances should the Card Validation Code (also known as the Security Digits, V Code, or CID), the user's PIN, or the full data from a card's magnetic stripe be stored in any system utilized by the university.
- Credit card information should be destroyed by cross-cut shredding and/or disposed of within the rules of the university immediately after the retention time frame (one year or less) has expired.
- Credit card receipts may only show the last four digits of the credit card number.
- All credit card processing equipment to be discarded must be properly disposed of. POS terminals should be returned to the Revenue Accounting office and computer terminals should be turned over to ITS.
- Staff with access to the card data environment must complete annual PCI training.
- Each individual must maintain a unique ID and password for computer access. Under no circumstances can an ID or password be shared with another individual. In addition, all vendor supplied default passwords must be changed before moving into production.
- Third party vendors must be contractually obligated to comply with PCI standards.
- Departments must report security incidents to the PCI Incident Response Team (Information Security Officer, Director of Finance, and ITS Network Assistant Director) which will work in conjunction with the department to investigate and handle potential compromises in accordance with Information Security’s Incident Response Policy.
- All departments must comply with the Payment Card Industry Data Security Standard including the annual completion of the Self-Assessment Questionnaire (SAQ).
- The Revenue Accounting department is responsible for submitting the annual Report on Compliance to our acquiring bank.
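As an added illustration that is not part of the policy, the following Python sketch puts several of the controls above into code: a receipt renderer that shows only the last four digits of the card number, a storage filter that drops the Card Validation Code, PIN and magnetic-stripe fields before anything is written to a system, and a detector for full card numbers in inbound messages (email, chat) so they can be rejected and the sender notified. The field names, the sample inputs in the usage and the Luhn check-digit test are assumptions for this example, not something the policy specifies.

```python
import re

# Fields the policy forbids storing in any university system. The key names are
# assumed for this example, not taken from the policy.
FORBIDDEN_FIELDS = {"cvc", "cvv", "cvv2", "cid", "pin", "track1", "track2", "magstripe"}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: cuts false positives on ordinary digit runs (order numbers, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, digits of the product summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a card number for a receipt: only the last four digits are visible."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Storable subset of a transaction record: forbidden fields removed, PAN masked.
    The dropped field names are kept so the filter's behaviour can be audited."""
    dropped = sorted(k for k in record if k.lower() in FORBIDDEN_FIELDS)
    clean = {k: v for k, v in record.items() if k not in dropped}
    if "pan" in clean:
        clean["pan"] = mask_pan(clean["pan"])
    clean["dropped_fields"] = dropped
    return clean


def find_pans(text: str) -> list:
    """Luhn-valid card-number candidates in an inbound message (email, chat).
    A non-empty result means the message must be rejected and the sender notified."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits
```

Feeding `find_pans` a constructed message such as "Please charge 4111 1111 1111 1111, call 607-555-0100" flags only the card number (a well-known Visa test number), while the phone number and short order references pass.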
6.0 Financial Implications
The merchant account department shall bear the costs associated with ensuring compliance with this policy and the requirements (such as secure cabinets, locks, etc.) as well as any fines imposed by the payment card industry for non-compliance and any additional monetary costs associated with remediation, assessment, forensic analysis or legal fees.
7.0 Compliance Certification Process
Staff responsible for processing, storing or transmitting credit card data must sign a PCI confidentiality statement which can be found in Appendix A as well as at
Appendix A - Binghamton University Confidentiality / Non-Disclosure Statement
RESPONSIBLE USE/CONFIDENTIALITY AGREEMENT COMPLIANCE FORM
Personnel, student, financial, medical, patient and other sensitive information [1] contained within Binghamton University or Binghamton University's Information Systems and/or external SUNY and State Systems are considered confidential. Access to this confidential information and any other information made confidential by law and Binghamton University policy is limited to those individuals whose position requires use of this information. By signing the statement below, you are acknowledging your acceptance and adherence to the confidentiality requirements imposed by federal and state law and Binghamton University policy.
By virtue of my position at Binghamton University or my position as/through an external party providing services to Binghamton University, I may have access to information which is confidential and is not to be disclosed to any person or entity without appropriate authorization, subpoena, or court order. In order to access confidential information, I agree to adhere to the itemized guidelines listed below. If I have questions or need guidance, I will consult with my supervisor to determine appropriate action.
1. I understand and acknowledge that improper or inappropriate use of data in the University’s Information Systems is a violation of University procedures and may also constitute a violation of federal and state laws.
2. I will only use confidential information in a manner consistent with my authorized access, and the duties and responsibilities of my position.
3. I will not provide or release confidential information to any individual or entity without proper authorization.
4. I will not access or review records or files for which I do not have a legitimate need to know in order to perform my duties.
5. I will not make copies of any records or data except as required in performance of my duties.
6. I will destroy any confidential information for which I no longer have an official business use in a manner appropriate to the medium and consistent with the applicable New York State, Federal, and University Record Retention policies.
7. I will not share any User ID and Password used to access Binghamton University resources with anyone, unless I have specific authorization to do so from my supervisor, or there is a need for an authorized technician to troubleshoot a system problem with my password. In this latter case, I will change my password when the technician’s task is complete.
8. I will not use the data for personal use or for commercial purposes.
9. I will refer all requests for information for which there is not an established office procedure to the Office of University Counsel.
10. I will refer external requests for University statistical, academic, or administrative data to the Office of Institutional Research and Assessment, University Counsel, Human Resources, Financial Services or those departments that have been authorized to respond to such requests.
11. I agree to report any unauthorized access to confidential data immediately to my supervisor.
12. I understand that violations of this agreement may result in the revocation of my access privileges to University information systems, may result in appropriate administrative action, including, but not limited to, disciplinary action, and may also subject me to prosecution by state or federal authorities.
13. I understand and agree that my obligation to maintain confidentiality will continue even after I leave the employment of Binghamton University.
I certify that I have read this “Access and Compliance Form,” and the attached information pertaining to access to and use of information contained in employee, applicant, student or donor records, that I understand both, and that I agree to comply with the above terms and conditions.
Employee / External Party Signature and Date
Employee / External Party Name (Printed) and Employee Department / External Company Name
I have reviewed this document with the employee and answered all employee questions.
Supervisor or Designated Department Representative Signature and Date
Supervisor or Designee Name (Printed)
[1] The disclosure of information from student records is governed by the Federal Family Educational Rights and Privacy Act (FERPA) [20 U.S.C. § 1232g]. Health information is governed by and protected by state and federal statutes including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Public Health Law §18. Financial information is protected by the Gramm-Leach-Bliley Act (GLBA). Social Security Number disclosure is governed by the Federal Privacy Act of 1974 and NY State law, which tracks the Federal Privacy Act and limits the collection and use of social security numbers by colleges/universities. The Payment Card Industry (PCI) Data Security Standard, applicable to cardholder information, is defined by the Payment Card Industry Security Standards Council.
Appendix B - Binghamton University Procedure for Credit Card Transactions via POS Terminal
- Payer enters BU # or SSN into terminal to queue up their account or the account they want to pay on (Student Accounts only).
- Cashier verifies that the queued up screen is the correct account for this transaction (Student Accounts only).
- Cashier verifies cardholder matches the payer at the counter.
- Cashier checks for signature.
- Cashier swipes card into data machine.
- Data machine prompts for amount.
- Cashier enters amount of transaction, presses enter key.
- Data machine attempts to contact host for authorization.
- Data machine returns a response of authorization, decline or call center. If declined, cashier returns card to payer. If call center, cashier calls the call center at 1-800-228-1122 for an authorization. If authorized by bank, cashier follows instructions given.
- Data machine prints our copy of the receipt.
- Cashier has payer sign receipt. This receipt is kept in the cashier's secure cash drawer until "End of Day Cash Out".
- Cashier hits reprint button for payer copy.
- Cashier applies transaction to the account on Banner or other system if applicable.
- Cashier saves transaction and prints Banner or other system receipt.
- Cashier staples payer copy of the credit card receipt to the Banner/other system receipt and gives to payer.
Appendix C - Binghamton University Procedure for Credit Card Transactions via Fax/Mail
- Binghamton University Office receives a faxed/mailed credit card authorization to pay. The payer will supply credit card information to process the charge, including:
  - A brief statement stating the purpose of the charge and giving Binghamton University authorization to charge the card,
  - Dollar amount to be charged,
  - Card number,
  - Expiration date,
  - Signature and date, and
  - Contact phone number(s).
- Cashier enters card number, dollar amount and expiration date into data machine.
- Data machine prompts for “Cardholder present?” Cashier presses key “6” for NO.
- Data machine returns a response of authorized or declined.
- If declined, cashier will notify payer of the decline. Cashier will either re-enter transaction or destroy fax. If cashier can’t contact the payer, the cashier will write “Declined”, the date of the attempted phone contact and their initials on the fax. Fax is then stored securely.
- Completion of an authorized transaction:
  - Cashier prints 1 copy of the transaction from the data machine.
  - Cashier applies transaction to the student account or other applicable record.
  - Cashier writes Banner or other receipt number on the top margin of the data machine receipt.
  - Cashier turns in this receipt at "End of Day Cash Out".
  - Cashier prints Banner or other receipt showing application of the transaction.
  - Cashier staples the fax authorization to the receipt.
  - The stapled fax/receipt is interfiled numerically with the daily receipts.
  - The daily receipts are stored securely until removal to long term storage or they are destroyed.
Appendix D - End of Day Cash Out
- Cashier places the data machine credit card receipts into item number order. These are now batched.
- Cashier runs a detail tape for a total dollar amount of all credit card transactions.
- Cashier presses key 9 to close batch total.
- Cashier is prompted to enter total amount into data machine.
- Cashier enters total into machine and hits enter to send batch to bank.
- Data machine will close or reply with “Does not balance”. We will not close out until we balance.
- Cashier presses “6” key to not print report.
- Data machine prints out batch slip. Batch slip is stapled to the front of the batched credit card slips. These slips are stored in a locked cabinet for no longer than one year and then destroyed.
- Cashier prints 2nd copy of the batch total.
- Cashier turns in this copy at cash out. This copy is then given to Student Accounts which will be forwarded to the Revenue Accounting department.