
5.03.001.010 - Payment Card Industry (PCI) Compliance

Approved: 1/21/2016
Approved By: President's Staff
Category: 5 - FINANCE FACILITIES AND TECHNOLOGY
Section: 03 - COMPUTER AND TECHNICAL RESOURCES
Policy: 001 - Computer and Technical Resources

In order to accept credit card payments, the College is required to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS protects merchants and cardholders from cardholder information theft. The College must also comply with the Federal Trade Commission's Fair and Accurate Credit Transactions Act (FACTA) to reduce identity theft.

All card processing activities at the College must comply with the Payment Card Industry Data Security Standard (PCI DSS) and the Community College of Beaver County PCI Standard. Departments that take credit card payments on behalf of the College, the CCBC Foundation, or other College auxiliary organizations must receive approval to do so from the Vice President, Finance and Operations or his or her designee. Each College department that processes credit card transactions is a merchant user and will appoint a management employee who will have authority and responsibility for payment card transaction processing within that department.

Procedures

Employee Access: Employees whose positions require credit card handling will only be granted access to the credit card processing devices and information required to complete their job-related tasks.

Technology: No additional services will be installed on point-of-sale devices handling credit card information. Default passwords will be changed. Remote-access technologies will automatically disconnect after a maximum of 30 minutes of inactivity. Credit card network transactions will be secured through the use of separate VLANs, data encryption, and other techniques.

Reconciliation: Authorized merchant users must obtain Transaction Detail and Transaction Statistics reports from the payment processing organization and submit them to Accounts Receivable daily. A monthly reconciliation will also be completed and submitted to Accounts Receivable.

Questionnaire Completion: Authorized merchant users must collaborate with the Vice President of Finance and Operations or his/her designee on the Self-Assessment Questionnaire ("SAQ") prior to accepting credit cards. The SAQ must be completed at least annually thereafter, or more frequently in the case of a significant change to a business process or system application.

Data Retention: Authorized merchant users will not retain sensitive cardholder data. Storage volume and retention time must be limited to what is required for legal or regulatory purposes. No credit card data should be stored on laptops, PCs, or mobile devices. Paper files with credit card information that must be retained for legal/regulatory purposes should be stored in a secure on-site area for 18 months to 3 years, with recommended disposal after a maximum of 3 years. Any paper containing credit card data must be shredded prior to disposal.

Incident Response: Any known or suspected compliance issues should be reported immediately to the Vice President of Finance and Operations or his/her designee.

Disputed charges: Payment processors will notify authorized merchant users of any disputed charges. The authorized merchant users must provide the bank with written proof of the customer's authorization. Frequent issues with disputed charges should be reported to the Vice President of Finance and Operations or his/her designee due to potential customer fraud.

Refunds: Refunds will only be credited to the credit card account from which the initial purchase was made. Under no circumstances will cash refunds be issued for credit card payments.

Compliance: Failure to comply with the credit card processing policy and the associated required procedures will be deemed a violation of College policy and will result in suspension of electronic payment capability for the affected departments. Technology that does not conform to PCI procedures is subject to disconnection of network services.

Review: This procedure will be reviewed at least annually and will be updated as needed to reflect changes to the College's business objectives or risk environment.