Credit Card Policy

Chapter 3410

Issued August 22, 2012

.010 Purpose

The purpose of this policy is to govern the acceptance of payment cards (e.g. Visa, MasterCard, American Express, and Discover credit cards or debit cards) for payment by Kansas State University in accordance with the security standards set forth by the Payment Card Industry Security Standards Council (PCI SSC). Ultimately, the purpose is to ensure cardholder data is properly protected.

.020 Scope

This policy applies to all university colleges, departments, administrative units, and affiliated organizations that store, process, or transmit cardholder data. This policy is not applicable to University procurement cards, but procurement card information should be protected according to Payment Card Industry Data Security Standards (PCI DSS).

.030 Effective Date

Approved December 2011.

.040 Authority

Any University merchant accepting payment cards (credit or debit) must adhere to the PCI DSS. This standard defines detailed requirements to secure system components (servers, network, applications, etc.) that support cardholder data environments.

.050 Policy

  1. University merchants accepting payment cards as a method of payment must conform to PCI DSS, state and federal laws, contractual obligations of the University's acquiring bank, and relevant university policies, procedures, and standards.

  2. University merchants that fail to comply may be denied the ability to accept payment cards.

  3. University merchants must be registered with and approved by the Division of Financial Services prior to accepting payment cards.

  4. Any servers in the cardholder data environment must reside in the Information Technology Services (ITS) data center.

  5. All systems in the cardholder data environment that use K-State’s data network, including but not limited to servers, kiosks, card swipe payment stations, point-of-sale registers, etc., must connect to and use the secure Credit Card Network (CC Net).

  6. All systems in the cardholder data environment must join K-State’s central Active Directory domain, where technically feasible.

  7. University merchants must not store cardholder data, in either electronic or paper format, after the transaction has been authorized.

  8. University merchants must annually validate their PCI DSS compliance by completing a PCI DSS Self Assessment Questionnaire (SAQ) and completing PCI security awareness training.

  9. Requests for Proposals (RFPs) and contracts with third parties handling cardholder data on behalf of Kansas State University must specify responsibilities for the security of cardholder data, including PCI DSS compliance and timely notification in the event of a suspected breach.

  10. Affiliated organizations must annually provide validation of PCI compliance.

.060 Definitions

  1. Acquiring bank – The financial institution that accepts credit or debit card payments for products or services on behalf of the University.

  2. Central Active Directory domain – The group of computers and other network resources connected to the enterprise-wide Microsoft Windows Active Directory Service managed by K-State’s Information Technology Services unit.

  3. Affiliated organization – Any organization associated with the University that uses university information technology resources to create, access, store or manage University Data to perform their business functions.

  4. Cardholder data – Information identifying the cardholder account, consisting of the Primary Account Number (PAN) or full magnetic stripe content, plus any of the following: cardholder name, expiration date, or Service Code (the three-digit security code on the back of the card, also known as the Card Validation Code (CVC) or Card Verification Value (CVV)).

  5. Cardholder data environment – The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data, including any connected system components. This includes cardholder data written or printed on paper-based products.

  6. Credit Card Network (CC Net) – A secure network within the University’s network, developed according to PCI DSS for devices that store, process, or transmit payment card transactions and data.

  7. Primary Account Number (PAN) – Payment card number (credit or debit), typically 16 digits in length, which identifies the issuer and the particular cardholder account.

  8. Payment card – Credit or debit card with a logo of Visa, MasterCard, American Express, or Discover.

  9. Payment Card Industry Data Security Standard (PCI DSS) – The PCI DSS is a security standard to protect customer account data.

  10. Payment Card Industry Security Standards Council (PCI SSC) – The PCI SSC is responsible for the development, management, education, and awareness of the PCI Security Standards.

  11. PCI DSS Self Assessment Questionnaire (SAQ) – The PCI DSS SAQ is a validation tool produced by the PCI SSC and used by merchants to self-evaluate compliance with PCI DSS.

  12. Report on Compliance (ROC) – A report submitted to an acquiring bank to verify PCI compliance.

  13. University merchant – Any University entity that accepts payment cards for goods and/or services.

.070 Roles and Responsibilities

  1. The Division of Financial Services is responsible for overseeing policies and procedures regarding payment processing and submitting an annual Report on Compliance (ROC) to the University’s acquiring bank.

  2. The Office of Information Security and Compliance is responsible for overseeing the implementation of the technical controls of PCI DSS.

  3. Internal Audit is responsible for reviewing University merchant credit card handling processes.

  4. University merchants are responsible for complying with PCI DSS to ensure the security of cardholder data.

.080 Implementing Procedures

Kansas State University Credit Card Processing (https://www.k-state.edu/policies/ppm/6100/6115.html)

.090 Related Laws, Regulations, or Policies

  1. PCI Security Standards Council (www.pcisecuritystandards.org)

  2. Kansas Statutes Annotated 50-7a Unfair Trade and Consumer Protection – Protection of Consumer Information (http://kansasstatutes.lesterama.org/Chapter_50/Article_7a)

  3. Kansas State University Data Classification and Security Policy (www.k-state.edu/policies/ppm/3400/3433.html)

  4. Kansas State University IT Security Incident Reporting and Response Policy (www.k-state.edu/policies/ppm/3400/3434.html)

  5. K-State IT Security Incident Management Procedures (https://www.k-state.edu/its/security/procedures/incidentmgt.html)

  6. Kansas State University Media Sanitization and Disposal Policy (https://www.k-state.edu/policies/ppm/3400/3436.html)

.100 Questions/Waivers

The Chief Information Officer (CIO/VP-ITS) is responsible for this policy. The Division of Financial Services or designee must approve any exception to this policy. Questions relating to this policy should be directed to K-State's Chief Information Security Officer.