Policy: Payment Card Data Security

Statement of Policy

Miami is obligated to comply with the Payment Card Industry Data Security Standards (PCI DSS) in order to receive payment via credit or debit cards. PCI DSS requires that certain elements of how we store, process, or transmit payment card data be codified in policy.

Entities Affected by Policy

This policy covers all units within Miami University that store, process, or transmit payment card data

Policy

Firewall and router configurations

IT Services will review all firewall and router configurations where applicable for any devices and networks that store, process, or transmit PCI DSS data every six months.

 

Storage of electronic payment card data

Miami University only allows card-not-present (outsourced to PCI DSS validated third parties, ecommerce) or PCI-listed P2PE solutions which do not require storage of payment card data.  Any unit wanting to store payment card data needs written approval from both the Associate Treasurer and the Chief Information Security Officer to do so. With those approvals, electronic payment card data can be stored for up to 60 days. If the unit needs to store electronic payment card data for a longer period of time, approval from the Assistant Vice President responsible for the operations of the unit in question, the Associate Treasurer, and the Chief Information Security Officer allows the electronic payment card data to be stored for up to 180 days.

Once payment card data is no longer needed, it will be disposed of in a secure fashion. Electronic data will be wiped via methods approved by the Chief Information Security Officer.

Under no circumstances can any office store the full contents of any magnetic stripe data, the card verification code, the personal identification number (PIN), or the encrypted PIN block.

Any programs storing payment card data will encrypt the data in accordance with current applicable PCI DSS standards. Associated cryptographic keys will be generated, stored, and changed in accordance with vendor best practices and applicable PCI DSS standards.

 

Paper Records

Explicit written approval from the Information Security Officer is required to collect or store paper records containing full unmasked payment card data. All such records must be stored in a secure fashion, and must be destroyed with either a cross cut shredder or a confetti shredder as soon as the data is no longer needed. These records cannot be stored for more than 15 days. If paper records are accidentally created containing payment card data, that data will be destroyed with either a cross cut shredder or a confetti shredder. Credit card numbers that are partially masked (with no more than the first six and last four digits unmasked) may be retained as a cash receipting backup per the University’s retention policies. Follow this link to access the University General Counsel's Records Retention Policy Manual and guidelines.

 

Display of Payment Card Data

Any receipts or other print outs containing payment card data will display no more than the first 6 and last 4 digits of the payment card number.

 

Transmission of Payment Card Data

Payment card numbers will only be transmitted across encrypted channels or using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Payment card numbers may not be transmitted through any chat programs or via text messaging.

 

Access of Payment Card Data

All user accounts will be:

  • restricted to the least privileges necessary to perform job responsibilities;
  • assigned to individuals based on job classification and function;
  • granted only with documented approval from authorized parties and only with the privileges specified in that approval; and
  • linked to one specific user

Group accounts and shared passwords are not allowed to access payment card data.

 

Incident Response

The incident response plan that will be used to respond to any possible breaches to PCI systems or exposures of PCI data will be tested annually. Incident response for an issue involving PCI systems or PCI data will follow the timelines listed in the appendix to ensure compliance with the incident response procedures of the payment brands.

 

Incident Response Timeline

After consultation with the Miami University General Counsel, the card brands will be notified after detection of a breach of a PCI system or an exposure of PCI data. The forensic investigation will be completed within 72 hours of detection. A list of all compromised cards will be provided within 10 days of detection. A summary report outlining the incident, the number of cards compromised, our PCI DSS compliance at the time of the incident, and the steps taken to remediate the issue will be provided to the card brands within 72 hours of the issue being fully remediated.

 

Usage of New Technologies

Any technology to be used with payment card data requires approval from the Chief Information Security Officer. All such technologies are required to:

  • be card-not-present (outsourced to PCI DSS validated third parties, ecommerce) or PCI-listed P2PE solutions;
  • be labeled so the owner and use can be determined;
  • only be used for accepted business practices;
  • be placed on the network by IT Services;
  • be explicitly approved for use by the Chief Information Security Officer;
  • automatically disconnect remote-access sessions after a specific period of inactivity;
  • prevent copying, moving, or storing of payment card data onto local storage media when accessed remotely; and
  • be used in accordance with all PCI DSS requirements.

 

Security Awareness Program

Mandatory security awareness training for all staff using systems that store, process, or transmit payment card data will be provided annually by IT Services.

 

Service Providers

A list of all service providers storing, processing, or transmitting payment card information on behalf of Miami University will be maintained by the Office of Investments and Treasury Services. Each year all service providers will have their PCI DSS compliance status verified by the Office of Investments and Treasury Services.

 

Inventory of PCI Systems

An inventory of all PCI Systems will be maintained in a central inventory aggregation system. A PCI System is defined as the collection of devices, software and environment that comprise a single service offering that stores, processes, or transmits cardholder data. Attributes for each system within the inventory will include:

  • the appropriate SAQ checklist questions and responses for the system;
  • the responsible business unit owner;
  • relationships to all hardware assets associated with the system;
  • relationships to any and all associated service providers of the system; and
  • relationships to any and all associated payment processors or banks.

 

Procedure Requirements

The Information Security Office shall document procedures to maintain PCI compliance, including instructions for reporting on PCI DSS compliance providing evidence that reviews are conducted periodically to assess PCI compliance via Self Assessment Questionnaires (SAQ) or Attestations of Compliance (AOC). Formal reports to senior management shall occur annually. The detailed procedures should include:

  • communication plan between IT Services and Treasury Services to ensure MU complies with PCI DSS requirements;
  • instructions for addressing any needed repair;
  • instructions for reaching a point of contact at the bank or payment card processor;
  • to include a contact list for each bank or payment card processor;
  • procedures for required reporting to the bank regarding PCI compliance, if applicable; and
  • procedures for required reporting to senior management including the Vice President for IT Services and the Senior Vice President for Finance and Business Services/Treasurer.

Follow this link to access the PCI DSS Annual Review Process.

Responsibilities

Miami University is obligated to comply with the Payment Card Industry Data Security Standards (PCI DSS) in order to receive payment via credit or debit cards. Specific responsibilities include:

  • creation and distribution of security policies, procedures, and the awareness program are the responsibility of the Chief Information Security Officer;
  • creation and distribution of security incident response and escalation procedures are the responsibility of the Chief Information Security Officer;
  • monitoring and analyzing security alerts generated by systems storing, processing, or transmitting payment card data and distributing that data to the appropriate personnel as needed are the responsibility of the Information Security Office;
  • user account administration and authentication management are the responsibility of the IT Services’ Enterprise Operations team;
  • maintaining and verifying necessary information from service providers is the responsibility of the Information Security Office; and
  • monitoring and controlling all access to data are the responsibility of the Information Security Office, with assistance from the Enterprise Operations team as well as from the business units as needed.
     

Exceptions

Any exceptions to this standard require explicit written approval from the Chief Information Security Officer before they are implemented.

 

Review

This policy and all associated procedures and knowledge base articles will be reviewed by the Chief Information Security Officer and the Office of Investments and Treasury every two years.

Appendix

Definitions

  • Payment cards - either credit or debit cards
  • Payment card data - the payment card number when it consists of more than the first 6 and last 4 digits of the full number

Policy Administration

Next Review Date

  • 07/01/2023

 

Responsible Officer

  • Vice President for Information Technology & Chief Information Officer

 

Contact

  • Assistant VP for IT Services Security, Compliance, and Risk Management

 

Approval(s) and Date(s)

  • Version 1.0 Approval by: Information Security Officer on October 17, 2013
  • Version 1.1 Approval by: Information Security Officer on December 13, 2013
  • Version 1.2 Approval by: Information Security Officer on December 16, 2013
  • Version 1.3 Approval by: Chief Investment Officer and Information Security Officer on October 15, 2014

 

Recent Revision History and References

  • 17 October 2013: Version 1.0 approved
  • 13 December 2013: Version 1.1 approved
  • 16 December 2013: Updated to align with the University's Credit Card Security Policies and Procedures  Version 1.2
  • October 15, 2014: Updated to explicitly prohibit instant message and text messaging, Version 1.3
  • Updated to reference risk assessment document, to add third-party annual validations and software upgrades, and to change approval processes for storing both paper and electronic payment card numbers
  • 25 May 2017: links updated and corrected
  • June 2019: Information Security Officer reviewed and approved for use for FY19–20
  • May 2022: Chief Information Security Officer reviewed and approved for use for FY23-24.

 

Details

Article ID: 7276
Created
Mon 6/29/15 1:24 PM
Modified
Thu 7/20/23 10:15 PM
Can you resolve this issue yourself?
Yes! This is self-service with a smile.