Policy: Payment Card Data Security


Statement of Policy

Miami is obligated to comply with the Payment Card Industry Data Security Standards (PCI DSS) in order to receive payment via credit or debit cards. PCI DSS requires that certain elements of how we store, process, or transmit payment card data be codified in policy.

Entities Affected by Policy

This policy covers all units within Miami University that store, process, or transmit payment card data.

Policy

Firewall and router configurations

IT Services will review all firewall and router configurations for any devices touching networks containing PCI DSS data every six months.

Storage of electronic payment card data

Any unit wanting to store payment card data needs written approval from both the Chief Investment Officer and the Information Security Officer to do so. With those approvals, electronic payment card data can be stored for up to 60 days. If the unit needs to store electronic payment card data for a longer period of time, approval from the Assistant Vice President responsible for the operations of the unit in question, the Chief Investment Officer, and the Information Security Officer allows the electronic payment card data to be stored up to 180 days.

Once payment card data is no longer needed, it will be disposed of in a secure fashion. Electronic data will be wiped via methods approved by the Information Security Officer.

Under no circumstances can any office store the full contents of any magnetic stripe data, the card verification code, the personal identification number (PIN), or the encrypted PIN block.

Any programs storing payment card data will encrypt the data in accordance with current applicable PCI DSS standards. Associated cryptographic keys will be generated, stored, and changed in accordance with vendor best practices and applicable PCI DSS standards.

IT Services will confirm quarterly that payment card data is being stored and destroyed in accordance with this policy.

Paper Records

Explicit written approval from the Information Security Officer is required to collect and/or store paper records containing full unmasked payment card data. All such records must be stored in a secure fashion, and must be destroyed with either a cross-cut shredder or a confetti shredder as soon as the data is no longer needed. These records cannot be stored for more than 15 days. If paper records containing payment card data are accidentally created, that data will be destroyed with either a cross-cut shredder or a confetti shredder. Credit card numbers that are partially masked (with no more than the first six and last four digits unmasked) may be retained as cash receipting backup per the University’s retention policies. The University General Counsel's Records Retention Policy Manual and guidelines describe those retention requirements.

Display of Payment Card Data

Any receipts or other printouts containing payment card data will display no more than the first 6 and last 4 digits of the payment card number.

Wireless Networks

Any use of wireless networks to store, process, or transmit payment card data requires explicit approval from the Information Security Officer. IT Services will conduct quarterly scans to confirm that there are no unauthorized wireless access points in the data center.

Transmission of Payment Card Data

Payment card numbers will only be transmitted across encrypted channels. Payment card numbers may not be transmitted through any instant message programs or via text messaging.

Access of Payment Card Data

All user accounts will be:

  • restricted to the least privileges necessary to perform job responsibilities;
  • assigned to individuals based on job classification and function;
  • granted only with documented approval from authorized parties and only with the privileges specified in that approval; and
  • linked to one specific user.

Group accounts and shared passwords are not allowed to access payment card data.

Backup Media

All backup media will be stored in a location that the Information Security Officer deems to be physically secure. All backup media will be assigned to a backup group so the sensitivity of the data can be determined. Backup media will be inventoried on an annual basis.

Security Logs

Logs of relevant security events for systems storing, processing, or transmitting payment card data will be sent to a central log server and reviewed daily. All such logs will be stored for one year. Issues of note will be escalated to the Information Security Officer.

Incident Response

The incident response plan that will be used to respond to any possible breaches to PCI systems or exposures of PCI data will be tested annually. Incident response for an issue involving PCI systems or PCI data will follow the timelines listed in the appendix to ensure compliance with the incident response procedures of the payment brands.

Risk Assessment

IT Services will conduct a formal risk assessment for all systems that store, process, or transmit payment card data each year using the process described in the PCI Risk Assessment Process document.

Software Upgrades

Applications that store, process, or transmit payment card data need approval from the Information Security Officer before they can be upgraded or patched.

Usage of New Technologies

Any technology to be used with payment card data requires approval from the Information Security Officer. All such technologies are required to:

  • require authentication to use
  • have a list of authorized users
  • be labeled so the owner and use can be determined
  • only be used for accepted business practices
  • be placed on the network by IT Services
  • be explicitly approved for use by the Information Security Officer
  • automatically disconnect remote-access sessions after a specific period of inactivity
  • only be usable by vendors and business partners when needed
  • prevent copying, moving, or storing of payment card data onto local storage media when accessed remotely
  • be used in accordance with all PCI DSS requirements

Security Awareness Program

Mandatory security awareness training for all staff using systems that store, process, or transmit payment card data will be provided annually by IT Services.

Service Providers

A list of all service providers storing, processing, or transmitting payment card information on behalf of Miami University will be maintained. Each year all service providers will have their PCI DSS compliance status verified.

Responsibilities

  • Creation and distribution of security policies, procedures, and the awareness program are the responsibility of the Information Security Officer
  • Creation and distribution of security incident response and escalation procedures are the responsibility of the Information Security Officer
  • Monitoring and analyzing security alerts generated by systems storing, processing, or transmitting payment card data and distributing that data to the appropriate personnel as needed are the responsibility of the Security, Compliance, and Risk Management team
  • User account administration and authentication management are the responsibility of the Enterprise Systems & Operations team
  • Maintaining and verifying necessary information from service providers is the responsibility of the Security, Compliance, and Risk Management team
  • Monitoring and controlling all access to data are the responsibility of the Security, Compliance, and Risk Management team, with assistance from the Enterprise Systems & Operations team as well as from the business units as needed

Exceptions

Any exceptions to this standard require explicit written approval from the Information Security Officer before they are implemented.

Review

This standard will be reviewed by the Information Security Officer on an annual basis.

Appendix

Definitions

  • Payment cards - either credit or debit cards
  • Payment card data - the payment card number when it consists of more than the first 6 and last 4 digits of the full number

Incident Response Timeline

After consultation with Miami's General Counsel, the card brands will be notified following detection of a breach of a PCI system or an exposure of PCI data. The forensic investigation will be completed within 72 hours of detection. A list of all compromised cards will be provided within 10 days of detection. A summary report outlining the incident, the number of cards compromised, our PCI DSS compliance at the time of the incident, and the steps taken to remediate the issue will be provided to the card brands within 72 hours of the issue being fully remediated.

Policy Administration

Next Review Date

  • 07/01/2020

Responsible Officer

  • Vice President for Information Technology & Chief Information Officer

Contact

  • Assistant VP for IT Services Security, Compliance, and Risk Management

Approval(s) and Date(s)

  • Version 1.0 Approval by: Information Security Officer on October 17, 2013
  • Version 1.1 Approval by: Information Security Officer on December 13, 2013
  • Version 1.2 Approval by: Information Security Officer on December 16, 2013
  • Version 1.3 Approval by: Chief Investment Officer and Information Security Officer on October 15, 2014

Recent Revision History and References

  • 17 October 2013: Version 1.0 approved
  • 13 December 2013: Version 1.1 approved
  • 16 December 2013: Updated to align with the University's Credit Card Security Policies and Procedures, Version 1.2
  • October 15, 2014: Updated to explicitly prohibit instant message and text messaging, Version 1.3
  • Updated to reference risk assessment document, to add third-party annual validations and software upgrades, and to change approval processes for storing both paper and electronic payment card numbers
  • 25 May 2017: links updated and corrected
  • June 2019: Information Security Officer reviewed and approved for use for FY19–20

Details

Article ID: 7276
Created
Mon 6/29/15 1:24 PM
Modified
Tue 6/11/19 12:43 PM