Policy Information

Date Established: 8/19/2019
Date Last Updated:
Category: Financial
Responsible Office: Office of the Controller
Responsible Executives: Vice President for Finance and Administration; Vice President and Chief Information Officer

Payment Card Industry (PCI) Compliance Policy

Summary

This policy provides guidance about the importance of protecting payment card data and customer information. Failure to protect this information may result in financial loss for customers, suspension of credit card processing privileges, fines, and damage to the reputation of the unit and the university.

Policy Statement

The University at Buffalo (UB, university) is committed to compliance with the Payment Card Industry Data Security Standards (PCI DSS) to protect payment card data regardless of where that data is processed or stored. All members of the university community must adhere to these standards to protect our customers and maintain the ability to process payments using payment cards.

The university prohibits the retention of complete payment card primary account numbers (PAN) or sensitive authentication data in any university system, database, network, computer, tablet, cell phone, or paper file. Storing truncated numbers in an approved format (first six digits or last four digits) is permissible.

The Credit Card Handling Chart details the acceptable use of payment card data and security requirements. The PCI DSS requirements do not supersede local, state, and federal laws or regulations.

Payment Card Industry Data Security Standards (PCI DSS) V3.2

Goals and PCI DSS Requirements

Build and Maintain a Secure Network and Systems

1.  Install and maintain a firewall configuration to protect cardholder data

2.  Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3.  Protect stored cardholder data

4.  Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5.  Protect all systems against malware and regularly update anti-virus software or programs

6.  Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7.  Restrict access to cardholder data by business need to know

8.  Identify and authenticate access to system components

9.  Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

The university is required to comply with all relevant standards. However, not all of the PCI DSS requirements are relevant to UB. Certain university policies reduce the compliance scope, including prohibiting electronic storage of payment card information, restricting transmission through fax and email, and utilizing third-party vendors for web-based payment card processing rather than university networks. 

Background

The PCI DSS is a mandated set of requirements agreed upon by the major credit card companies. The security requirements apply to all transactions surrounding the payment card industry and the merchants or organizations that accept these cards as a form of payment.

The university must comply with the PCI DSS in order to accept card payments and avoid penalties. This policy and additional supporting policies:

  • Provide the requirements for processing, transmission, storage, and disposal of cardholder data transactions
  • Reduce the institutional risk associated with the administration of payment cards
  • Promote proper internal control
  • Promote compliance with the PCI DSS

Applicability

This policy applies to those involved with payment card handling including faculty, staff, students, third-party vendors, individuals, systems, networks, and other parties with a relationship to the university including auxiliary service corporations, alumni associations, student associations and governments, Research Foundation (RF), UB Foundation (UBF) and any unit using third-party software to process payment card transactions. This includes transmission, storage, and processing of payment card data, in any form (electronic or paper) on behalf of UB.

Definitions

Cardholder

Individual who owns and benefits from the use of a membership card, particularly a payment card.

Cardholder Data (CHD)

Elements of payment card information that must be protected, including primary account number (PAN), cardholder name, expiration date, and the service code.

Cardholder Name

The name of the individual to whom the card is issued.

Expiration Date

The date on which a card expires and is no longer valid. The expiration date is embossed, encoded, or printed on the card.

Service Code

A value encoded on the card that indicates where the card may be used and for what purposes.

Disposal

CHD must be disposed of in a manner that renders all data unrecoverable. This includes paper documents and any electronic media, including computers, hard drives, magnetic tapes, and USB storage devices, in accordance with the Record Retention and Disposition Policy. The approved PCI DSS disposal methods include cross-cut shredding, incineration, and an approved shredding and disposal service.

Merchant

A department or unit (including a group of departments or a subset of a department) approved to accept payment cards and assigned a merchant identification number.

Payment Card Industry Data Security Standards (PCI DSS)

The security requirements defined by the Payment Card Industry Data Security Standards Council and the major credit card brands including Visa, MasterCard, Discover, American Express, and JCB.

PCI Compliance Committee

Group composed of representatives from Financial Management, Information Security Office, Office of the Vice President and Chief Information Officer, Internal Audit, and UB merchants.

Primary Account Number (PAN)

Number code of 14 or 16 digits embossed on a bank or credit card and encoded in the card's magnetic stripe. The PAN identifies the issuer of the card and the account, and includes a check digit as an authentication device.
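The truncation rule in the Policy Statement (keep only the first six or the last four digits) and the PAN definition above (14 or 16 digits ending in a check digit) are illustrated by the following added example, which is not part of the UB policy or any UB system. It masks a PAN to the approved formats and scans constructed sample text for full PANs that should not have been retained; the Luhn mod-10 check used for the check digit is the standard algorithm, assumed here rather than stated on the page.

```python
import re

# Candidate PAN: 14-16 digits, optionally separated by spaces or dashes,
# not preceded or followed by another digit (avoids splitting longer runs).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,15}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Validate the trailing check digit with the Luhn mod-10 algorithm."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep: str = "last4") -> str:
    """Truncate a PAN to an approved format: keep 'first6' or 'last4'."""
    digits = re.sub(r"\D", "", pan)
    if keep == "first6":
        return digits[:6] + "*" * (len(digits) - 6)
    if keep == "last4":
        return "*" * (len(digits) - 4) + digits[-4:]
    raise ValueError("keep must be 'first6' or 'last4'")


def find_full_pans(text: str) -> list:
    """Return full PANs (14-16 digits with a valid check digit) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):  # 16-digit order numbers etc. fail this
            hits.append(digits)
    return hits


# Constructed sample log lines; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLE_LOG = """\
2019-08-19 10:02:11 order=1234567890123456 card=4111 1111 1111 1111 status=APPROVED
2019-08-19 10:05:43 order=1234567890123457 card=************1111 status=APPROVED
"""

if __name__ == "__main__":
    for pan in find_full_pans(SAMPLE_LOG):
        print("full PAN retained:", truncate_pan(pan))  # report masked only
```

Running the block reports the one full PAN in the sample as `************1111`, showing how a retention check can flag prohibited data without itself logging the complete number.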

Self-Assessment Questionnaire (SAQ)

Validation tools that assist merchants and service providers in reporting the results of their PCI DSS self-assessment.

Sensitive Authentication Data

Additional elements of payment card information required to be protected but never stored. These include magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data, and PIN or PIN block.

CAV2, CVC2, CID, or CVV2 data

The three- or four-digit value printed on or to the right of the signature panel or on the face of a payment card used to verify card-not-present transactions.

Magnetic Stripe (i.e., track) data

Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full magnetic-stripe data after transaction authorization.

PIN or PIN block

Personal identification number entered by the cardholder during a card-present transaction, or encrypted PIN block present within the transaction message.

Responsibility

All Members of the University Community

  • Safeguard cardholder data.
  • Report occurrences of possible incidents and data breaches to your supervisor or the UB Information Security Officer.
  • Review and comply with the following university policies:
    • UBIT Password
    • Protection of University Data

PCI Compliance Committee

  • Monitor the university’s compliance with PCI DSS requirements.
  • Act as a steering committee for PCI DSS.
  • Support PCI DSS compliance efforts.
  • Review the required annual SAQ self-assessment.

UB Information Technology (UBIT)

  • Maintain security standards required by PCI DSS.
  • Keep current with PCI DSS regulations and make changes to systems and processes, as appropriate.
  • Consult on technical PCI DSS issues.
  • Assist with mandatory annual training sessions.

Policy, Compliance and Internal Controls

  • Maintain an inventory of all UB schools and departments that process payment card transactions using an approved merchant account, UBF Checkout, or other compliant methods.
  • Provide and monitor annual training that meets the PCI DSS requirements.
  • Coordinate completion of the annual self-assessment documents (SAQs).
  • Collect departmental PCI procedures as part of the annual SAQs.
  • Evaluate compliance with PCI as part of scheduled cash handling reviews; this is a shared responsibility with Financial Management.

Financial Management

  • Keep current with PCI DSS regulations and make changes to processes, as appropriate.
  • Maintain the inventory of all State devices (i.e., analog, cellular, Bluefin), merchant IDs, and terminal IDs, along with activation status.
  • Evaluate compliance with PCI as part of scheduled cash handling reviews; this is a shared responsibility with Policy, Compliance and Internal Control.

Department and Unit Heads (who accept payment card payments other than through approved online methods)

  • Review and comply with the following university policies:
    • Credit/Debit Card Merchant Requirements
    • Safeguarding Cash and Cash Equivalents
  • Complete the required annual PCI self-assessment (SAQ).
  • Complete the annual PCI training through Financial Management.
  • Require appropriate staff to complete the annual PCI training through Financial Management.
  • Maintain departmental Standard Operating Procedures (SOPs) for PCI compliance and verify that staff understand the procedures and their responsibilities.

Payment Card Handlers and Processors

  • Follow the established cash receipts procedures for the appropriate funding source.
  • Follow the Payment Card Processing Options and use PCI Compliant Devices for all card transactions.
  • Complete the Payment Card Authorization Form when appropriate.
  • Complete the annual PCI training through Financial Management.
  • Review and comply with the following university policies:
    • Credit/Debit Card Merchant Requirements
    • Safeguarding Cash and Cash Equivalents

Third Party Payment Card Processors

  • Provide confirmation of compliance.

Contact Information

Contact an Expert

Tricia Canty, 716-645-2639, tscanty@buffalo.edu
Financial Management, PCI_COMPLIANCE@buffalo.edu
PCI Compliance Committee, PCI@buffalo.edu

Presidential Approval

Signed by Satish K. Tripathi, President

Date: 8/19/2019