Date Established: 8/19/2019
Date Last Updated:
Office of the Controller
Vice President for Finance and Administration
Vice President and Chief Information Officer
This policy provides guidance about the importance of protecting payment card data and customer information. Failure to protect this information may result in financial loss for customers, suspension of credit card processing privileges, fines, and damage to the reputation of the unit and the university.
The University at Buffalo (UB, university) is committed to compliance with the Payment Card Industry Data Security Standards (PCI DSS) to protect payment card data regardless of where that data is processed or stored. All members of the university community must adhere to these standards to protect our customers and maintain the ability to process payments using payment cards.
The university prohibits the retention of complete payment card primary account numbers (PAN) or sensitive authentication data in any university system, database, network, computer, tablet, cell phone, or paper file. Storing truncated numbers in approved formats (first six digits or last four digits) is permissible.
The Credit Card Handling Chart details the acceptable use of payment card data and security requirements. The PCI DSS requirements do not supersede local, state, and federal laws or regulations.
PCI DSS Requirements
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
The university is required to comply with all relevant standards. However, not all of the PCI DSS requirements are relevant to UB. Certain university policies reduce the compliance scope, including prohibiting electronic storage of payment card information, restricting transmission through fax and email, and utilizing third-party vendors for web-based payment card processing rather than university networks.
The PCI DSS is a mandated set of requirements agreed upon by the major credit card companies. The security requirements apply to all transactions surrounding the payment card industry and the merchants or organizations that accept these cards as a form of payment.
The university must comply with the PCI DSS in order to accept card payments and avoid penalties. This policy and additional supporting policies:
This policy applies to those involved with payment card handling including faculty, staff, students, third-party vendors, individuals, systems, networks, and other parties with a relationship to the university including auxiliary service corporations, alumni associations, student associations and governments, Research Foundation (RF), UB Foundation (UBF) and any unit using third-party software to process payment card transactions. This includes transmission, storage, and processing of payment card data, in any form (electronic or paper) on behalf of UB.
Cardholder
Individual who owns and benefits from the use of a membership card, particularly a payment card.
Cardholder Data (CHD)
Elements of payment card information that must be protected, including primary account number (PAN), cardholder name, expiration date, and the service code.
Cardholder Name
The name of the individual to whom the card is issued.
Expiration Date
The date on which a card expires and is no longer valid. The expiration date is embossed, encoded, or printed on the card.
Service Code
Indicates where the card may be used and for what purposes.
CHD must be disposed of in a manner that renders all data unrecoverable. This includes paper documents and any electronic media, including computers, hard drives, magnetic tapes, and USB storage devices, in accordance with the Record Retention and Disposition Policy. The approved PCI DSS disposal methods include cross-cut shredding, incineration, and an approved shredding and disposal service.
Merchant
A department or unit (including a group of departments or a subset of a department) approved to accept payment cards and assigned a merchant identification number.
Payment Card Industry Data Security Standards (PCI DSS)
The security requirements defined by the Payment Card Industry Data Security Standards Council and the major credit card brands including Visa, MasterCard, Discover, American Express, and JCB.
PCI Compliance Committee
Group composed of representatives from Financial Management, Information Security Office, Office of the Vice President and Chief Information Officer, Internal Audit, and UB merchants.
Primary Account Number (PAN)
A number of 14 or 16 digits embossed on a bank or credit card and encoded in the card's magnetic stripe. The PAN identifies the issuer of the card and the account, and includes a check digit as an authentication device.
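As an added illustration (not part of the policy), the following Python shows the PAN structure from the definition above together with the truncation rule stated earlier in the policy: it validates the Luhn check digit, renders a PAN in the approved first-six or last-four format, and scans text for complete PANs so a unit can detect prohibited retention in its own files. The sample records and the "X" mask character are constructed assumptions.

```python
import re

# Constructed sample records (not real cards); the third number fails Luhn.
SAMPLE_TEXT = """\
receipt 1001: card 4111 1111 1111 1111 exp 12/26
receipt 1002: card 3056-9309-0259-04 exp 01/27
order ref 1234567890123456 (not a PAN, fails the check digit)
"""

# 14 to 16 digits, optionally separated by single spaces or dashes
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){13,15}\d\b")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str, keep: str = "last4") -> str:
    """Render a PAN in one of the policy's approved truncated formats:
    'first6' keeps the first six digits, 'last4' keeps the last four."""
    digits = re.sub(r"\D", "", pan)
    if keep == "first6":
        return digits[:6] + "X" * (len(digits) - 6)
    if keep == "last4":
        return "X" * (len(digits) - 4) + digits[-4:]
    raise ValueError("keep must be 'first6' or 'last4'")

def find_full_pans(text: str) -> list:
    """Candidate complete PANs in text: 14-16 digit runs that pass Luhn.
    A hit indicates prohibited storage of a full PAN and needs follow-up."""
    return [re.sub(r"\D", "", m.group()) for m in PAN_PATTERN.finditer(text)
            if luhn_valid(re.sub(r"\D", "", m.group()))]

def redact_full_pans(text: str, keep: str = "last4") -> str:
    """Replace every complete PAN in text with its approved truncated form."""
    def _fix(m):
        digits = re.sub(r"\D", "", m.group())
        return truncate_pan(digits, keep) if luhn_valid(digits) else m.group()
    return PAN_PATTERN.sub(_fix, text)

if __name__ == "__main__":
    print(redact_full_pans(SAMPLE_TEXT))
```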
Self-Assessment Questionnaire (SAQ)
Validation tools that assist merchants and service providers in reporting the results of their PCI DSS self-assessment.
Sensitive Authentication Data
Additional elements of payment card information required to be protected but never stored. These include magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data, and PIN or PIN block.
CAV2, CVC2, CID, or CVV2 data
The three- or four-digit value printed on or to the right of the signature panel or on the face of a payment card used to verify card-not-present transactions.
Magnetic Stripe (i.e., track) data
Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full magnetic-stripe data after transaction authorization.
PIN or PIN block
Personal identification number entered by the cardholder during a card-present transaction, or encrypted PIN block present within the transaction message.