Profile
To protect the credit card data of our students, faculty, staff, donors, and guests – as well as to comply with the Payment Card Industry Data Security Standards (PCI-DSS), the State University of New York at New Paltz must set standards and procedures for secure and reliable processing of credit card data.
Scope
This policy applies to all employees of the State University of New York at New Paltz who have access to credit or debit card numbers accepted for payments to the University.
Protecting cardholder data is something all employees involved must be part of – it is not just something Information Technology Services takes care of on their own.
Policy
Departmental Acceptance of Credit Card Payments
- A department can only accept credit cards with the explicit written approval of the Vice President of Finance & Administration, or the Assistant Vice President of Finance & Administration.
- New credit card processing devices such as credit card readers must be reviewed and approved by the Chief Information Officer, or the Information Security Officer, prior to purchase.
- New vendors or payment processors involved in credit card processing must be reviewed and approved by the Vice President of Finance & Administration, or the Assistant Vice President of Finance & Administration, as well as the Information Security Officer before contracts are signed.
Access to Customer Credit Card Data
- Access is authorized only for University personnel who are responsible for processing or facilitating credit card transactions. Such authorization must be granted by the Vice President of Finance and Administration, or their designees.
- Departments that have been approved for access must keep (and provide to the Internal Controls Coordinator and Information Security Officer) a list of staff who are involved in credit card processing. This list must be updated within a week of personnel changes.
- Such access can only occur in specific locations approved by the Vice President of Finance and Administration, the Assistant Vice President of Finance & Administration, or their designees. A special exception may be granted for mobile card processing systems.
- Only authorized University personnel may process credit card transactions or have access to documentation related to credit card transactions.
- A copy of this policy must be read and signed by authorized personnel upon initial employment and annually thereafter.
- Signed policies will be maintained by the department supervisor.
- All electronic systems in the Cardholder Data Environment must require authentication. Such authentication must provide an individual account per user; group accounts shared by more than one individual should not be used.
- Access to systems in the Cardholder Data Environment for vendors and business partners will be granted only if absolutely necessary. Such access will be disabled immediately after the need for it passes.
Transmission of Credit Card Information
- Insecure transmission of cardholder data is prohibited. Cardholder data can only be transmitted via approved encryption protocols and methods, which may change over time as new security vulnerabilities are discovered.
- All card-present transactions must be entered into a point-to-point encrypted terminal. A special exemption may be considered, but it will require significant additional compensating controls.
Receipt of Credit Card Information via Email and Messaging services
- Under no circumstances should cardholder data be sent or requested via email or messaging services such as instant messaging or SMS (text messages), or via web conferencing tools such as Zoom, Teams, or WebEx.
- If, despite the University not accepting credit cards via email, a customer sends their credit card information via email, the following should be done:
  - A reply advising the sender that the transaction cannot be processed should be sent (with the credit card information in the original email redacted). The reply should offer acceptable methods for making payments through the department's existing approved procedures.
  - The message containing the cardholder data should then be immediately deleted (and also deleted from the trash).
Telephone Payments
- When recording credit card information for processing, only the cardholder name, account number, expiration date, zip code, and street address may be recorded. It is not permissible to record and store sensitive authentication data (including the Card Verification Code (CVC)).
- Sensitive authentication data can only be asked for over the phone if it will be immediately entered into a secure, approved Point-to-Point Encrypted terminal.
- If cardholder data must be held before processing, it should be stored in a secured (locked) area until it is processed.
Processing Credit Card Transactions on Campus Computing Devices
- These computers must be set up and secured by the Desktop Support staff as per internal Information Technology Services procedures and placed on the restricted PCI VLAN (Virtual Local Area Network).
- Card numbers must never be manually entered on any computer or device not on the PCI VLAN.
- The credit card may only be swiped (or have its internal chip read) by systems on the PCI VLAN, or using an approved P2PE card reader.
- The dedicated computers that are set up for credit card processing and handling should only be used for those tasks. They should not be used for general computer or Internet use. This does not apply to computers/devices with attached P2PE card readers.
Storage of Credit Card Information
- Electronic storage of cardholder data or sensitive authentication data is expressly prohibited under any circumstance.
- Cardholder data should be retained in a secure location only as long as is necessary for business purposes. Cardholder data must be destroyed when no longer needed (via cross-cut paper shredders, or by being placed in a shred box provided by Internal Controls).
- Sensitive authentication data must be destroyed immediately after the transaction is processed.
Equipment Verification & Storage
- Credit card processing equipment should be inspected and verified to detect any tampering. The procedure for such verification and the frequency of inspection will be determined by the Internal Controls Coordinator. If any tampering is detected or suspected, it must be reported as per the Incident Response Policy guidelines.
- Mobile credit card processing equipment (any equipment not used exclusively at a specific desk), including any readers attached to laptop computers, smart phones, or tablets, should be kept in a secure location when not in use. Standards for securing this equipment will be set by Internal Controls and may differ depending on the usage and location of the devices.
Training
- Staff with access to the cardholder data environment, or who are involved in any way with credit card processing, must complete PCI training annually. This includes all supervisors of staff who deal with credit card processing, even if those supervisors do not process credit card information themselves. Training will be assigned via the University's security training system by the ISO.
Self-Assessment, Testing, and Review
- The ISO will conduct internal and external vulnerability scans of any systems in the CDE. The external scans will be performed by an Approved Scanning Vendor (ASV).
- The PCI compliance status of all payment processors and vendors that the University uses will be checked on an annual basis.
- This policy will be reviewed at least annually by the ISO. If changes are warranted, they will be discussed with the Information Security and Risk Oversight Committee (ISRO) and submitted for approval to the President's Cabinet.
Outside Entities Doing Business On-Campus
Outside entities are permitted to accept credit card payments on campus provided they attest to their own compliance with the PCI DSS. Such an entity should be able to provide proof of PCI DSS compliance. These organizations are encouraged to utilize their own network connections, such as wireless via the cellular network, ideally with point-to-point encrypted devices and a VPN tunnel. Data should be encrypted such that even if it traverses the SUNY New Paltz network, New Paltz staff are unable to decrypt it. If providers use the New Paltz network – SUNY New Paltz is not responsible for data loss on the network due to the inherent risk associated with public networks.
Though the SUNY New Paltz Foundation and the SUNY Research Foundation operations at SUNY New Paltz are separate legal entities, they are similarly bound by these policies as they are supported by SUNY New Paltz Information Technology Services and on their network.
Additional Policies & Documents
This policy supplements the following campus policies (as well as any department-specific policies):
Acceptable Uses and Privacy Policy
Information Security Policy
Confidential Information Policy
Incident Response Policy
Definitions
- Cardholder Data – At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
- CDE - Cardholder Data Environment – The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
- Card Verification Code (CVC) - Also known as Card Validation Code (CVC) or Value (CVV), or Card Security Code. Refers to either: (1) magnetic-stripe data, or (2) printed security features (such as the three- or four-digit code on the back of the card).
- ISO - Information Security Officer – A staff member within Information Technology Services tasked with managing the University's information security.
- PCI-DSS – The Payment Card Industry Data Security Standard – an information security standard for organizations handling credit cards from the major brands.
- P2PE – Point to Point Encryption. This refers to credit card processing terminals.
- Sensitive Authentication Data – Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
Additional definitions are available at the PCI Security Council’s glossary.