
Policy Number: BA-14

Effective: 10/05/2020

Last Revised: 10/05/2020

Responsible Executive: Executive Vice President & CFO, Business Affairs

Contact Information: 765-677-2947; controller@indwes.edu

Credit Card Acceptance and Handling Policy

I. Scope

The policy applies to all University personnel and any Third Party Service Provider acting on behalf of the University who handle Cardholder Data or can impact the security of the IWU Cardholder Data Environment.

II. Policy Statement

This policy establishes the requirements for the acceptance and processing of credit card payments and requirements for the protection of Cardholder Data in accordance with the Payment Card Industry Data Security Standards (PCI DSS). 

Indiana Wesleyan University acknowledges the importance of its data security and regulatory responsibilities and has established a framework to protect Cardholder Data.  All processes, operational procedures and related technologies used for accepting credit cards must comply with the PCI DSS and relevant University policies.

III. Reason for the Policy

The reason for this policy is to set the standard for protecting Cardholder Data supplied to the University or any Third Party Service Provider acting on behalf of the University.

IV. Procedures

Processor Set-up

  • All Third-Party service providers (TPSP) must be approved by Business Affairs Controller’s Office and the Information Security Officer (ISO). Currently approved providers are denoted in the Related Information section of this policy.  All requests to establish an account must be submitted in writing to the Controller’s Office at least three months in advance of the desired start date.
  • IWU Departments coordinate with the ISO to properly document and maintain a current diagram illustrating the IWU Merchant’s Cardholder Data Environment (CDE). The diagram must include all data flows, POS devices, network devices, servers, computing devices, applications and any other component or device located within or connected to the IWU Merchant’s CDE.

Information Security

  • All IWU Departments are expected to protect Cardholder Data (CHD) and prevent any unauthorized use.
  • IWU strictly prohibits CHD and Sensitive Authentication Data (SAD) from being captured, stored, processed, or transmitted on University servers or networks with the following exceptions:
    • Transmission of encrypted CHD is permitted through a PCI validated Point-to-Point Encryption (P2PE) Solution (see Approved Methods of Accepting Credit Cards).
    • Storage of paper forms and digital images of CHD is permitted only when CHD is redacted (see Data Retention/Storage).
    • VDI is permitted as provided by the University.  VDI can only be used on an approved wired network.  Connecting to a wireless network and utilizing VDI is prohibited.
  • Credit card processing via Wi-Fi is prohibited unless approved by the Controller’s Office and ISO.
  • If a P2PE solution is implemented, the IWU Department must follow the security guidelines established by the P2PE solution provider as well as any IWU data security requirements. 
  • Roles and responsibilities associated with credit card processing must be assigned and acknowledged within the IWU Department that is processing credit cards.

University Approved Methods of Accepting Credit Cards

The preferred method of payment acceptance is through the IWU payment portal.  If this is not feasible then the following methods are permitted.

  • Card-Present
    • Point-of-Sale (POS) (face-to-face)
    • Stand-alone terminals with internet connections are permitted as long as they meet the network segmentation required by PCI-DSS guidelines.
  • Card-not-Present
    • Mail order/telephone order (MOTO)
      • University personnel are required to enter CHD into the IWU VDI environment.
      • Connection to the VDI environment must be made via a wired network connection.
      • As the caller reads their credit card number over the phone, do not write it down.  Type the information directly into an authorized credit card reader connected to the IWU-PCI network, dial-up phone network, or cell phone wireless system.
      • For credit card information that is mailed in, the information is to be typed into an authorized credit card reader.  After the transaction is processed, the written card information is to be destroyed by shredding or redacting the cardholder data.
      • Enter the information required to complete the transaction.
      • Print the receipt as needed.
  • Voicemail
    • Do not process any request received via voicemail which includes card holder data unless you are able to follow these 3 steps:
      • Requests received via voicemail which include card holder data should be charged the same day they are received by typing the information into an authorized credit card reader connected to the IWU-PCI network, dial-up phone network, or cell phone wireless system.
      • The voicemail must then immediately be deleted. The voicemail box must be purged to destroy the message.
  • By Fax (credit card processing is accepted only if the following special processing is followed):
    • Do not process any request received via fax which includes cardholder data unless you are able to do the following:
      • Requests which contain credit card data can only be received via a fax machine set up as an approved fax machine that has been segmented from the IWU network.  The office where the approved fax machine is located must be locked whenever IWU employees are not in the room.
      • Requests must be charged the same day they are received.
      • Credit card information is then immediately cut out of the form and cross-cut shredded to destroy it.
  • E-Commerce:
    • Outsource all e-commerce functions and technology support to a University approved PCI compliant vendor.
    • Process on University developed websites that utilize an approved Payment Application. 

Data Retention/Storage 

  • Under no circumstances should cardholder data be maintained in an electronic format. This includes but is not limited to being saved on a computer, CD, removable drive, cloud file storage or any other form of electronic media.
  • The storage of paper records containing credit card information should be limited to that needed to conduct business. These records will be stored in a locked filing cabinet or safe in a locked room. The portion of the paper containing the credit card number will be destroyed via cross-cut shredding, incineration or pulping, either by the merchant or through a contract with an ISO-approved vendor, after the transaction is processed.  All paper transactions containing credit card numbers should be processed as soon as possible, preferably within 24 hours.
  • Under no circumstances should the CVV code be stored or recorded on paper.

Department Responsibilities 

  • Responsibilities include but are not limited to the following:
    • Required training must be completed by all individuals with access to the IWU Merchant CDE, first upon hire or upon assuming a new role that requires such access, then on an annual basis thereafter, for as long as the individual has access to the IWU Merchant CDE.  Training will include an annual PCI-DSS security awareness learning module and attestation that the employee has reviewed this policy.
    • Assign roles and responsibilities to individuals with access to the IWU Merchant CDE to ensure appropriate internal controls and compliance with PCI DSS and IWU’s related policies.
    • Maintain chain of custody records for all equipment that has direct physical interaction with CHD.
    • Maintain a current list and location of MIDs, terminals and authorized users, as well as operating procedures, data flow diagrams, staff training and equipment inspection logs, available for review upon request.
    • Maintain copies of TPSP documentation indicating which PCI DSS requirements will be met by the TPSP and which will be the responsibility of the IWU Merchant.
    • Obtain proof of TPSP's PCI DSS compliance on an annual basis.
    • Take immediate action to respond to a suspected or confirmed security compromise of the IWU Merchant CDE or any IWU Merchant CHD by notifying the individuals identified in the section “Responding to a Suspected Credit Card Security Breach” below.

Enforcement

IWU Merchants are subject to periodic audit. Violation of PCI DSS or University policies by an IWU Merchant can result in the termination of the Merchant’s ability to accept credit cards as a method of payment. Individuals may also be subject to disciplinary action.

Responding to a Suspected Credit Card Security Breach

Anyone with knowledge or suspicion that the IWU Merchant CDE or any IWU Merchant CHD has been compromised in any way must immediately report the incident to each of the following:

  • Immediate supervisor
  • Controller’s Office
  • Information Security Officer

The IWU Merchant must also take immediate steps to preserve all business records, logs and electronic evidence.

The Office of the Controller will coordinate with the Office of General Counsel and other appropriate departments to determine if notification laws are applicable and will notify the acquiring bank.

Annual Policy Review

In compliance with PCI DSS requirements, this policy will be reviewed at least annually and updated as needed to reflect changes to industry standards and/or business objectives and to address new or evolving threats to IWU Merchants.

Contacts

Office of the Controller

Information Security Officer 

V. Definitions

  • ISO – Information Security Officer
  • Card Brands – American Express, Discover, JCB, MasterCard or Visa.
  • CHD – Cardholder Data - At minimum, consists of the full PAN but may also include the full PAN with cardholder name, expiration date, or service code.
  • CDE – Cardholder Data Environment - The people, processes and technology that capture, store, process or transmit CHD or SAD, including any system components that may affect the security of such data.
  • Credit Cards – Credit and debit cards issued by one of the five Card Brands.
  • IWU Merchant – Any individual/school/department that accepts credit cards bearing the logos of any of the five Card Brands as payment for goods and/or services on behalf of the University.
  • MID – Merchant ID - Unique ID associated with each IWU Merchant account used for transaction processing and billing.
  • Payment Application – Software application that stores, processes, or transmits CHD as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.
  • PAN – Primary Account Number – also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account, and consists of 16 to 19 digits.
  • PCI SSC – Payment Card Industry Security Standards Council made up of five Card Brand members that set the standards to enhance CHD security.
  • PCI DSS – Payment Card Industry Data Security Standards – provides a baseline of technical and operational requirements designed to protect CHD which applies to all entities that store, process or transmit CHD or SAD and/or are involved in credit card processing.
  • SAD – Sensitive Authentication Data - Security-related information used to authenticate cardholders and/or authorize credit card transactions; includes full track data, equivalent data on the chip, the three- or four-digit code (e.g., CVV2), the Personal Identification Number (PIN) entered by the cardholder during a card-present transaction, and/or the encrypted PIN block present within the transaction message.
  • TPSP – Third Party Service Provider – business entity that is not a Card Brand and is directly involved in the processing, storage or transmission of CHD, or that provides services that control or could impact the security of the CDE.
  • VDI – Virtual Desktop Interface – a virtual desktop or browser that is accessible via a remote desktop application or web browser.  Information on VDI use can be obtained via the IWU Support Center and must be approved by the Controller’s Office and the ISO.

VI. Sanctions

IWU may be subject to the following for PCI negligence:  monthly penalties up to $100,000, per-transaction credit card fees, credit monitoring or other theft prevention for customers, lawsuits, and reputational damage.  Employees who knowingly disregard this policy could face disciplinary action up to and including termination.

VII. Related Information

Approved Third Party Service Providers

ACI Worldwide (Official Payments)
Eventbrite
Square
Stripe
Vendini

Payment Card Industry Data Security Standards (PCI-DSS)

PCI DSS is an industry standard which protects credit card customer account data. It requires specific control objectives be met by any organization that accepts credit cards for payment.  These control objectives include secure network, server, and desktop standards, as well as procedures to ensure that credit card data is properly protected during the transaction.

Failing to comply with PCI DSS can result in significant fines.  Credit card providers can fine merchants up to $500,000 per compromise when the merchant was not compliant at the time of the compromise. Merchants may also be banned from accepting certain types of credit cards. Additional information can be found at https://www.pcisecuritystandards.org/tech/index.htm.

GLBA

GLBA protects consumers’ personal financial information held by financial institutions. It requires that financial institutions provide customers with a privacy notice explaining what information is collected, how it is used, and how it is protected.

The penalty for failing to comply with GLBA is a fine of up to $100,000 for the institution and of up to $10,000 for the officers and directors of the institution.

Additional information can be found at http://www.ftc.gov/privacy/privacyinitiatives/glbact.html.