Payment Card Security
University Policy Number 2110
- Payment Card Control and Security Procedures
- Departmental/Merchant Payment Card Procedures and General Guidelines
- Incident Response Plan for PCI DSS Incidents
- Password Complexity Standard
Related Law & Policy:
- Policy 1114: Data Stewardship
- Policy 1304: Public Internet Address
- Policy 1305: Reporting Electronic Security Incidents
- Policy 1312: Physical and Logical Access Security
- Policy 2103: Internal Controls
- Policy 2105: Cash Handling
- Policy 2221: Background Investigations
This policy applies to all George Mason University faculty, staff, students, organizations and individuals who, on behalf of the university, handle electronic or paper documents associated with payment card receipt transactions or accept payments in the form of payment cards. The scope includes any payment card activities conducted at all George Mason University campuses and locations.
II. Policy Statement
Mason units/departments may operate as merchant departments accepting payment card data for goods and services provided, after receiving advance written approval from the Associate Vice President and Controller in accordance with the University Cash Handling Policy 2105 and following the key compliance elements set forth in this policy.
This policy addresses the Payment Card Industry Data Security Standard (PCI DSS), which is contractually imposed by the payment card associations (e.g., Visa and MasterCard) on merchants that accept these cards as forms of payment. The policy covers the following specific areas of the PCI DSS related to cardholder data: collecting, processing, transmitting, storing and disposing of cardholder data.
III. PCI DSS Key Compliance Elements
Procedures must be documented by merchant departments and be available for periodic review. Merchant departments seeking final authorization must ensure that the following objectives are met:
- Access to cardholder data (CHD) must be restricted to only those users who need it to perform their jobs. Each merchant department must maintain a current list of employees who are granted access. In order to certify their understanding of handling procedures, all personnel with access to CHD must annually sign the Payment Card Control and Security Procedures document and must participate in the annual PCI DSS training. Merchant departments are responsible for assuring that background checks are requested for applicable personnel per Policy 2221.
- Cardholder data, whether collected on paper or electronically, must be protected against unauthorized access.
- All equipment used to collect data must be secured against unauthorized use in accordance with the PCI DSS. Payment card devices should be included on the Payment Card Industry Council’s approved PIN Transaction Security (PTS) Device list and authorized by Fiscal Services prior to purchase.
- Physical security controls must be in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment or documents containing cardholder data.
- Cardholder data must not be processed, stored or transmitted using the university’s network unless the IT Security Office (ITSO) has verified the technical controls, including firewalls and encryption, in accordance with the PCI DSS.
- Email must never be used to transmit payment card or personal payment information, nor should it be accepted as a method to supply such information.
- If a fax machine is used to transmit payment card information to a merchant department, the fax machine must be a standalone machine with appropriate physical security; receipt or transmission of payment card data using a multi-function facsimile is not permitted.
- Cardholder data must not be retained after authorization unless a legitimate, authorized and documented business need exists. This data must be properly protected and subsequently destroyed in accordance with PCI DSS.
- Sensitive authentication data including the card validation code/value printed on the card or full track data from the stripe or chip must never be stored after authorization, even if this data is encrypted.
- University staff may not store cardholder data and/or the card validation code/value using any electronic method including but not limited to storage in databases or spreadsheets or storage on portable electronic media devices.
- Cardholder data collected on paper must be properly destroyed immediately after processing using approved PCI DSS methods.
- Merchant departments desiring to use a third party service provider to handle CHD or be involved with the payment process must conduct proper due diligence and must obtain advance approval from the Associate Vice President and Controller and ITSO prior to engaging a service provider. Merchant departments are responsible for ensuring compliance with PCI DSS requirements related to third party service providers including:
a. Maintaining a written agreement that includes an acknowledgement that the service provider is responsible for the security of CHD they possess, store, process or transmit, or that could impact the security of the CHD environment. All contracts for third party service providers must be authorized by the Associate Vice President and Controller. Merchant departments cannot negotiate their own contracts with payment card processing companies or third party vendors accepting card payments on their behalf, including acceptance of on-line click-through end user license agreements (EULAs).
b. Monitoring the provider’s PCI DSS compliance status annually by either obtaining an attestation of compliance, or by verifying that the provider is listed on the Visa Global Registry of compliant service providers.
c. Maintaining information about which PCI DSS requirements are managed by the provider and which are managed by Mason.
d. For payment applications used to process cardholder data, the payment application should be listed on the Payment Application Data Security Standard (PA-DSS) database of compliant payment applications.
- In the event of an actual or suspected data breach, report the incident to Fiscal Services and ITSO. If fraud is suspected, also contact the University Police.
Cardholder: The customer to whom a payment card has been issued or the individual authorized to use the card.
Cardholder Data: Personally identifiable data about the cardholder gathered as a direct result of a payment card transaction. At a minimum, it consists of the full primary account number (PAN). It may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code.
Card-Validation Code/Value: The three-digit or four-digit value printed on the payment card used to verify card-not-present transactions. On a MasterCard payment card this is called CVC2. On a Visa card this is called CVV2. On an American Express card this is called CID.
Encryption: The process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key. Use of encryption protects information from unauthorized disclosure between the encryption process and the decryption process (the inverse of encryption).
Firewall: Hardware and/or software that protect the resources of one network from users from other networks. Typically, an enterprise with an intranet that allows its workers access to the wider Internet must have a firewall to prevent outsiders from accessing its own private data resources.
Magnetic Stripe or Chip Data (Track Data): Data encoded in the magnetic stripe or chip used for authorization during a card present transaction.
Network: A network is defined as two or more computers connected to each other so they can share resources.
PAN: Acronym for “primary account number” and also referred to as “account number.” Unique payment card number that identifies the issuer and the particular cardholder account.
Payment Application: In the context of PA-DSS, a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.
Payment Card Receipt Transactions: Any collection of cardholder data to be used in a financial transaction whether by facsimile, paper, card presentation or electronic means.
Sensitive Authentication Data: Security data used to authenticate a cardholder and/or authorize payment card transactions. Includes full track data from magnetic stripe or chip, card validation code/value, and PINs/PIN blocks.
Third Party Service Provider: Business entity that is not a payment brand, directly involved in the collecting, processing, storage or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.
Fiscal Services: Fiscal Services is responsible for the review of departmental procedures and practices in connection with payment card receipt transactions.
Information Technology Services: The IT Security Office (ITSO) is responsible for coordinating the university’s compliance with the PCI DSS technical requirements. Where technical control requirements are the responsibility of or are enforced by Information Technology Services, the IT Security Office will validate that the controls are enforced. The ITSO will provide technical control guidance on requirements to merchant departments. It will also maintain the attestation of compliance and self-assessment questionnaire (SAQ) guidelines for all merchant departments. The ITSO will coordinate with Fiscal Services in assessing systems and merchant departments for compliance.
Heads of departments and units: Department and unit heads are responsible for documenting departmental procedures, for working with ITSO to ensure proper technical controls exist and for ensuring that payment card activities are in compliance with this policy. They are responsible for adhering to all PCI DSS requirements and for annually certifying their continued compliance by submitting the appropriate PCI DSS Self-Assessment Questionnaire (SAQ) and supporting university-required documents. Departments/units will be responsible for any fines levied against the university that result from noncompliance.
The Associate Vice President and Controller will terminate payment card collection privileges for any department/unit not in compliance with this policy.
A. Effective Date
This policy will become effective upon the date of approval by the Senior Vice President for Administration and Finance and the Provost and Executive Vice President.
B. Date of Most Recent Review:
VIII. Timetable for Review
This policy, and any related procedures, shall be reviewed and revised, if necessary, annually to become effective at the beginning of the university’s fiscal year, unless otherwise noted.
Maurice W. Scherrens
Senior Vice President
Peter N. Stearns
Date approved: December 13, 2006
Revised: January 9, 2013
Revision approved: June 9, 2016