Payment Card Security
University Policy Number 2110
- Payment Card Control and Security Procedures
- Departmental/Merchant Payment Card Procedures and General Guidelines
- Incident Response Plan for PCI DSS Incidents
- Password Complexity Standard
Related Law & Policy:
- Policy 1114: Data Stewardship
- Policy 1304: Public Internet Address
- Policy 1305: Reporting Electronic Security Incidents
- Policy 1312: Physical and Logical Access Security
- Policy 2103: Internal Controls
- Policy 2105: Cash Handling
- Policy 2221: Background Investigations
This policy applies to all George Mason University employees, students, organizations, contractors, affiliates, and individuals who accept payments in the form of payment cards or handle electronic or paper documents associated with payment card transactions, on behalf of the university. This includes all payment card activities conducted at any George Mason University campus or location.
II. Policy Statement
Mason units/departments may operate as merchant departments accepting payment card transactions for goods and services after receiving advance approval from the Vice President for Finance or his/her designee. The key compliance elements set forth in this policy must be followed.
This policy addresses Payment Card Industry Data Security Standards (PCI DSS) that are contractually imposed by the payment card associations (e.g. Visa and MasterCard) on merchants that accept these cards as a form of payment. This policy covers the following specific areas contained in the PCI DSS related to cardholder data: collecting, processing, transmitting, storing, and disposing of cardholder data.
Cardholder: The customer to whom a payment card has been issued or the individual authorized to use the card.
Cardholder Data (CHD): Personally identifiable data about the cardholder gathered as a direct result of a payment card transaction. At a minimum, it consists of the full primary account number (PAN). It may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code.
Card-Validation Code/Value: The three-digit or four-digit value printed on the payment card used to verify card-not-present transactions. On a MasterCard this is called CVC2. On a Visa card this is called CVV2. On an American Express card this is called CID.
Encryption: The process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key. Use of encryption protects information from unauthorized disclosure between the encryption process and the decryption process (the inverse of encryption).
Firewall: Hardware and/or software that protects the resources of one network from users on other networks. Typically, an enterprise with an intranet that allows its workers access to the wider Internet must have a firewall to prevent outsiders from accessing its own private data resources.
Magnetic Stripe or Chip Data (Track Data): Data encoded in the magnetic stripe or chip used for authorization during a card present transaction.
Network: A network is defined as two or more computers connected to each other so they can share resources.
PAN: Acronym for “primary account number” and also referred to as “account number.” Unique payment card number that identifies the issuer and the particular cardholder account.
Payment Application: In the context of PA-DSS, a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.
Payment Card Receipt Transactions: Any collection of cardholder data to be used in a financial transaction whether by facsimile, paper, card presentation or electronic means.
Sensitive Authentication Data: Security data used to authenticate a cardholder and/or authorize payment card transactions. Includes full track data from magnetic stripe or chip, card validation code/value, and PINs/PIN blocks.
Third Party Service Provider: A business entity that is directly involved in the collecting, processing, storage or transmission of cardholder data on behalf of another entity. This includes companies that provide services that control or could affect the security of cardholder data.
IV. PCI DSS Key Compliance Elements
Procedures must be documented by merchant departments and be available for periodic review. Merchant departments seeking final authorization must ensure that the following objectives are met:
1. Access to cardholder data (CHD) must be restricted. User access to cardholder data must be essential to job performance. Each merchant department must maintain a current list of employees who are granted access to CHD. All personnel with access to CHD must sign the Payment Card Control and Security Procedures document and must participate in the PCI DSS training annually. Merchant departments are responsible for ensuring that background investigations are performed for applicable personnel per Policy 2221.
2. Cardholder data, whether collected on paper or electronically, must be protected against unauthorized access.
3. All equipment used to collect data must be secured against unauthorized use in accordance with the PCI DSS. Payment card devices should be included on the Payment Card Industry Council’s approved PIN Transaction Security (PTS) Device list and authorized by Fiscal Services prior to purchase.
4. Physical security controls must be in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment or documents containing cardholder data.
5. Cardholder data must not be processed, stored or transmitted using the university’s network unless the IT Security Office (ITSO) has verified the technical controls, including firewalls and encryption, in accordance with the PCI DSS.
6. Email must never be used to transmit payment card or personal payment information, nor should it be accepted as a method to supply such information.
7. If a fax machine is used to transmit payment card information to a merchant department, the fax machine must be a standalone machine with appropriate physical security; receipt or transmission of payment card data using a multi-function facsimile is not permitted.
8. Cardholder data must not be retained after authorization unless a legitimate, authorized and documented business need exists. This data must be properly protected and subsequently destroyed in accordance with the PCI DSS.
9. Sensitive authentication data, including the card validation code/value printed on the card or full track data from the stripe or chip, must never be stored after authorization, even if this data is encrypted.
10. University staff may not store cardholder data and/or the card validation code/value using any electronic method, including but not limited to storage in databases or spreadsheets or storage on portable electronic media devices.
11. Cardholder data collected on paper must be properly destroyed immediately after processing using approved PCI DSS methods.
12. Mason has a centralized payment platform which serves as the base for all implementations. TouchNet uCommerce is the University’s mandatory payment card system, providing increased control and reduced risk over payment card collection and transaction recording in Banner. Benefits include: immediate receipt of the dollars tendered in the sale; amounts are received gross rather than net of fees, as required by CAPP manual guidance; centralized control of reporting for payments; and automatic update of the General Ledger, reducing manual effort. Deviations from use of the TouchNet platform require preapproval, in writing, from the Vice President for Finance or his/her designee. Merchant departments that wish to use a third party service provider other than TouchNet to obtain CHD or to be involved with the payment card process must conduct proper due diligence and receive advance approval from the Vice President for Finance or designee and from ITSO.
Merchant departments are responsible for ensuring compliance with PCI DSS requirements related to third party service providers including:
a. Maintaining a written agreement in which the service provider acknowledges its responsibility for the security of CHD it possesses, stores, processes or transmits, or that could impact the security of the CHD environment. All contracts for third party service providers must be authorized by the Vice President for Finance or designee. Merchant departments cannot negotiate their own contracts with payment card processing companies or third party vendors accepting card payments on their behalf, including acceptance of on-line click-through end user license agreements (EULAs).
b. Monitoring the provider’s PCI DSS compliance status annually by either obtaining an attestation of compliance, or by verifying that the provider is listed on the Visa Global Registry of compliant service providers.
c. Maintaining information about which PCI DSS requirements are managed by the provider and which are managed by Mason.
d. Ensuring that the payment application, when used to process cardholder data, is listed in the Payment Application Data Security Standard (PA-DSS) database of compliant payment applications.
13. In the event of an actual or suspected data breach, the incident must be reported to Fiscal Services and ITSO. If fraud is suspected, also contact the University Police.
14. When developing eCommerce applications, departments must provide documentation of the web redirect architecture to Fiscal Services and it must be reviewed and approved by ITSO to ensure PCI DSS compliance and technical security. For TouchNet eCommerce sites, the FAST team will obtain the review on behalf of the department as part of the standard development testing process.
Fiscal Services: Fiscal Services is responsible for the review of practices in connection with payment card receipt transactions.
Information Technology Services: The IT Security Office (ITSO) is responsible for coordinating the university’s compliance with the PCI Standard’s technical requirements. Where technical control requirements are the responsibility of, or are enforced by, Information Technology Services, the IT Security Office will validate that the controls are enforced. The ITSO will provide technical control guidance on requirements to merchant departments. It will also maintain the attestation of compliance and Self-Assessment Questionnaire (SAQ) guidance for all merchant departments. The ITSO will coordinate with Fiscal Services in assessing systems and merchant departments for compliance.
Heads of departments and units: Department and unit heads are responsible for documenting and monitoring departmental procedures, for working with ITSO to ensure proper technical controls exist and for ensuring that payment card activities are in compliance with this policy. They are responsible for adhering to all PCI DSS requirements and for annually certifying their continued compliance by submitting the appropriate PCI DSS Self-Assessment Questionnaire (SAQ) and supporting university-required documents. Departments/units will be responsible for any fines levied against the university that result from noncompliance.
The Vice President for Finance will terminate payment card collection privileges for any department/unit not in compliance with this policy.
A. Effective Date
This policy will become effective upon the date of approval by the Senior Vice President for Administration and Finance and the Provost and Executive Vice President.
B. Date of Most Recent Review:
VIII. Timetable for Review
This policy, and any related procedures, shall be reviewed and revised, if necessary, annually to become effective at the beginning of the university’s fiscal year, unless otherwise noted.
Senior Vice President for Administration and Finance
Provost and Executive Vice President
Date approved: December 13, 2006
Revised: January 9, 2013
Revision approved: June 9, 2016
Revision approved: June 24, 2019