Credit card processing at Howard Community College (HCC) complies with the Payment Card Industry Data Security Standards (PCIDSS). The following security requirements have been established by the payment card industry and adopted by HCC to ensure the college’s compliance with the payment card industry. These requirements apply to HCC employees, systems, and networks involved with credit card processing, including transmission, storage, or electronic and paper processing of credit card numbers.
Credit Card Processors
The college’s finance office maintains a list of: college work areas that process credit cards; approved credit card systems; and employees who process credit card transactions. This list is updated annually.
Employees who process credit card information or who have access to this information will complete annual PCIDSS training. The information technology department will arrange for training to ensure employees are kept informed of the latest PCIDSS requirements.
Work Center Procedures
Each work area that processes credit card information develops and maintains up-to-date business procedures to protect credit card information. These procedures will include the following measures:
Credit card information, including the primary account number (PAN), cardholder name, service code, and expiration date may be retained if there is a business need. Written justification of the business need will document the business reason for retention.
Data that are not permitted to be stored include: full magnetic stripe (track 1 or 2 data); CVV2, CVC2, CID, and CAV2; and PIN / PIN Block.
Credit card data may be destroyed using the following authorized methods:
Employees may not send or process unencrypted primary account numbers for credit cards via email or instant messaging. Credit card information may not be left exposed to unauthorized persons.
All sensitive credit card data are destroyed when they are no longer required to be maintained for legal, contractual, or business purposes. Generally, this timeframe is 60 days.
Network and Systems
The information technology department maintains additional procedures to ensure compliance with PCIDSS. These include:
Quarterly internal and external vulnerability scans are scheduled by the information technology department. External scans are accomplished by an approved scanning vendor.
Electronic scan cards are the primary security tool to track access to work areas that process credit card information. HCC’s security services department will provide the appropriate area supervisors with a daily automated, system-generated log that records when a controlled area has been accessed outside of normal business hours. The area supervisors may request video files for a specific time if a log reveals suspicious or unusual activity. Security services responds to entries into PCI-controlled work areas outside of normal business hours.
System and audit logs showing access to credit card data are retained online for at least one year.
The information technology department obtains letters stating PCI compliance from companies processing credit cards on the college’s behalf on an annual basis.
The college reports compliance to merchant banks through PCIDSS quarterly vulnerability scans and annual self-assessment.
Compliance with Howard Community College policies and procedures is expected under policy, 63.09, Ethics and Conduct; noncompliance is subject to the disciplinary provisions of that policy and possible criminal prosecution.
Effective Date: 10/12/12