Credit card processing at Howard Community College (HCC) complies with the Payment Card Industry Data Security Standards (PCIDSS).  The following security requirements have been established by the payment card industry and adopted by HCC to ensure the college’s compliance with the payment card industry.  These requirements apply to HCC employees, systems, and networks involved with credit card processing, including transmission, storage, or electronic and paper processing of credit card numbers. 

Credit Card Processors

The college’s finance office maintains a list of: college work areas that process credit cards; approved credit card systems; and employees who process credit card transactions.  This list is updated annually.

Training

Employees who process credit card information or who have access to this information will complete annual PCIDSS training.  The information technology department will arrange for training to ensure employees are kept informed of the latest PCIDSS requirements.

Work Center Procedures

Each work area that processes credit card information develops and maintains up-to-date business procedures to protect credit card information.  These procedures will include the following measures:

  • Access to credit card information is restricted to a “need to know” basis.  Written authorization giving employees access to credit card information must be maintained and signed by the supervisor and employee.  Employees granted access to credit card information acknowledge their responsibility for protecting this information.  Supervisors record a list of personnel who have access to credit card information, including their specific roles and responsibilities.  This list is updated annually.
  • System and desktop passwords must be changed every 90 days.  Changed passwords may not repeat the last four passwords used.  Passwords may not be shared.  Further guidance related to passwords may be found in college procedure 61.12.01, Identification, Authentication, and Password Management.
  • Procedures are in place to expire or terminate accounts for individuals who leave employment with the college.  When an employee separates from the college, accounts are terminated immediately and reported to the human resources office.
  • Written procedures are in place to secure and protect credit card information, which includes working documents, receipts, and forms.
  • A review of the physical security of the credit card processing environment, which includes control logs, scan card entries, and camera images, is conducted on a monthly basis.
  • All credit card information via a fax machine will be received through fax machines kept in a secure environment or through a fax secured to print on demand with an access code.
  • System logs showing access to credit card data will be retained for one year.  Additionally, 90 days of information is kept online.
  • A list of all hardware and systems used to process credit card information is maintained.  All devices are labeled with contact information.
  • All media containing credit card and sensitive information are marked “confidential.”
  • Processes for vendors who maintain credit card systems are established.  Vendor access is disabled when the use of the system is no longer needed.
  • Practices for identifying and escorting visitors and vendors who are provided access to the credit card processing environment are developed and implemented.

Data Retention

Credit card information, including the primary account number (PAN), cardholder name, service code, and expiration date may be retained if there is a business need.  Written justification of the business need will document the business reason for retention.

Data that are not permitted to be stored include:  full magnetic stripe (track 1 or 2 data); CVV2, CVC2, CID, and CAV2; and  PIN / PIN Block.

Data Destruction 

Credit card data may be destroyed using the following authorized methods:

  • Hard disks are returned to the college information technology department to allow disk destruction in accordance with National Security Agency (NSA) standards (smashed, pulverized);
  • CDs and other optical media discs or magnetic media disks  are shredded; and
  • Paper is shredded using cross-cut shredding.

Restrictions 

Employees may not send or process unencrypted primary account numbers for credit cards via email or instant messaging.  Credit card information may not be left exposed to unauthorized persons.

Disposal 

All sensitive credit card data are destroyed when they are no longer required to be maintained for legal, contractual, or business purposes.  Generally, this timeframe is 60 days.

Network and Systems

The information technology department maintains additional procedures to ensure compliance with PCIDSS.  These include:

  • Configuration of card processing environments procedures, including segmentation of local area networks and protection through deployment of firewalls;
  • Logging control procedures;
  • Wireless use procedures;
  • Encryption procedures; and
  • Scheduled penetration tests.

Quarterly internal and external vulnerability scans are scheduled by the information technology department.  External scans are accomplished by an approved scanning vendor.

Surveillance

Electronic scan cards are the primary security tool to track access to work areas that process credit card information.  HCC’s security services department will provide the  appropriate area supervisors with a daily automated, system-generated log that records when a controlled area has been accessed outside of normal business hours.  The area supervisors may request video files for a specific time if a log reveals suspicious or unusual activity.  Security services responds to entries into PCI-controlled work areas outside of normal business hours. 

System Logs

System and audit logs showing access to credit card data are retained online for at least one year. 

Third-Party Compliance

The information technology department obtains letters stating PCI compliance from companies processing credit cards on the college’s behalf on an annual basis.

Compliance

The college reports compliance to merchant banks through PCIDSS quarterly vulnerability scans and annual self-assessment.

Compliance with Howard Community College policies and procedures is expected under policy, 63.09, Ethics and Conduct; noncompliance is subject to the disciplinary provisions of that policy and possible criminal prosecution.

Effective Date:  10/12/12