Payment Card Industry Data Security Standard Procedure - 62.10.01
Credit card processing at Howard Community College (HCC) complies with the Payment Card Industry Data Security Standard (PCI DSS). The following security requirements have been established by the payment card industry and adopted by HCC to ensure the college’s compliance with PCI DSS. These requirements apply to HCC employees, systems, and networks involved with credit card processing, including transmission, storage, or electronic and paper processing of credit card data.
Credit Card Processors
The college’s finance office maintains a list of: college work areas that process credit cards; approved credit card systems; and employees who process credit card transactions. This list is updated annually.
Employees who process credit card information or who have access to this information are required to complete annual PCI DSS training. The finance office will arrange for training to ensure employees are kept informed of the latest PCI DSS requirements.
Work Center Procedures
Each work area that processes credit card information develops and maintains up-to-date business procedures to protect credit card information. These procedures include the following measures:
- Access to credit card data is restricted to a “need to know” basis. Written authorization giving employees access to credit card information must be maintained and signed by the supervisor and employee. Employees granted access to credit card information acknowledge their responsibility for protecting this information. Supervisors record a list of personnel who have access to credit card information, including their specific roles and responsibilities. This list is updated annually.
- System and desktop passwords must be changed every 90 days. Changed passwords may not repeat the last four passwords used. Passwords may not be shared. Further guidance related to passwords may be found in college procedure 61.12.01, Identification, Authentication, and Password Management.
- Procedures are in place to expire or terminate accounts for individuals who leave employment with the college. When an employee separates from the college, that employee's accounts are terminated.
- Written procedures are in place to secure and protect credit card information, which includes working documents, receipts, and forms.
- A review of the physical security of the credit card processing environment, which includes control logs, scan card entries, and camera images, is conducted on a monthly basis.
- Credit card data sent by fax is received only on fax machines kept in a secure environment, or on fax machines configured to print on demand after entry of an access code.
- System logs showing access to credit card data will be retained for one year. Additionally, 90 days of information is kept online.
- A list of all hardware and systems used to process credit card information is maintained. All devices are labeled with contact information.
- All media containing credit card and sensitive information are marked “confidential.”
- Processes for vendors who maintain credit card systems are established. Vendor access is disabled when the use of the system is no longer needed.
- Practices for identifying and escorting visitors and vendors who are provided access to the credit card processing environment are developed and implemented.
Credit card data, including the primary account number (PAN), cardholder name, service code, and expiration date, may be retained if there is a business need. The business need must be documented in a written justification stating the reason for retention.
Data that are not permitted to be stored include: full magnetic stripe (track 1 or 2 data); CVV2, CVC2, CID, and CAV2; storage chip; and PIN/PIN Block.
Credit card data may be destroyed using the following authorized methods:
- Hard disks are returned to the college information technology department to allow disk destruction in accordance with National Security Agency (NSA) standards (smashed, pulverized);
- CDs and other optical media discs or magnetic media disks are shredded; and
- Paper is shredded using cross-cut shredding (maximum particle size 6 mm x 35 mm).
Employees may not send or process unencrypted primary account numbers for credit cards via email or instant messaging. Credit card information may not be left exposed to unauthorized persons.
All sensitive credit card data are destroyed when they are no longer required to be maintained for legal, contractual, or business purposes. Generally, this timeframe is 60 days.
Network and Systems
The information technology department maintains additional procedures to ensure compliance with PCI DSS. These include:
- Procedures for configuring card processing environments, including segmentation of local area networks and protection through deployment of firewalls;
- Logging control procedures;
- Wireless use procedures;
- Encryption procedures; and
- Scheduled penetration tests.
Quarterly internal and external vulnerability scans are scheduled by the information technology department. External scans are accomplished by an approved scanning vendor.
Electronic scan cards are the primary security tool to track access to work areas that process credit card information. HCC’s security services department will provide the appropriate area supervisors with a daily automated, system-generated log that records when a controlled area has been accessed outside of normal business hours. The area supervisors may request video files for a specific time if a log reveals suspicious or unusual activity. Security services responds to entries into PCI-controlled work areas outside of normal business hours.
System and audit logs showing access to credit card data are retained online for at least one year.
The finance office obtains letters stating PCI compliance from companies processing credit cards on the college’s behalf on an annual basis.
The college reports compliance to merchant banks through PCI DSS quarterly vulnerability scans and annual self-assessment.
Compliance with Howard Community College policies and procedures is expected under policy 63.09, Ethics and Conduct; noncompliance is subject to the disciplinary provisions of that policy and possible criminal prosecution.
Effective Date: 09/10/21
President's Office Use: VPIT/VPAF