Overview
This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges and credits on credit and/or debit cards. The goal is to protect against exposure and possible theft of account and personal cardholder information that has been provided to CSU, Channel Islands.
ITS Information Security (InfoSec) Responsibilities
- ITS InfoSec will coordinate organizational compliance and documentation
- ITS InfoSec will advise organizations on appropriate documentation of compliance and procedures to ensure alignment with PCI-DSS requirements.
Note: | Any organization, entity or individual that in any way accepts, captures, stores, processes or transmits credit or debit card information, using campus information assets, (both electronic and non-electronic), or uses third-party service providers to do this for you; is governed by this Information Security Standard. |
Department, Auxiliary or College Responsibilities
- Each organization which conducts credit card transactions under an assigned Merchant ID (MID) shall designate an individual responsible for completing the requisite documentation and ensuring the organization is compliant with PCI-DSS.
- Complete a CSU Channel Islands Annual Credit Card Security Self-Assessment Questionnaire (SAQ) and forward it to the Information Security Office for review.
- Maintain department credit card security handling procedures that comply with the PCI DSS – In addition to complying with campus information security policy and standards, departments should establish procedures for physically and electronically safeguarding cardholder information. Exceptions to these policies and procedures may be granted with written approval from an appropriate administrator and your division vice president.
- Communicate procedures to staff – Appropriate administrators should communicate the department credit card security handling procedures to staff and ensure that the “Credit Card Handlers and Processors Responsibilities” section of this standard is followed for all personnel involved in credit card transactions.
- Prevent unauthorized access to cardholder data and secure the data – Appropriate administrators should establish procedures to prevent access to cardholder data in physical or electronic form. Hard copy or media containing credit card information should be stored (when deemed necessary) in a locked drawer or office, and password protection should be used on computers.
- Restrict access based on a business need-to-know – Access to physical or electronic cardholder data should be restricted to individuals whose job requires access. Appropriate administrators should establish appropriate segregation of duties between personnel handling credit card processing, the processing of refunds, and the reconciliation function.
- Assign a unique ID to each person with computer access – Departments should ensure that a unique ID is assigned to each person with computer access to credit card information. User names and passwords may not be shared, nor should system accounts be issued or used.
- Transmitting credit card information by e-mail or fax – Full or partial credit card numbers and three or four digit validation codes (usually on the back of credit cards) may not be faxed or emailed unless personnel have been authorized to do so, and processes exist to securely store and dispose of the information. If transmitted by email, the contents must be encrypted or in a password protected file.
- Never store electronically the CVV, CVV2 validation code, or PIN number - Departments must not store the three or four digit CVV or CVV2 validation code from the credit card or the personal identification number (PIN).
- Background checks – Departments should perform applicable background checks on potential employees who have access to systems, networks, or cardholder data within the limits of CSU,
- CI HR policy, union bargaining agreements and local law. If employees have access to one card number at a time to facilitate a transaction, such as store cashiers, background checks are not necessary.
- Mask 12 of the 16 digits of the credit card number - Terminals and computers must mask all but the last 4 digits of the credit card number.
- Using imprint machines – Imprint machines need special handling as they display the full 16 digit credit card number on the customer copy. Departments should not use imprint machines to process credit card payments unless personnel have been authorized to do so, and processes exist to securely store and dispose of the information.
- Report Security Incidents to the Information Security Office - If staff or faculty know or suspect that credit card information has been exposed, stolen, or misused; this incident must be reported immediately to Information Security Office. The report must not disclose by fax or e-mail credit card numbers, three or four digit validation codes, or PINs.
Credit Card Handlers and Processors Responsibilities
Staff or faculty with access to credit or debit card holder data must not:
- Acquire or disclose any cardholder’s credit card information without the cardholder’s consent including but not limited to the full or partial sixteen (16) digit credit card number, three (3) or four (4) digit validation code (usually on the back of credit cards), or PINs (personal identification numbers)
- Transmit or request any credit card information by e-mail or fax. If someone e-mails their data, staff and faculty should make them aware that, for their own safety, they should not do this again. The email or fax should be destroyed as soon as possible
- Electronically store or record any credit card information in any electronic format (Excel files, databases, e-mail, etc.) unless they have been authorized to do so by the Information Security Office.
- Request, record, or store any of the magnetic stripe data or the credit card confirmation code (three digit on the back of many cards and 4 digits on the front of American Express)
- Share a computer password if they have access to a computer with credit card information
Staff or faculty with access to credit or debit card holder data should:
- Change a vendor-supplied or default password if they have access to a computer with credit card information.
- Password protect their computer if they have access to a computer with credit card information.
- Store all non-electronic, physical documents or storage media containing credit card information in a locked drawer, locked file cabinet, or locked office.
- Store all electronic files on a secured server, or as encrypted or password protected files
- Report immediately a credit card security incident to an appropriate administrator if they know or suspect credit card information has been exposed, stolen, or misused.
- Store only essential credit card information. Any stored information must be destroyed in accordance with the campus Record Retention Schedule. All media used for credit cards must be destroyed when retired from use. All hardcopies must be shredded prior to disposal.
Payment Card Industry Data Security Standards (PCI DSS)
The campus and all departments that process credit or debit card information must comply with the
Payment Card Industry Data Security Standards (PCI DSS). This includes the acquiring, accepting, capturing, storing, processing or transmitting of credit or debit card data, in both electronic and non-electronic formats.
PCI DSS is a set of comprehensive requirements for enhancing credit card data security. The standards were developed by the PCI Security Standards Council1, and a single violation of any of the requirements can trigger an overall non-compliant status. Each non-compliant incident may result in steep fines, suspension and revocation of card processing privileges.
Although the primary focus of the PCI DSS is on web-based sales and processing credit card information via the Internet, there are other processes that allow systems to be Internet accessible which may expose cardholder information. Basic functions such as e-mail can result in Internet accessibility of a merchant’s network. Therefore, all campus credit card merchants, including merchants transmitting via a terminal on a dedicated phone line, or other approved method of transmission must complete an annual self-assessment survey and, if applicable, an internal scan and a remote external scan by a PCI DSS approved vendor.
Storing Credit and Debit Card Holder Data
Card holder data is any personally identifiable data associated with a cardholder. This can be an account number, expiration date, name, address, social security number, or Card Verification Value CVV22.
Storage of credit cardholder data refers to both electronic (databases, spreadsheets, etc.) and non-electronic (faxes, imprint machine slips, hand written forms, etc.) data.
The best way to be in compliance with PCI DSS is by NOT storing credit card holder data if there is no business need to do so.
- The PCI Security Standards Council home page is https://www.pcisecuritystandards.org/
- The Card Verification Value (CVV2) is three- or four-digit value printed on the front or back of a payment card. CVV2 refers to VISA card naming scheme, whereas with MasterCard it is called Card Validation Code (CVC2), or Card-member ID by Discover, Card Identification Number (CID) by American Express.
Additional information regarding storage of credit and debit card holder information can be found in
Appendix A.
Appendix A: Credit Cardholder Data Storage Requirements
The following table includes high level information regarding storage and protection of cardholder data.
Data Element | Is Storage Allowed? | Is Protection Required? | PCI DSS Requirement 3.4? | |
Primary Account Number (PAN) | YES | YES | YES | |
Cardholder Name* | YES | YES* | NO | Cardholder Data |
Service Code* | YES | YES* | NO | (Front of Card) |
Expiration Date* | YES | YES* | NO | |
Full Magnetic Strip2 | NO | N/A | Cannot store per Requirement 3.2 | Sensitive |
CVC2/CVV2/CID3 | NO | N/A | Cannot store per Requirement 3.2 | Authentication Data1 |
PIN/PIN Block4 | NO | N/A | Cannot store per Requirement 3.2 | (Back of Card) |
1 Sensitive authentication data must not be stored after authorization (even if encrypted).
2 Full track data from the magnetic stripe, equivalent data on the chip, or elsewhere.
3 The three- or four-digit value printed on the front or back of a payment card
4 Personal Identification Number entered by cardholder during a transaction, and/or encrypted PIN block present within the transaction message.
* These data elements must be protected if stored in conjunction with the PAN.
Even when the storage of credit card holder data is necessary, only some data elements (from the front of the card) may be stored as long as they are protected. Protection of data means that it needs to be encrypted or otherwise made unreadable (PCI DSS Requirement 3.4). However the sensitive authentication data (from the back of the card) may not be stored.
Additionally, only some data elements may be kept for the charge back process, whereas others may not. Sensitive authentication data, such as CVV2, are used for charge back verification but must not be stored. The entire 16 digit Primary Account Number (PAN), which is also used in charge back verification, cannot be kept in an unprotected mode. Only the first 6 and/or the last 4 digits5 can be stored in this manner, because in this form, they are not card holder data. For example;
- Name + Expiry Date + Service Code is not cardholder data because the PAN is not retained.
- 1234 5678 9012 3456 + Name + Expiry Date is cardholder data because the PAN is retained; so everything must be protected.
- 1234 56xx xxxx 3456 + Name + Expiry Date is not cardholder data because store the first 6 and the last 4 digits unprotected.
- 1234 56xx xxxx 3456 + Name + CVV2 cannot be stored since sensitive authentication data is retained.
- The standard campus practice involves storing last 4 digits only
The PCI DSS storage rules also apply to digital voice and fax systems. Digital voice systems are searchable, so if a recording contains sensitive authentication data (CVV2/CVC2/CID), it cannot be stored and must be cleaned. Restricting both physical and logical access to such voice systems is recommended. Fax paper records also need to have sensitive authentication data deleted. This can be easily achieved by using forms in which a section can be removed. If the fax system has memory, that too needs to have the sensitive authentication data erased. PCI DSS storage rules also apply to any third party providers that you use for outsourcing; so departments should ensure that they are PCI compliant as part of any contract.