Business and Finance

Payment Card Acceptance, Security and Governance (S-1)

Standard: S-1
Responsible Executive: Executive Vice President for Business and Finance and Treasurer
Responsible Office: Office of Treasury Operations
Date Issued: December 13, 2013
Date Last Revised: April 21, 2014

TABLE OF CONTENTS

Individuals and Entities Affected by this Standard
Contacts
Statement of Standard
Responsibilities
Definitions
Related Documents, Forms and Tools
History and Updates
Appendix A

INDIVIDUALS AND ENTITIES AFFECTED BY THIS STANDARD

All persons, departments, units and campuses that currently, or seek to, process, collect, maintain or have access to Payment Card Data and/or the related systems or applications.

CONTACTS

Subject                              Contact                        Telephone         E-mail/Web Address
Clarification of Standard            Office of Treasury Operations  (765) 494-9783    treasury@purdue.edu
Establishing a New Merchant Account  Office of Treasury Operations  (765) 494-9783    treasury@purdue.edu
Business Procedures                  Office of Treasury Operations  (765) 494-9783    treasury@purdue.edu
Technical/IT Procedures              IT Security and Policy         (765) 496-3567    itpolicy@purdue.edu
Software/Hardware Change or Update   IT Security and Policy         (765) 496-3567    itpolicy@purdue.edu
Known or Suspected Security Breach   Office of Treasury Operations  (765) 494-9783
                                     IT Security and Policy         (765) 496-3567

STATEMENT OF STANDARD

Approval from the Office of Treasury Operations (OTO) is required before any University campus, department or unit may accept Payment Cards and/or before entering into any contract or purchasing any software or equipment related to Payment Card processing. The requisite Merchant Account will be established by OTO. No Merchant Account will be approved unless the Merchant is fully compliant with the PCI DSS and this standard.

Campuses, departments and units that have been approved to accept Payment Cards must implement security requirements, adhere to the standards published and maintained by the PCI Security Standards Council (see Appendix A for an outline of the standards) and maintain proper business practices as described in the business and IT procedures associated with this standard. The campus, department or unit is responsible for paying all fees and other costs associated with accepting Payment Cards, including internal fees for administering the University's Payment Card program.

The University strategically partners with a third-party vendor to provide a compliant e-commerce application. Campuses, departments or units that believe their needs cannot be met through this partner must request approval from the Senior Vice President for Business Services and Assistant Treasurer via the OTO before considering or acquiring third-party solutions. Third-party vendors must provide proof of compliance with credit card security standards on an ongoing basis.

All known or suspected security breaches of Payment Card Data must be reported immediately to IT Security and Policy via the completion of an Incident Report Form and to the Office of Treasury Operations. Refer to the policy on Incident Response (VII.B.3) for additional reporting requirements.

University campuses, departments or units that transact business using Payment Cards in a manner that deviates from this standard are subject to financial penalties and sanctions. These may include termination of Merchant Accounts, financial penalties and costs associated with a security breach, and penalties and costs associated with bringing non-compliant applications into compliance.

RESPONSIBILITIES

Vice Presidents and Vice Chancellors

  • Ensure compliance with this standard

Merchants

  • Implement this standard and related business and IT procedures
  • Ensure that access to Payment Card Data is restricted to only those employees for whom such access is required to carry out the responsibilities of their position
  • Complete annual Payment Card awareness training
  • Complete annual Security Assessment Questionnaire
  • Follow established business procedures when making changes to the Merchant environment (e.g., a new purpose for accepting Payment Cards, a new Web application)

Office of Treasury Operations

  • Review, for approval, requests from departments/units to accept Payment Cards
  • Establish applicable Merchant Accounts
  • Establish related business procedures and assess compliance with the procedures by each Merchant no less than annually
  • Provide compliance reports to the Acquiring Bank/Processor as required
  • Provide Payment Card awareness training
  • Review, in cooperation with IT Security and Policy, all contractual agreements for services that include the acceptance of Payment Cards
  • Approve point-of-sale equipment utilized to accept/process Payment Cards
  • Issue cease-and-desist orders halting Payment Card acceptance by any Merchant not meeting the PCI DSS requirements
  • Keep abreast of changes in industry and PCI standards

IT Security and Policy

  • Establish related technical standards and monitor compliance with them
  • Conduct compliance validation and assessment services
  • Coordinate technical oversight to ensure new implementations of and changes to existing applications and their related hardware are compliant with the current standards
  • Review, in cooperation with the Office of Treasury Operations, all contractual agreements for services that include the acceptance of Payment Cards
  • Conduct a review of each Merchant to assess risk and identify vulnerabilities at least annually or when the environment changes
  • Keep abreast of changes in industry and PCI standards

Procurement Services

  • Collaborate with IT Security and Policy and the Office of Treasury Operations on development of RFPs/RFIs and negotiation of language on contracts that include payment acceptance by means of Payment Cards

DEFINITIONS

All defined terms are capitalized throughout the document. Additional defined terms may be found in the central Policy Glossary.

Acquiring Bank/Processor
The financial institution that has entered into a contractual arrangement to process Payment Cards for the University.

Merchant(s)
All persons, departments, units and campuses that process, collect, maintain or have access to Payment Card Data.

Merchant Account
A unique account set up with the Acquiring Bank/Processor that provides a department or unit with the ability to process and settle Payment Card transactions for goods, services or donations.

Payment Card
Credit cards, debit cards and some gift/stored-value cards that bear the logo of a card association brand, including but not limited to Visa, MasterCard, Discover or American Express.

Payment Card Data
At a minimum, Payment Card Data consists of the full unique Payment Card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account. Payment Card Data may also appear in the form of the unique Payment Card number plus any of the following: cardholder name, expiration date and/or service code.

PCI DSS (Payment Card Industry Data Security Standards)
Security standards developed collaboratively by the major card issuers that must be adopted by all merchants accepting Payment Cards. The standards, which are updated by the Payment Card Industry Security Standards Council, are intended to protect cardholder information from fraudulent use.

RELATED DOCUMENTS, FORMS AND TOOLS

This standard is issued in support of the Data Security and Access Policy (C-34) and the policy on Privacy for Electronic Information (VII.B.2), as amended or superseded.

HISTORY AND UPDATES

April 21, 2014: Additional contact added to the Contacts section. This standard supersedes its interim version of the same name.

December 13, 2013: This is the first such standard to address this issue.

APPENDIX A

PCI DSS Standards fall into the following broad categories:

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security