Payment Card Acceptance, Security, Compliance and Governance (S-1)

Standard: S-1
Responsible Executive: Chief Financial Officer and Treasurer
Responsible Office: Office of Treasury Operations
Date Issued: December 13, 2013
Date Last Revised: September 27, 2023

TABLE OF CONTENTS

Contacts
Individuals and Entities Affected by this Standard
Statement of Standard
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates
Appendix A

CONTACTS

Clarification of Standard
  • Title/Office: Office of Treasury Operations
  • Telephone: 765-494-9783
  • Email/Webpage: merchantsupport@purdue.edu

Business Procedures, New Merchant Accounts and Process Changes
  • Title/Office: Office of Treasury Operations
  • Telephone: 765-494-9783
  • Email/Webpage: treasury@purdue.edu

IT Procedures and Changes or Updates to Software/Hardware
  • Title/Office: Purdue System Security
  • Telephone: 765-494-2751
  • Email/Webpage: itpolicyreq@purdue.edu

Known or Suspected Security Incidents
  • Title/Office: Office of Treasury Operations; Purdue System Security
  • Telephone: 765-494-9783

INDIVIDUALS AND ENTITIES AFFECTED BY THIS STANDARD

All persons, departments, units, entities, campuses and other Third Party Service Providers acting on behalf of the University that currently, or seek to, process, collect, maintain, have access to (directly or indirectly), or may otherwise impact the security of Cardholder Data (CHD) and/or the related systems or applications within the Cardholder Data Environment (CDE). 

STATEMENT OF STANDARD

Approval from the Office of Treasury Operations (OTO) is required before any person, department, unit, entity, campus or Third Party Service Provider (TPSP) may act as the Merchant of Record or accept Payment Cards as a method of payment on behalf of the University.

All solutions, including but not limited to devices, software, hardware, payment gateways, payment processors, other technologies, and TPSPs that are used to facilitate the acceptance of Payment Cards as a method of payment must be approved by the OTO prior to entering into any contracts or purchasing any solutions. The requisite Merchant Account(s) must be established by the OTO. Only individuals and entities that can demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS) as well as this standard will be granted a Merchant Account. Merchants approved to accept Payment Cards are subject to review(s) of compliance and must demonstrate compliance on an annual basis by completing a Self-Assessment Questionnaire (SAQ). In so doing, they must implement secure processes, adhere to all applicable PCI DSS requirements published and maintained by the PCI Security Standards Council (see Appendix A for an outline of these requirements), and maintain best practices as described in business and IT procedures associated with this standard.

The University has engaged strategic partners for accepting Payment Cards as a method of payment. Payment acceptance needs that cannot be met through these partnerships and require an alternative solution must be presented to the Vice President and Deputy CFO via the OTO for review and approval on a case-by-case basis prior to engaging any alternative solutions. All TPSPs must demonstrate their PCI DSS compliance prior to engaging with any University Merchant and must provide appropriate documentation at any time upon request.

Merchants that transact business using Payment Cards in a manner that deviates from this standard are subject to various financial penalties and sanctions. These may include termination of Merchant Accounts, financial penalties and costs associated with a security breach or fraudulent transactions, as well as penalties and costs associated with bringing non-compliant applications into scope.  

Any confirmed or suspected compromise of the Cardholder Data Environment (CDE) must be reported immediately to IT Purdue System Security by completion of an Incident Report Form. Refer to the Response Procedures for Payment Card Data Incidents for additional information.

RESPONSIBILITIES

Vice Presidents and Vice Chancellors

  • Ensure compliance with this standard.

Merchants

  • Prior to seeking approval as a Merchant and accepting Payment Cards as a method of payment, carefully review the requirements for Becoming a Merchant, including the information on Merchant Fees, to ensure all Merchant responsibilities can be met and to understand all costs and fees associated with accepting Payment Cards.
  • Implement this standard and related business and IT procedures.
  • Establish and maintain departmental business procedures for the processing of Payment Cards.
  • Ensure that access to Payment Card Data is restricted to only those employees for whom such access is required to carry out the responsibilities of their position.
  • Ensure that all staff with Payment Card responsibilities complete Payment Card acceptance training upon hire and on an annual basis thereafter.
  • Complete annual Self-Assessment Questionnaire.
  • Participate in PCI DSS interview meetings.
  • Follow established business procedures when making changes to the Merchant environment (i.e., new purpose for accepting Payment Cards, new Web application, etc.).
  • Immediately report any confirmed or suspected incident in accordance with the Response Procedures for Payment Card Data Incidents.

Office of Treasury Operations

  • Review requests for approval from departments/units wanting to accept Payment Cards.
  • Establish applicable Merchant Accounts.
  • Maintain related business procedures and assess compliance with the procedures by each Merchant no less than annually.
  • Provide compliance reports to the Acquiring Bank/Processor as required.
  • Provide Payment Card Acceptance training.
  • Review, in cooperation with IT Security and Policy, all contractual agreements for services that include the acceptance of Payment Cards.
  • Evaluate and approve new point-of-sale equipment utilized to accept/process Payment Cards.
  • Issue order to cease and desist use of Payment Card acceptance to any Merchant not meeting the PCI DSS requirements.
  • Respond to reports of confirmed or suspected incidents in accordance with the Response Procedures for Payment Card Data Incidents.
  • Keep abreast of changes in industry and PCI DSS standards.

IT Purdue System Security

  • Establish related technical standards.
  • Conduct compliance validation and assessment services.
  • Coordinate technical oversight to ensure new implementations of and changes to existing applications and their related hardware are compliant with the current applicable PCI DSS requirements.
  • Review, in cooperation with the Office of Treasury Operations, all contractual agreements for services that facilitate the acceptance of Payment Cards.
  • Conduct a review to assess risk and identify systemwide vulnerabilities at least quarterly or when the environment changes.
  • Respond to reports of suspected or discovered incidents in accordance with the Response Procedures for Payment Card Data Incidents.
  • Keep abreast of changes in industry and PCI DSS standards.

Procurement Services

  • In collaboration with the Office of Treasury Operations and Purdue System Security, ensure that RFPs/RFIs for and contracts with any payment processing solutions, software, hardware or Third Party Service Providers include necessary language for payment acceptance by means of Payment Cards.

DEFINITIONS

All defined terms are capitalized throughout the document. Refer to the central Policy Glossary for additional defined terms.

Acquiring Bank/Processor
The financial institution that has entered into a contractual arrangement to process Payment Cards for the University. Also referred to as a merchant bank.

Cardholder Data Environment (CDE)
The people, processes and technology that store, process, and/or transmit cardholder data or sensitive authentication data. A CDE also includes any component that directly connects, supports or may otherwise affect the security of this environment.

Merchant(s)
All persons, departments, units, entities, campuses and Third Party Service Providers acting on behalf of the University that accept Payment Cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as a method of payment for goods and/or services. 

Merchant Account
A unique account set up with the Acquiring Bank/Processor that provides a Merchant with the ability to process and settle Payment Card transactions for goods, services or donations.

Merchant of Record
The legal entity selling goods or services to a cardholder and to whom the cardholder owes payment for such good and services. The Merchant of Record takes on all of the liability related to those transactions, including ensuring PCI DSS compliance, covering the costs of payment processing systems and fees, and honoring refunds and chargebacks.

Payment Card
Credit cards, debit cards and some gift/stored-value cards that bear the logo of a card association brand, including but not limited to Visa, MasterCard, Discover or American Express.

Payment Card Data
Also referred to as cardholder data (CHD), Payment Card Data refers to any information contained on a customer's Payment Card. The data is printed on either side of the card and may also be stored in digital form on the magnetic stripe on the back of the card. Some Payment Cards store data in a chip embedded in the front of the card. At a minimum, Payment Card Data includes the primary account number (PAN), cardholder name, expiration date and/or service code.

PCI DSS (Payment Card Industry Data Security Standard)
Security standards developed collaboratively by the major card issuers that must be adopted by all Merchants accepting Payment Cards. The standards, which are updated by the Payment Card Industry Security Standards Council, are intended to protect cardholder information from fraudulent use. Organizations that outsource their CDE or payment operations to Third Party Service Providers are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.

Third Party Service Provider (TPSP)
A business entity that is not a payment brand, but is directly involved in the processing, storage, or transmission of Payment Card Data on behalf of another entity. This also includes companies that provide services that control or could impact the security of Payment Card Data and/or the CDE.

RELATED DOCUMENTS, FORMS AND TOOLS

This standard is issued in support of the policies on Information Security and Privacy (VII.B.8) and Acceptable Use of IT Resources and Information Assets (VII.A.4), as amended or superseded.

Additional related information:

HISTORY AND UPDATES

September 27, 2023: Revised merchant responsibilities and Appendix A to align with updated PCI DSS requirements.

September 14, 2022: Updated Contacts section and hyperlinks.

November 1, 2021: Expanded the kinds of solutions that require OTO approval and changed executive responsible for approval to the Vice President and Deputy CFO. Added definition for Merchant of Record.

September 18, 2020: Tightened up the language in the Statement of Policy to clarify approval requirements and oversight. Changed risk assessments performed by IT Purdue System Security to quarterly rather than annually. Added definitions for Cardholder Data Environment (CDE) and Third Party Service Provider. Updated definitions of Merchant, Payment Card Data and PCI DSS.

December 10, 2019: Updated Contacts section and hyperlink to incident response procedures throughout.

September 30, 2019: Standard reviewed and validated. 

December 1, 2018: Standard reviewed and validated. Changed the Responsible Executive and updated the hyperlink to the Incident Report Form throughout. Minor updates made to wording in Statement of Standard and Responsibilities sections. 

December 1, 2017: Standard reviewed and validated. Related Documents, Forms and Tools section updated. IT Security and Policy Responsibilities updated.  

November 16, 2016: Standard reviewed and validated. Responsible Executive changed to Senior Vice President and Assistant Treasurer.

September 29, 2015: Contacts section updated, requirement for reporting and reference to new procedures updated in Statement of Standard, Responsibilities updated to align with new procedures, Related Documents, Tools and Forms section updated, and Appendix A updated to align with PCI DSS standards.

April 21, 2014: Additional contact added to the Contacts section. This standard supersedes its interim version of the same name.

December 13, 2013: This is the first such standard to address this issue.

APPENDIX A

PCI DSS Standards fall into the following broad categories that cover 12 requirements:

Build and Maintain a Secure Network and Systems

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components

Protect Account Data

  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks

Maintain a Vulnerability Management Program

  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software

Implement Strong Access Control Measures

  7. Restrict access to system components and cardholder data by business need-to-know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly

Maintain an Information Security Policy

  12. Support information security with organizational policies and programs
