Payment Card Acceptance, Security and Governance (S-1)

Standard: S-1
Responsible Executive: Chief Financial Officer and Treasurer
Responsible Office: Office of Treasury Operations
Date Issued: December 13, 2013
Date Last Revised: September 18, 2020

TABLE OF CONTENTS

Contacts
Individuals and Entities Affected by this Standard
Statement of Standard
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates
Appendix A

CONTACTS

Clarification of Standard
  Title/Office: Office of Treasury Operations
  Telephone: 765-494-9783
  Email/Webpage: merchantsupport@purdue.edu

Business Procedures, New Merchant Accounts and Process Changes
  Title/Office: Office of Treasury Operations
  Telephone: 765-494-9783
  Email/Webpage: treasury@purdue.edu

IT Procedures and Changes or Updates to Software/Hardware
  Title/Office: Purdue System Security
  Telephone: 765-494-2751
  Email/Webpage: itpolicy@purdue.edu

Known or Suspected Security Incidents
  Title/Office: Office of Treasury Operations
  Telephone: 765-494-9783

  Title/Office: Purdue System Security
  Telephone: 765-494-2751

INDIVIDUALS AND ENTITIES AFFECTED BY THIS STANDARD

All persons, departments, units, entities, campuses and other Third Party Service Providers acting on behalf of the University that currently process, collect, maintain or have access to (directly or indirectly) Cardholder Data (CHD) and/or the related systems or applications within the Cardholder Data Environment (CDE), that seek to do so, or that may otherwise impact the security of such data, systems or applications.

STATEMENT OF STANDARD

Approval from the Office of Treasury Operations (OTO) is required before any person, department, unit, entity, campus or Third Party Service Provider may accept Payment Cards as a method of payment on behalf of the University.

Approval from the OTO also is required prior to purchasing any software or hardware or engaging with and/or entering into any contract with Third Party Service Providers that may facilitate the acceptance of Payment Cards as a method of payment. The requisite Merchant Account must be established by the OTO. Only individuals and entities that can demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS) as well as this standard will be granted a Merchant Account. 

The University has engaged in an exclusive strategic partnership to provide secure e-commerce solutions for accepting Payment Cards as a method of payment. Payment acceptance needs that cannot be met through this strategic partnership and require an alternative solution must be reviewed and approved on a case-by-case basis by the Senior Vice President and Assistant Treasurer via the OTO before engaging any alternative Third Party Service Providers and/or solutions. All Third Party Service Providers must demonstrate their PCI compliance prior to engaging with any University Merchant and must provide appropriate documentation at any time upon request. Merchants approved to accept Payment Cards will be subject to annual review of compliance and must therefore implement secure processes, adhere to all applicable PCI DSS requirements published and maintained by the PCI Security Standards Council (see Appendix A for an outline of the standards), and maintain best business practices as described in the business and IT procedures associated with this standard.

Merchants that transact business using Payment Cards in a manner that deviates from this standard are subject to various financial penalties and sanctions. These may include termination of Merchant Accounts, financial penalties and costs associated with a security breach, and penalties and costs associated with bringing non-compliant applications into scope.

Any confirmed or suspected compromise of the CDE must be reported immediately to IT Purdue System Security and the Office of Treasury Operations by emailing pci@purdue.edu. Additionally, an Incident Report Form must be completed. Refer to the Response Procedures for Payment Card Data Incidents for additional information.

RESPONSIBILITIES

Vice Presidents and Vice Chancellors

  • Ensure compliance with this standard.

Merchants

  • Prior to seeking approval as a Merchant and accepting Payment Cards as a method of payment, carefully review the requirements for Becoming a Merchant, including the information on Merchant Fees, to ensure all Merchant responsibilities can be met and to understand all costs and fees associated with accepting Payment Cards.
  • Implement this standard and related business and IT procedures.
  • Ensure that access to Payment Card Data is restricted to only those employees for whom such access is required to carry out the responsibilities of their position.
  • Ensure that all staff with payment card responsibilities complete Payment Card awareness training upon hire and on an annual basis thereafter.
  • Complete annual Self-Assessment Questionnaire.
  • Participate in annual compliance walk-through.
  • Follow established business procedures when making changes to the Merchant environment (i.e., new purpose for accepting Payment Cards, new Web application, etc.).
  • Immediately report any confirmed or suspected incident in accordance with the Response Procedures for Payment Card Data Incidents.

Office of Treasury Operations

  • Review requests for approval from departments/units wanting to accept Payment Cards.
  • Establish applicable Merchant Accounts.
  • Maintain related business procedures and assess compliance with the procedures by each Merchant no less than annually.
  • Provide compliance reports to the Acquiring Bank/Processor as required.
  • Provide Payment Card Acceptance training.
  • Review, in cooperation with IT Security and Policy, all contractual agreements for services that include the acceptance of Payment Cards.
  • Evaluate and approve new point-of-sale equipment utilized to accept/process Payment Cards.
  • Issue order to cease and desist use of Payment Card acceptance to any Merchant not meeting the PCI DSS requirements.
  • Respond to reports of confirmed or suspected incidents in accordance with the Response Procedures for Payment Card Data Incidents.
  • Keep abreast of changes in industry and PCI standards.

IT Purdue System Security

  • Establish related technical standards.
  • Conduct compliance validation and assessment services.
  • Coordinate technical oversight to ensure new implementations of and changes to existing applications and their related hardware are compliant with the current applicable PCI DSS requirements.
  • Review, in cooperation with the Office of Treasury Operations, all contractual agreements for services that facilitate the acceptance of Payment Cards.
  • Conduct a review to assess risk and identify systemwide vulnerabilities at least quarterly or when the environment changes.
  • Respond to reports of suspected or discovered incidents in accordance with the Response Procedures for Payment Card Data Incidents.
  • Keep abreast of changes in industry and PCI standards.

Procurement Services

  • In collaboration with the Office of Treasury Operations and Purdue System Security, ensure that RFPs/RFIs for and contracts with Third Party Service Providers include necessary language for payment acceptance by means of Payment Cards.

DEFINITIONS

All defined terms are capitalized throughout the document. Refer to the central Policy Glossary for additional defined terms.

Acquiring Bank/Processor
The financial institution that has entered into a contractual arrangement to process Payment Cards for the University. Also referred to as a merchant bank.

Cardholder Data Environment (CDE)
The people, processes and technology that store, process, and/or transmit cardholder data or sensitive authentication data. A CDE also includes any component that directly connects, supports or may otherwise affect the security of this environment.

Merchant(s)
All persons, departments, units, entities, campuses and Third Party Service Providers acting on behalf of the University that accept Payment Cards bearing the logos of any of the five members of the PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as a method of payment for goods and/or services.

Merchant Account
A unique account set up with the Acquiring Bank/Processor that provides a department or unit with the ability to process and settle Payment Card transactions for goods, services or donations.

Payment Card
Credit cards, debit cards and some gift/stored-value cards that bear the logo of a card association brand, including but not limited to Visa, MasterCard, Discover or American Express.

Payment Card Data
Also referred to as cardholder data (CHD), Payment Card Data refers to any information contained on a customer's Payment Card. The data is printed on either side of the card and may also be contained in digital format on the magnetic stripe embedded in the back of the card. Some Payment Cards store data in chips embedded in the front of the card. At a minimum, Payment Card Data includes the primary account number (PAN), cardholder name, expiration date and/or service code.

PCI DSS (Payment Card Industry Data Security Standards)
Security standards developed collaboratively by the major card issuers that must be adopted by all Merchants accepting Payment Cards. The standards, which are updated by the Payment Card Industry Security Standards Council, are intended to protect cardholder information from fraudulent use. Organizations that outsource their CDE or payment operations to Third Party Service Providers are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.

Third Party Service Provider
A business entity that is not a payment brand, but is directly involved in the processing, storage, or transmission of Payment Card Data on behalf of another entity. This also includes companies that provide services that control or could impact the security of Payment Card Data and/or the CDE.

RELATED DOCUMENTS, FORMS AND TOOLS

This standard is issued in support of the policies on Information Security and Privacy (VII.B.8) and Acceptable Use of IT Resources and Information Assets (VII.A.4), as amended or superseded.

Additional related information:

HISTORY AND UPDATES

September 18, 2020: Tightened up the language in the Statement of Policy to clarify approval requirements and oversight. Changed risk assessments performed by IT Purdue System Security to quarterly rather than annually. Added definitions for Cardholder Data Environment (CDE) and Third Party Service Provider. Updated definitions of Merchant, Payment Card Data and PCI DSS.

December 10, 2019: Updated Contacts section and hyperlink to incident response procedures throughout.

September 30, 2019: Standard reviewed and validated.

December 1, 2018: Standard reviewed and validated. Changed the Responsible Executive and updated the hyperlink to the Incident Report Form throughout. Minor updates made to wording in Statement of Standard and Responsibilities sections.

December 1, 2017: Standard reviewed and validated. Related Documents, Forms and Tools section updated. IT Security and Policy Responsibilities updated.

November 16, 2016: Standard reviewed and validated. Responsible Executive changed to Senior Vice President and Assistant Treasurer.

September 29, 2015: Contacts section updated, requirement for reporting and reference to new procedures updated in Statement of Standard, Responsibilities updated to align with new procedures, Related Documents, Tools and Forms section updated, and Appendix A updated to align with PCI DSS standards.

April 21, 2014: Additional contact added to the Contacts section. This standard supersedes its interim version of the same name.

December 13, 2013: This is the first such standard to address this issue.

APPENDIX A

PCI DSS Standards fall into the following broad categories that cover 12 requirements:

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need-to-know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel

Purdue University, 610 Purdue Mall, West Lafayette, IN 47907, (765) 494-4600