Minimum Security Standards for Merchant Payment Card Processing
UTB/TSC is committed to maintaining the security of customer information, including payment cardholder information such as payment card account number, payment cardholder name, expiration date, and payment cardholder verification number. To uphold this commitment, UTB/TSC follows the best practices for protecting payment card information as defined by the Payment Card Industry Security Standards Council, including information in computer systems which process, store, and transmit payment card information. UTB/TSC must adhere to these standards to limit its liability and to continue to process payments using payment cards.
The PCI Data Security Standard applies to all UTB/TSC computers and electronic devices involved in processing payment card information. PCI compliance is required of every merchant that stores, processes or transmits cardholder data, whether through eCommerce systems, equipment with externally facing IP addresses, or any other payment channel, including manual processing such as, but not limited to, point-of-sale terminals and cash registers.
UTB/TSC, including all colleges, schools, and units that process payment card data, has a contractual obligation to adhere to the PCI Data Security Standard (PCI-DSS). The Controller's Office and the Office of Information Security are working with departments to ensure compliance by December 31, 2007.
To meet the Payment Card Industry requirements, the Office of Information Security requires the following actions be taken:
- All Merchant accounts must be obtained through and registered with UTB/TSC Office of Accounting and Finance.
- Merchants shall not transmit or store cardholder data outside of services pre-approved by the Office of Accounting and Finance.
- All systems processing payment card information must be registered with the Office of Accounting and Finance. All systems processing payment card information must comply with the Category-A requirements specified in the UTB/TSC Minimum Security Standards for Systems. Server administrators should also refer to the Server Hardening Checklists.
- All applications processing payment card information must comply with the UTB/TSC Minimum Security Standards for Application Development and Administration.
- All payment card business and data handling processes must comply with the UTB/TSC Minimum Security Standards for Data Stewardship.
- All eCommerce merchants processing fewer than 20,000 payment card transactions per year, and all non-eCommerce merchants, are considered Level-4 Merchants under the PCI standards. All eCommerce systems associated with a Level-4 Merchant's processes shall undergo quarterly vulnerability scans. Local Information Security Administrators (ISAs) are expected to review the vulnerability scan results and remediate the findings or take steps to mitigate the risk. The ISAs will note in the Information Security Office's vulnerability management console when a particular finding has been identified as a false positive or the risk has been mitigated in another way.
- All Level-4 Merchants shall complete a PCI Self-Assessment Questionnaire quarterly. Access to these questionnaires will be limited to the respective department's Technical Support Coordinator(s), the department contact(s) for the merchant account, and the department head. All responses shall be coordinated with UTB/TSC Accounting and Finance and the Office of Information Security.
- All systems processing payment card information must use fixed IP addresses. Access to these systems should be appropriately restricted.
- Using any wireless connectivity for payment card processing is not authorized unless purchased from Global Payments Inc through UTB/TSC Accounting and Finance. Merchants that must use wireless must file an exception via the UTB/TSC Exception Reporting Process and must adhere to PCI best practices regarding such use.
- In addition to the UTB/TSC Minimum Security Standards for Systems, all Web servers providing payment card processing services must use the strongest transport encryption the server and its clients support. The example current when this standard was written was to disable SSLv2 and keep SSLv3; SSLv3 has since been broken as well, and PCI DSS no longer accepts SSL or early TLS (TLS 1.0) for protecting cardholder data in transit, so servers should offer TLS 1.2 or later and nothing older.
- All portable devices processing payment card information (e.g., laptops, external hard drives, flash drives, CD-ROMs, DVDs) and any desktops located in physically insecure environments must implement disk encryption software. Encryption credentials must be properly escrowed, preferably using a central escrow authority, if there is a need for data retention or recovery.
- Merchants using manual payment card processing techniques, such as point-of-sale and other credit card processing equipment, must abide by the Office of Accounting and Finance business procedures.
- The university merchant is also responsible for ensuring any credit card equipment purchased from vendors other than the university’s credit card processor (i.e., Global Payments Inc) is PCI compliant. The university merchant will coordinate proof of compliance with UTB/TSC Accounting and Finance Office.
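The transport-encryption item above asks server administrators to verify which SSL/TLS versions a Web server actually offers. The following audit script is an added example and is not part of this standard or of any UTB/TSC tool. It resolves Apache `SSLProtocol` directives (assuming Apache 2.4 mod_ssl semantics, where `all` excludes SSLv2; under Apache 2.2 `all` also included SSLv2, which is why `all -SSLv2` was the policy-era form) and nginx `ssl_protocols` lines, and flags any legacy version (SSLv2, SSLv3, TLS 1.0, TLS 1.1) that remains enabled. The sample configuration lines are constructed for the example.

```python
"""Audit web-server TLS protocol directives for legacy SSL/TLS versions.

Added example for this policy page, not UTB/TSC code. Assumes Apache 2.4
mod_ssl 'SSLProtocol' semantics and nginx 'ssl_protocols' syntax.
"""
import re

# Protocol versions in age order (assumed complete set for this example).
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Versions that should not be offered to cardholder-data connections: SSL and
# "early TLS" (TLS 1.0), plus TLS 1.1, which current guidance also retires.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
_CANON = {v.lower(): v for v in VERSIONS}


def canon(name: str) -> str:
    """Map a case-insensitive protocol token to its canonical spelling."""
    try:
        return _CANON[name.lower()]
    except KeyError:
        raise ValueError(f"unknown protocol token: {name!r}")


def apache_protocols(value: str) -> set:
    """Resolve an Apache 2.4 'SSLProtocol' value to the set of enabled versions.

    Tokens are processed left to right: '+X' or bare 'X' enables a version,
    '-X' disables it. 'all' expands to every version except SSLv2 when
    enabling, and to every version when disabling ('-all').
    """
    enabled = set()
    for token in value.split():
        if token.startswith("-"):
            sign, name = "-", token[1:]
        else:
            sign, name = "+", token.lstrip("+")
        if name.lower() == "all":
            targets = VERSIONS if sign == "-" else [v for v in VERSIONS if v != "SSLv2"]
        else:
            targets = [canon(name)]
        for version in targets:
            if sign == "-":
                enabled.discard(version)
            else:
                enabled.add(version)
    return enabled


def parse_directive(line: str):
    """Return (server, enabled_versions) for a protocol directive line, else None."""
    m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
    if m:
        return "apache", apache_protocols(m.group(1))
    m = re.match(r"\s*ssl_protocols\s+(.+?)\s*;\s*$", line, re.IGNORECASE)
    if m:
        return "nginx", {canon(t) for t in m.group(1).split()}
    return None


def audit(config_text: str) -> list:
    """Scan configuration text and report legacy versions left enabled per directive."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        parsed = parse_directive(line)
        if parsed is None:
            continue
        server, enabled = parsed
        findings.append({
            "line": lineno,
            "server": server,
            "enabled": sorted(enabled, key=VERSIONS.index),
            "legacy": sorted(enabled & LEGACY, key=VERSIONS.index),
        })
    return findings


# Constructed sample configuration: the policy-era Apache form, a hardened
# Apache form, and an nginx line that still offers SSLv3 and TLS 1.0.
SAMPLE_CONFIG = """\
# policy-era directive: only SSLv2 removed
SSLProtocol all -SSLv2
# hardened directive: TLS 1.2 and 1.3 only
SSLProtocol -all +TLSv1.2 +TLSv1.3
# nginx virtual host that was never updated
ssl_protocols SSLv3 TLSv1 TLSv1.2;
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        status = "FAIL" if finding["legacy"] else "ok"
        print(f"line {finding['line']} ({finding['server']}): {status} "
              f"enabled={finding['enabled']} legacy={finding['legacy']}")
```

Run against a real configuration with `audit(open(path).read())`; any finding with a non-empty `legacy` list identifies a directive to tighten to `-all +TLSv1.2 +TLSv1.3` (Apache) or `ssl_protocols TLSv1.2 TLSv1.3;` (nginx). The script reads configuration only; confirm the live listener separately, since an include file or a later directive can override what a single line shows.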
IV. Additional Resources
Supporting PCI-DSS Documents