4.2.3 PCI Compliance

A. Purpose

This policy provides the requirements and guidelines for all payment card processing activities at the University, including debit card processing and ecommerce activities. The policy addresses protection against the exposure to and possible theft of account and personal cardholder information and the compliance with credit card company requirements for card information that is stored, processed, or transmitted on the University's information technology resources. The referenced payment card company requirements are known as the Payment Card Industry Data Security Standards (PCI DSS). Compliance with the PCI DSS and this policy is mandatory for all University departments/merchants and entities processing credit, debit, or e-commerce payments directly or indirectly.

B. Persons Affected

This policy addresses all payment card processing by and for The University of Texas at Tyler (the "University"). All electronic and non-electronic methods mentioned in this document apply and are subject to this policy. This remains true of any payments, whether handled directly by the University, on University-owned systems, or handled by third parties on the University's behalf. This policy applies to all users accessing, using, or handling University PCI data.

C. Definitions

N/A

D. Policy

Departments are not permitted to engage in any form of credit card payment processing without seeking and receiving approval as required by this policy. This includes non-electronic methods (taking payments with an imprinter or payment information on paper forms), face-to-face electronic methods (using POS terminals, iPads, etc., or PC-based payment software to process transactions), or indirect electronic methods (taking payments over the phone, via fax, or via e-commerce equipped websites whether handled directly by University employees and systems, or by a third party).

Outsourcing General Policy

Departments and units may elect to outsource payment card transaction processing. However, outsourcing does not remove the responsibility for verifying and maintaining protection from the outsourcing department or unit, nor does it eliminate the requirement of completing an annual PCI Self-Assessment Questionnaire (SAQ). Contracts/agreements must include language requiring the third party to comply with all appropriate PCI DSS requirements and provide proof of compliance annually.

Access to Cardholder Data

  1. Access to system components and cardholder data must be limited to only those individuals whose job requires such access.
  2. Individuals are given access to as little cardholder data as necessary to perform job functions.
  3. Individuals are instructed not to share cardholder information with others unless deemed necessary by a supervisor.
  4. All individuals who are involved with payment processing must be trained on this policy and all applicable procedures relevant to payment card processing.
  5. The University maintains a list of users with access to technologies connected to the payment card data environment (refer to list of AD security groups).
  6. If remote access is required to access devices within the payment card data environment, idle or absolute session timeouts must be in place to require re-authentication.

PCI Training

  1. All individuals who handle, process, support, or manage payment card transactions received by the University must complete the University PCI training upon hire and annually thereafter. Training requirements are addressed in the University PCI Requirements.
  2. Additionally, IT directors and designated staff involved in payment card e-Commerce processing must also comply with the University Information Security Standards.

Cardholder Data Storage and Destruction Requirements

  1. The following processes must be avoided if they include cardholder data:
    1. Basic functions including but not limited to faxing; e-mailing; scanning payment forms; maintaining spreadsheets, receipts, or documents in electronic form; and using messaging technology.
  2. All merchants and individuals processing payment cards must comply with PCI DSS and additionally with University PCI requirements.
  3. All systems that store sensitive authentication data after authorization must adhere to the following requirements:
    1. The complete payment card number is not to be stored under any circumstances.
    2. The card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions, and the personal identification number (PIN), or the encrypted PIN block is not to be stored under any circumstances.
    3. All systems that handle, process, or store payment card numbers must be registered with the IT department.
  4. All paper and electronic media containing cardholder data must be physically stored in a secure area that is accessible only by individuals whose jobs require they have access to cardholder data.
  5. All physical cardholder data that is not deemed essential must be properly destroyed. Paper records should be disposed of in the locked shredding bins and a certified third-party collects and shreds sensitive data from the bins on-site.

Protection of Devices Against Tampering

  1. A list of devices used for processing card payments is kept updated by Information Security and is audited on an annual basis. Audits are managed by the Information Security department.
  2. Periodic inspection of devices is performed by the department using the payment devices, along with ensuring only authorized users have access to the devices.
  3. The identity of any third-party persons claiming to be repair or maintenance personnel must be verified prior to granting them access to devices. Do not install, replace, or return devices without verification.

Violations

Any user found to have violated any policy, standard, or procedure may be subject to disciplinary action, up to and including termination of employment. Violators of local, state, Federal, and/or international law may be reported to the appropriate law enforcement agency for civil and/or criminal prosecution. 

APPROVED: 09/2021