PCI Training
In September of 2006, a group of five leading payment brands, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Incorporated, launched the Payment Card Industry (PCI) Security Standards Council, an open global forum responsible for the development, management, education, and awareness of the PCI Security Standards.
From the Council came the Payment Card Industry Data Security Standard (PCI DSS), which provides a baseline of technical and operational requirements designed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally.
The PCI DSS requirements apply to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and Third Party Service Providers (TPSP), as well as all other entities that store, process or transmit cardholder data. Additionally, the PCI DSS affects all credit card acceptance channels, including retail, mail, telephone, fax, and e-commerce.
Loyola University Chicago is required to remain in compliance with the PCI DSS.
The common processes and precautions for handling, processing, storing, and transmitting credit card data established by the PCI DSS help to combat the unprecedented assaults on personal and financial data which impact cardholders, retailers, banks, service providers and credit card companies.
PCI Data Security Standard – High Level Overview

Goals | PCI DSS Requirements
---|---
Build and Maintain a Secure Network and Systems | 1. Install and Maintain Network Security Controls. 2. Apply Secure Configurations to All System Components.
Protect Account Data | 3. Protect Stored Account Data. 4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.
Maintain a Vulnerability Management Program | 5. Protect All Systems and Networks from Malicious Software. 6. Develop and Maintain Secure Systems and Software.
Implement Strong Access Control Measures | 7. Restrict Access to System Components and Cardholder Data by Business Need to Know. 8. Identify Users and Authenticate Access to System Components. 9. Restrict Physical Access to Cardholder Data.
Regularly Monitor and Test Networks | 10. Log and Monitor All Access to System Components and Cardholder Data. 11. Test Security of Systems and Networks Regularly.
Maintain an Information Security Policy | 12. Support Information Security with Organizational Policies and Programs.
Non-compliance penalties vary among major credit card networks and can be substantial: companies can be barred from processing credit card transactions altogether, higher processing fees can be assessed, and, in the event of a serious security breach, fines of $500,000 or more can be levied for each instance of non-compliance. Several large, well-known institutions that lacked adequate protection have been responsible for exposing credit card payment data. Consequently, these companies were penalized with significant fines and experienced public backlash resulting from the negative media coverage of the major data security breaches within their organizations.
All University departments that transmit, process, or store cardholder data are responsible and accountable for their PCI Compliance. All employees must do their part to protect credit card data and to mitigate the risks associated with processing credit card transactions.
University Cash Management Services (CMS) works with your department to ensure that you are processing credit card payments or donations in accordance with these regulations. Maintaining PCI Compliance will prevent your department and the University from receiving unnecessary fines due to data exposure.
To assist in maintaining the University’s PCI compliance, Loyola University departments must adhere to the rules and business procedures below:
Please note: These rules are subject to change and may not address every PCI DSS requirement. Additional controls and practices may also apply.
- All University and CMS policies must be followed.
- Departments cannot collect credit card data or process credit card payments without prior approval from CMS.
- CMS approval must be obtained before a department can accept credit card payments. Departments are required to provide all potential acceptance channels (phone, postal mail, in-person point of sale, or eCommerce) for CMS review. Before approving any of these credit card acceptance channels, CMS will work with your department to ensure that secure processes are in place to protect the credit card data being collected. Any changes to your department’s credit card payment acceptance channels must be approved by CMS.
- Departments approved to accept credit card data via postal mail must ensure that strong policies are in place and enforced to secure the cardholder data until it is processed and destroyed. These policies must be reviewed and approved by CMS.
- Departments may NOT receive or request that credit card payment data be sent to the University via email, fax, instant messenger, chat, or any other unencrypted transmission method.
- Departments cannot direct cardholders to or provide a University designated computer, computer lab, iPad, tablet or other device to make credit card payments.
- Departments cannot use a computer to process an eCommerce payment on behalf of a cardholder unless they have been given access to both Loyola’s LSA and RDS servers. eCommerce payments must be processed via LSA and RDS on a computer; wireless devices such as tablets or mobile phones cannot be used. LSA and RDS server access is set up by ITS but can only be requested by CMS.
- Anyone at the University involved in the process of accepting credit card payments must undergo credit card security training on an annual basis and must adhere to the rules and regulations outlined by the Council and the University. Departments are required to notify CMS when new employees with access to credit card data and/or systems are hired and must ensure that all employees undergo training before they are allowed to handle or process credit card data.
- Do NOT acquire cardholder PINs (personal identification numbers). If a PIN is needed, the cardholder must enter it directly into the terminal.
- Credit card data must be labeled as confidential and employees may NOT electronically store any credit card data on a University computer, server, electronic flash drive, USB drive or optical storage (e.g., CD, DVD).
- Paper copies containing credit card data must NOT be left in an unsecured area. Electronic documentation must NOT be left open on a desktop, and users must log out of programs that have access to credit card data when not in use.
- Electronic or hardcopy reports (e.g., Excel or Word documents) generated for departmental business reporting may NOT contain any credit card payment data.
- When tracking transactions, order numbers or reference numbers should be used instead of credit card numbers.
- Documents that contain credit card payment data must be shredded using a cross-cut shredder. If a company is hired to shred documentation, a representative from your department must watch the hired company shred the documentation using a cross-cut shredding machine.
- Per PCI standard 9.4 & 9.5, departments must physically secure all related media (including, but not limited to, point-of-sale (POS) terminals, computers, removable electronic media, paper receipts, and paper reports) to prevent them from being stolen. Departments must also protect such documentation and devices with two layers of physical security (for example, two of the following four: a locked drawer or file cabinet, a safe bolted to the floor, a locked office, or a badge-secured area).
- Per PCI standard 9.4.1 & 9.4.2, departments must maintain strict control over the internal or external distribution of any kind of media that contains cardholder information or physical security characteristics of credit card payment information.
- Departments must implement policies to restrict access to cardholder data by business need-to-know (those individuals whose job requires it). Unique user IDs and passwords must be assigned to all users with access to cardholder data and related system components. Using group, shared, or generic accounts/passwords is NOT permitted unless documented and authorized through the University Information Security Office. Restriction of physical access to cardholder data must also be enforced.
- Any user ID that is no longer active or no longer needed must immediately be disabled. Departments are required to notify appropriate systems administration personnel when deactivation is required.
- Use a visitor log to retain a physical audit trail of visitor activity in secured areas. Retain this log for a minimum of three months, unless otherwise restricted by law.
- Departments need to verify with CMS the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot any credit card devices.
- Departments must inspect all point-of-sale (POS) terminals at the periodic schedule determined by CMS. Departments must be vigilant about any suspicious behavior around point-of-sale devices (for example, attempts by unknown persons to remove, unplug or open devices). Report any suspicious behavior and indications of device tampering or substitution to CMS and the University Information Security Office (UISO) immediately.
- The activation of remote-access technologies for third party vendors should be done only when needed, with immediate deactivation after use.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Do not use live credit card data in a test or pre-production environment.
- Refunds must be issued via the same method used for the original payment. Credit card payments must be refunded to the same credit card used for payment; a refund via check or cash for a credit card purchase is NOT permitted. Likewise, payments made by cash or check cannot be refunded via credit card.
- When processing refunds via POS devices, the credit card must be present.
- If at any time a department experiences a breach or compromise of any payment information or related data or suspects that credit card information has been exposed, stolen or misused, that department must report the event immediately to their supervisor, CMS and ITS Information Security. CMS will then assess the situation in cooperation with ITS and invoke the necessary incident response plan. CMS will then notify the University’s acquirer.
To notify CMS, please call 312-915-7455 or email LUC-Payments@luc.edu. To notify ITS Information Security, email DataSecurity@luc.edu or submit a report via https://www.luc.edu/its/uiso/contacttheuiso/report.shtml. Please do NOT disclose any credit card payment data in your notification. Please include the department name and a contact number.
The following Loyola policies must also be reviewed:
- Credit Card Policy: LUC Credit Card Policy
- Responsibilities of Credit Card Handlers and Processors: Responsibilities of Credit Card Handlers and Processors (this document must be reviewed, signed and submitted to CMS annually to complete PCI training)
- Security Awareness Policy: LUC ITS Security Awareness Policy
- Data Breach Response Policy: Data Breach Response Policy
- Data Classification Policy: LUC ITS Data Classification Policy
- Acceptable Usage Policy: LUC ITS Acceptable Usage Policy
Reviewed: October 8, 2021
Amended on: September 26, 2024