PCI-DSS requirements apply to all transactions surrounding the payment card industry including electronic and paper transactions processed via point-of-sale, mail order, telephone order, or ecommerce. Any organization involved in handling card holder data (CHD) is required to ensure the data security standards are met.
Those elements of payment card information that are required to be protected are called Card Holder Data or CHD. CHD includes the following:
- the Primary Account Number (PAN), or
- the PAN in conjunction with:
  - Cardholder name
  - Expiration Date
  - Service Code
Any department or unit that has been approved by the Campus Finance/Administration Office to accept payment cards (Visa, MasterCard, American Express, Discover) and has been assigned a Merchant Identification number (MID).
In order to accept credit card payments, UNH departments, colleges, or other organizational units must first obtain VPFA approval.
UNH departments and organizational units who accept credit card payments are responsible for safeguarding payment card data and complying with the PCI-DSS requirements. Ensuring CHD is appropriately safeguarded:
- Protects consumers from fraud and identity theft
- Minimizes risk and the costs associated with a data breach
- Protects the University's reputation and brand
- Only authorized and trained University employees may accept and handle CHD
- Authorized employees must have a background check and be trained on the department's PCI-DSS policy
- Authorized employees must not copy CHD, except as may be defined by policy, and must not leave CHD where non-authorized employees or other persons could view or access the information
- Non-authorized employees must refuse to accept CHD and instead direct a customer to an authorized employee, a payment application or a payment website
Access to CHD requires specific authorization and is only granted to those who have a required business purpose to access it.
Follow departmental procedures to ensure credit card transactions are legitimate and not fraudulent. These procedures should include steps to:
- Ensure the card is legitimate
- Check the expiration date
- Check the hologram - it should reflect light, be three-dimensional and appear to move when the card is moved back and forth
- Make sure the card is signed; do not accept cards without a signature
- When taking a card payment where the card is not present (for example, payments made over the phone), ask the customer to provide the security code to ensure the customer has possession of the card at the time of the sale.
Card holder information can only be transmitted by approved secure mechanisms. Email, text message, instant message, or unapproved fax machines are not secure mechanisms for transmitting CHD. Transmission of CHD must be encrypted.
Only mobile point of sale devices that have been approved as PCI-DSS compliant devices can be used to process credit card transactions.
In addition to the requirements provided above, PCI-DSS also requires the University to implement administrative, technical, and physical controls to prevent unauthorized access or disclosure of CHD.
- Administrative Controls:
  - UNH Information Security Policy
  - Maintenance of an inventory of all devices that can process credit card transactions
- Technical Controls:
  - Defense in Depth Security Strategy
    - Network Security
    - Vulnerability Management
    - Network Monitoring
  - Storage requirements
  - Access controls
    - Access to PCI-DSS protected information requires specific password security requirements
  - Transmission requirements
    - Encryption of CHD across public networks
    - Defense in Depth Security Strategy
- Physical Controls:
  - CHD stored on physical media (e.g., paper) must be stored in a secure safe or file cabinet
  - Any area where CHD is stored in either physical or digital formats must be protected by the following physical security controls:
    - Access monitored by security camera
    - Access only granted to authorized personnel based on job function
    - Procedures to deprovision access upon termination are in place
    - Authorized personnel must use ID badges
    - A log of visitors must be maintained
    - An inventory of all devices must be maintained and the removal of any device or media must be tracked
    - Verify the identity of any personnel who will be used to maintain or repair any device used to process credit card transactions
Those who are authorized to access CHD can only disclose CHD when there is a required business purpose, and then only to those employees who are also authorized to access CHD.
Storage of CHD is strongly discouraged and should only be done for designated business purposes that are enumerated and managed by policy. The account number, expiration date, service code, and name are the only elements of CHD that can be retained. The full magnetic stripe data cannot be stored. The security code cannot be retained or stored after transaction authorization is received. Any security code information recorded on a form as part of a transaction must be destroyed once authorization is received.
Prior to being stored, the primary account number (PAN) must be encrypted, hashed or truncated so that it is no longer readable. CHD can only be stored in locations and using mechanisms that are specifically authorized for CHD storage. CHD cannot be stored on personal computers, shared file stores, or in spreadsheets.
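The retention and PAN-rendering rules above, as an added Python example that is not part of the UNH policy or any UNH system: it keeps only the retainable elements, truncates and keyed-hashes the PAN before storage, and scans free text (such as a spreadsheet export) for full PANs that should not be there. The record layout, field names and the hashing key are constructed assumptions; the Luhn checksum is the standard PAN check digit and is used here only to tell PAN-like digit runs from other numbers.

```python
import hashlib
import hmac
import re

# Constructed placeholder key; a real deployment would fetch it from a key
# management system, never embed it in source.
PAN_HASH_KEY = b"placeholder-key-replace-me"

# Elements the policy allows to be retained after authorization. The security
# code and full track data are never copied into the stored record.
RETAINABLE = ("name", "expiration_date", "service_code")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used to tell real-looking PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep only the last four digits; the rest is masked so the PAN is unreadable."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("value does not look like a valid PAN")
    return "*" * (len(digits) - 4) + digits[-4:]

def hash_pan(pan: str, key: bytes = PAN_HASH_KEY) -> str:
    """Keyed hash (HMAC-SHA256) that cannot be reversed to the PAN without the key."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

def sanitize_for_storage(record: dict, authorized: bool) -> dict:
    """Return only the elements of a transaction record that may be written to storage."""
    if not authorized:
        raise ValueError("nothing is stored until authorization is received")
    stored = {k: record[k] for k in RETAINABLE if k in record}
    stored["pan_truncated"] = truncate_pan(record["pan"])
    stored["pan_hash"] = hash_pan(record["pan"])
    return stored  # security_code, track data and the raw PAN never reach storage

def find_unmasked_pans(text: str) -> list:
    """Scan free text (a spreadsheet export, a log line) for full PANs."""
    runs = re.findall(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", text)
    return [d for d in (re.sub(r"\D", "", r) for r in runs) if luhn_ok(d)]
```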
Black marker, stamps, and white-out are not approved mechanisms for redacting CHD on physical media.
Physical storage of CHD requires the use of a locked safe or secure file cabinet that cannot be physically removed from its location. Access to this secure storage must be limited to those employees who are authorized to access CHD. Any visitors to the secure storage location must be escorted by an authorized employee and their visit must be logged.
CHD storage mechanisms and practices must be reviewed on a quarterly basis.
CHD must be disposed of according to organizational policy.
Paper documents must be destroyed in a way that renders CHD unreadable and impossible to reconstruct. To meet PCI-DSS requirements, physical media like paper must be cross-cut shredded or incinerated.
Electronic media must be destroyed or completely and securely deleted, which is usually performed by an information technology team using specialized tools. Equipment used to store and process PCI-DSS protected data that is submitted to the UNH SEED program will be disposed of in the appropriate manner.
The PCI Security Standards Council is a global organization that maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data across the globe. It was founded in 2006 by the five major card brands, American Express, Discover, JCB International, MasterCard, and Visa Inc., who all have an equal share in governance and execution.