10.11 Use and Security of Credit Card Numbers

Purpose

This policy ensures that the University of Northern Iowa's processing of credit card payments complies with all state and federal laws and regulations on the acceptance of credit cards as a form of payment, and with the Payment Card Industry Data Security Standard (PCI DSS) requirements issued by the Payment Card Industry Security Standards Council. This policy is not applicable to university procurement cards issued to University of Northern Iowa (UNI) employees and administered by the Office of Business Operations (OBO).

Definitions

  1. Availability - A loss of availability is the disruption of access to or use of information or an information system.
  2. Confidentiality - A loss of confidentiality is the unauthorized disclosure of information.
  3. Integrity - A loss of integrity is the unauthorized modification or destruction of information.
  4. Cardholder data - Confidential or identifying information found on a credit card, such as cardholder name, primary account number, expiration date, service code, and any validation codes (CVV/CVC).
  5. "Unit" or "units" - The term "unit" or "units" shall refer to UNI departments, schools, programs, activities, or offices.

Policy

UNI is committed to ensuring the privacy and proper handling of cardholder data that it collects and maintains from students, faculty, staff, patrons, and other individuals conducting business with the University.  Faculty, staff, students, or anyone else accessing cardholder data must protect the data from a loss of availability, confidentiality, or integrity.  Units wishing to process credit cards for payment must be approved by OBO prior to accepting credit cards for payment and use approved methods for handling cardholder data.  All systems, electronic or paper-based, processing credit card payments must be secured sufficiently to protect the availability, confidentiality and integrity of the cardholder data.

Because the confidentiality of cardholder data is of chief importance, measures necessary to protect the confidentiality of cardholder data take precedence over the availability of credit card payment systems.

Units not complying with this policy may lose the privilege to process credit card payments and may be responsible for any losses occurring due to their action or inaction.  Individuals who knowingly violate this policy and/or in any way compromise the availability, confidentiality or integrity of cardholder data may be subject to appropriate disciplinary action and/or sanctions.

As required by the PCI DSS, the University shall maintain and follow a comprehensive set of policies, procedures and guidelines for the processing of credit card payments.

Office of Business Operations Responsibilities

OBO shall be primarily responsible for the enforcement of this policy and will maintain a collection of cardholder data-related policies and procedures.

In accordance with PCI DSS, OBO shall establish several required committees of relevant University personnel, including individuals designated by the Chief Information Officer (CIO). These committees will review and approve required policies and procedures, conduct an assessment of compliance with this policy, verify compliance with the PCI DSS, conduct official reviews pertaining to PCI DSS, maintain appropriate segregation of duties, and assign responsibility for the operations of UNI’s credit card payment processes. Each committee shall be required to meet as needed, and annually at a minimum.

OBO shall provide training as needed, and annually at a minimum, to comply with the PCI DSS.  OBO shall maintain a list of covered units or individuals.

In the event of non-compliance with this policy, OBO shall have the authority to revoke the privilege of any unit or individual to process credit card payments until an official review is conducted as required by PCI DSS and OBO has determined acceptable operating procedures have been established in the unit.

Information Technology Services Responsibilities

The CIO shall designate individuals to administer, monitor, secure, and maintain information systems needed for the processing of cardholder data; these individuals are considered to have access to cardholder data.  The responsibilities of Information Technology personnel include performing ongoing information risk assessments and audits to ensure that information systems meet PCI DSS requirements.

The CIO and designated staff shall have the authority to select the technological solutions used by UNI to meet the PCI DSS. As required by PCI DSS, in the event that the availability, confidentiality, or integrity of cardholder data is in question, the CIO or designated staff shall have the authority to remove the ability of any unit or individual to process credit card payments until an official review is conducted or the threat to the availability, confidentiality or integrity of cardholder data has been remediated.

Covered Units Responsibilities

All units accepting credit cards as a form of payment in any manner, including staff with access to cardholder data, must adhere to this policy. Individuals responsible for the units covered by this policy are responsible for assuring their unit’s compliance with the policy.  Units covered by this policy must:

  1. Consult with OBO on the acceptance or utilization of credit cards.
  2. Accept credit cards only with approval from OBO.
  3. Never store cardholder data on University computers or electronic systems at any time.
  4. Receive instruction and approval from OBO to store cardholder data on paper-based records.
  5. Utilize information systems approved by OBO to process credit card payments.
  6. Follow all policies, procedures and guidelines provided by OBO for credit card operations; refer to the OBO web page for additional information.
  7. Ensure staff and supervisors attend required training regarding credit card payment and processing policies and procedures.
  8. Purchase required equipment and supplies for credit card payments with the assistance of OBO.
  9. Fund the operation of the information systems and processes necessary for compliance with the PCI DSS.
  10. Pay transaction fees assessed by the card brands and the credit card processor.
  11. Provide accurate and complete information to OBO and/or Information Technology Services in an expedient manner to validate compliance with this policy.
  12. Consult with OBO and/or Information Technology Services if a credit card incident or breach is suspected, or if it is discovered or suspected that required procedures are not being followed.

Office of Business Operations, Information Technology Services, and the Vice President for Administration and Financial Services, approved June 2012

President’s Cabinet, approved July 9, 2012