Payment Card Policy & Procedures for [Insert Department Name]

MID [Enter Merchant Number]

SAQ C Merchant

[Pick the date]

Vanderbilt University

Approved By: [Enter Merchant Department Responsible Person Name Here]

I. Procedure Statement

Per Vanderbilt University policy each department that processes, transmits or stores payment card information (credit and/or debit) must have documented procedures for complying with the current version of the Payment Card Industry Data Security Standards (PCI DSS) issued by the Payment Card Industry Security Standards Council (PCI SSC).

II. Purpose

The purpose of this policy and procedure document is to state the requirements to which [Insert Department Name] must adhere when processing payment card transactions for customers for goods or services provided. This document should supplement other internal procedures that are in place to minimize the potential for loss of sensitive cardholder and personal data belonging to Vanderbilt University, Vanderbilt University Health Center or our constituents.

III. To whom this Policy Applies and Scope

This procedure applies to all [Insert department name] employees, faculty, students, contractors, guests, consultants, temporary employees, and any other agent of VU/VUMC who processes, stores, maintains, transmits, or handles payment card information in a physical or electronic format on behalf of Vanderbilt University or Vanderbilt University Medical Center. All of those noted above assume responsibility for the procedures outlined below. Therefore, ANY system that connects to the cardholder data environment is in scope for compliance and must meet the PCI requirements. The cardholder data environment includes all processes and technology, as well as the people, that store, process, or transmit cardholder data, including but not limited to the systems, applications, and servers being utilized.

The table below lists the names and email addresses of all departmental staff that are part of the Merchant Card operation. The list includes all staff involved in the credit and/or debit operation. Each applicable staff member is required to:

  1. Review this Policy and Procedure for [Insert department name]
  2. Participate in annual PCI DSS Security Awareness Training
  3. Attest to items 1 and 2 above by annual submission of the Employee Acknowledgement (Employee Compliance Form – ATTACHMENT A)

Name | Email Address | Title/Role or Function

The table below lists the names and email addresses of all Third Party Service Provider/Vendor (TPSP) staff that will be part of the Merchant Card operation. The list includes all staff involved in the credit and/or debit operation, integration, testing and/or support. Each TPSP is required to:

  1. Review this Policy and Procedure for [Insert department name]
  2. Participate in annual PCI DSS Security Awareness Training
  3. Attest to items 1 and 2 above by annual submission of the Employee Acknowledgement (Employee Compliance Form – ATTACHMENT A)

Name | Email Address | Title/Role or Function

IV. Overview

Any area or department accepting payment cards on behalf of [Insert department name] for gifts, goods, or services will designate a full-time employee within that department who will have primary authority and responsibility for payment card and/or e-commerce transaction processing. This individual will be referred to in the remainder of this policy as the Merchant Department Responsible Person or MDRP. The MDRP must be, at a minimum, the fiscal officer, business manager, administrative officer, or equivalent of the department accepting payment cards. Any change to the person filling this role must be reported to the PCI Compliance Office immediately, and the new appointee will undergo the appropriate background screening.

The MDRP will be responsible for [Insert department name] complying with the security measures established by the PCI SSC and Vanderbilt policies. In addition, the MDRP is responsible for ensuring that every party described in Section III completes the annual PCI and Point of Sale (“POS”) PCI Security Awareness Training as determined by the PCI Compliance Office. (See ATTACHMENT B for MDRP Responsibilities.)

[Insert department name] may only use the services of a VU/VUMC-authorized payment application vendor meeting the PCI SSC compliance requirements and the VU/VUMC acquiring bank. Any third-party vendor MUST be approved by the PCI Compliance Office prior to payment card processing, regardless of whether the transaction is point of sale (POS), mail/telephone order (MOTO), or internet-based.

The PCI Compliance Office will review these departmental Payment Card Procedures at least annually as part of the compliance review cycle. Each department may be selected for a random annual audit by the PCI Compliance Office to ensure standards, procedures, and policies are on file and adhered to. Failure to provide documentation as outlined in the policies and procedures may result in the merchant account being frozen and/or closed.

The PCI Compliance Office will make PCI and POS training available at least annually or as new staff are hired.

Departmental procedures will be reviewed, updated, signed, and dated by the MDRP on an annual basis, acknowledging that the department has satisfied all PCI requirements outlined in the VU Payment Card Issuance and Compliance Policy and Procedures Manual and that copies have been submitted to the PCI Compliance Office.

V. Payment Card Procedures

The following [Insert department name] procedures must be followed when processing payment cards. In order to answer YES to the questions presented in your annual SAQ, it is imperative that [Insert department name] reviews, understands, and enforces the procedures outlined below:

  1. Ensure that all employees have been trained on all departmental payment card policies and procedures. Each employee must sign the Employee Acknowledgement form. (See Employee Compliance Form – ATTACHMENT A)
  2. PCI DSS Requirement 1.1.4 – Each Internet connection must have a firewall configured and in place.

     POLICY:

       1. A firewall will be implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
       2. Firewall and network configurations are recorded and updated in the [Insert department name] Payment Card Processing Diagram; refer to ATTACHMENT C.
  3. PCI DSS Requirement 1.1.6 – Documentation and business justification for use of all services, protocols, and ports allowed.
  4. PCI DSS Requirement 1.2 – Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

     POLICY:

       1. Logs for external-facing technologies (for example, wireless, firewalls, mail) are written to a secure, centralized, internal log server per PCI DSS requirement 10.5.4.
  5. PCI DSS Requirement 1.2.1 – Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
  6. PCI DSS Requirement 1.3 – All direct public access between the Internet and any system component in the cardholder data environment is prohibited.
  7. PCI DSS Requirement 2.1 – All vendor-supplied defaults are changed.

     POLICY:

       1. All default passwords will be changed, including but not limited to those used in operating systems, application systems, software, and POS systems.
       2. Repeated access attempts are limited by locking out the user after no more than six attempts per PCI DSS requirement 8.1.6.
       3. All user passwords are changed every 90 days per PCI DSS requirement 8.2.4.
       4. For wireless environments connected to the CHD environment, all default encryption keys are changed at implementation and at staff changes.
  8. PCI DSS Requirement 2.5 – Security policies and operational procedures for managing vendor defaults and other security parameters are documented and known to [Insert department name] staff.

     POLICY:

       1. Security policies will be continuously reviewed and shared with [Insert department name] staff, as applicable.
  9. PCI DSS Requirement 3.2 – All systems must adhere to the following requirements regarding storage of sensitive authentication data after authorization (even if encrypted).

     POLICY:

       1. POS terminal device(s) or systems are to be updated with the most current version of software provided by the manufacturer, which does not store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). Document all software upgrades on the Processing Equipment Maintenance Form.
       2. Do not store the card-validation code or value (the three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions, and do not store the personal identification number (PIN) or the encrypted PIN block.
  10. PCI DSS Requirement 3.3 – Mask the primary account number (PAN) when displayed (the first six and last four digits are the maximum number of digits to be displayed).

     POLICY:

       1. Truncation is performed by the POS system.
       2. If a paper imprinter slip is used for telephone orders and mail orders and the document is to be stored, all digits except the last four must be blacked out.
  11. PCI DSS Requirement 4.1 – For SSL/TLS implementations, “https” appears in the URL, and CHD is requested only when “https” appears as part of the URL.

     POLICY:

       1. Our link, [Insert department link here], will be reviewed periodically by [Insert department name].
  12. PCI DSS Requirement 4.2 – Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).

     POLICY:

       1. When it is absolutely necessary to send cardholder data, other personally identifiable information, or other sensitive information via messaging technologies (including text or e-mail), appropriate measures are taken to block out or remove the cardholder information and other personally identifiable information, or otherwise to render the communicated sensitive information useless.
  13. PCI DSS Requirement 5.1.1 – All anti-virus systems are capable of detecting, removing, and protecting against all known malicious software.

     POLICY:

       1. Maintain documentation that the software detects, removes, and protects against spyware and adware.
       2. Periodically review the program to evaluate evolving malware and the anti-virus system.
  14. PCI DSS Requirement 5.2 – All anti-virus mechanisms are maintained as follows:
       • kept current,
       • perform periodic scans, and
       • generate audit logs per PCI DSS requirement 10.7.

     POLICY:

       1. Audit logging will be turned on for the anti-virus software, and all actions taken by any individual with administrative authority will be logged per PCI DSS requirement 10.2.2 and reviewed per PCI DSS requirement 10.6.
       2. Audit logs will be generated quarterly and retained for a minimum of 12 months per PCI DSS requirement 10.7.
  15. PCI DSS Requirement 6.1 – Establish a process to identify security vulnerabilities.

     POLICY:

       1. Quarterly scans will be performed by an Approved Scanning Vendor per PCI DSS requirement 11.2.2.
       2. All vendor-supplied security patches will be installed within one month of release per PCI DSS requirement 6.2.
  16. PCI DSS Requirement 7.1 – Limit access to system components and cardholder data to only those individuals whose job requires such access.

     POLICY:

       1. Each employee within [Insert department name] is given their own unique access code for POS or standalone terminals, which restricts the fields to which they have access.
       2. Employees are instructed not to share cardholder information with other employees unless deemed necessary by a supervisor.
  17. PCI DSS Requirement 8.3 – Two-factor authentication is incorporated for remote network access originating from [Insert department name] personnel and third parties.

     POLICY:

       1. Any access by [Insert Vendor name] will only be enabled on an as-needed basis.
  18. PCI DSS Requirement 9.1 – Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. (POS Maintenance Form, POS and Terminal Inspection Form)

     POLICY:

       1. Restricted areas are appropriately identified by signage (e.g., “Authorized Personnel Only”).
       2. A POS/Countertop Maintenance Form is to be completed when maintenance is done to any POS/countertop terminal.
       3. Inspect terminals/POS to ensure no unauthorized cables have been attached and the terminal/POS has not been tampered with.
       4. An updated inventory list will be maintained and logged per PCI DSS requirement 9.9.1.
  19. PCI DSS Requirement 9.6 – Physically secure all paper and electronic media that contain cardholder data.

     POLICY:

       1. Locate all paper documents (including receipts, notes, reports, and faxes) and all electronic storage media such as CDs, backup tapes, thumb drives, hard drives, and credit/debit card processing machines that contain your customers’ full credit/debit card numbers.
       2. Determine whether it is necessary to keep any paper or electronic data that contains your customers’ full credit/debit card numbers. We strongly recommend you do not keep any documents with the 16-digit number unless absolutely necessary. If you do have any on file, please ask yourself, “Why do I need to keep this?”
       3. If it is necessary for business purposes to store this data, the following rules apply:
            a. Any electronically stored data must be password secured and PCI DSS Requirement 3 must be followed.
            b. A form must be kept documenting how the cardholder data is stored and secured.
  20. PCI DSS Requirement 9.7 – Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data. (See Media Removal Form – ATTACHMENT D)

     POLICY:

       1. All material moved from the secure area is marked confidential, documented on the Media Removal Data Form, and transported by a document service such as FedEx or the U.S. Post Office with a tracking number. (See Media Removal Form – ATTACHMENT D)
  21. PCI DSS Requirement 9.8 – Ensure management approves any and all media containing cardholder data that is moved from a secured area (especially when media is distributed to individuals).

     POLICY:

       1. No material containing cardholder data is to leave the premises without the permission of management.
  22. PCI DSS Requirement 9.9 – Maintain strict control over the storage and accessibility of media that contains cardholder data.

     POLICY:

       1. All sensitive data is to be kept in a file or secured area that is accessible by management only.
       2. The file cabinet or safe containing confidential information is to be locked during business hours as well as after hours.
  23. PCI DSS Requirement 9.10 – Destroy media containing cardholder data when it is no longer needed for business or legal reasons (See Media Destruction Form – ATTACHMENT E).

     POLICY:

       1. Requirement 9.10.1 – Cross-cut shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed.
       2. Document the description of the stored data you are destroying, and the date and method of destruction, on the Media Destruction Form – ATTACHMENT E.
       3. Management is to sign and date the form, and it is to be kept in the Compliance Binder.
  24. PCI DSS Requirement 11.3.4 – If segmentation is used to isolate the CDE from other networks, then penetration testing must be performed.

     POLICY:

       1. Penetration testing of the network layer and the application layer will be completed annually and after any major upgrade.
       2. All results will be reviewed, corrected if applicable, signed and dated, and maintained on file.
  25. PCI DSS Requirement 12.8 – If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers. (Service Provider Form and Service Agreement)

     POLICY:

       1. Maintain a list of service providers who would have access to any POS system or to any credit card data. This also includes those individuals or companies that maintain equipment.
       2. Determine with whom you share your customers’ cardholder data. Be sure to include all other companies or individuals who are not your employees on the Service Provider Form.
       3. Maintain a written agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data in the service provider’s possession.
       4. Monitor service providers’ PCI DSS compliance status by requesting a copy of their annual SAQ.
  26. PCI DSS Requirement 12.8.3 – Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement.

     POLICY:

       1. Only engage contracted work with industry-approved vendors and check references of such vendors.
  27. PCI DSS Requirement 12.10.1 – Implement an Incident Response Plan. Be prepared to respond immediately to a system breach.

     POLICY:

       1. If a breach occurs, immediately notify the PCI Compliance Office at
       2. Refer to the [Insert department name] Incident Response Plan documented in ATTACHMENT F.
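As an added illustration of the masking rule in Requirement 3.3 (first six and last four digits at most; last four only on stored paper slips) and the messaging rule in Requirement 4.2 above, the following Python is example code written for this page, not tooling from the template or from Vanderbilt. It assumes a Luhn check is an acceptable way to separate real PANs from other digit runs (order numbers, tracking numbers), and the sample message is constructed.

```python
import re

# Digit runs of 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample message; 4111... is a well-known Luhn-valid test PAN,
# the order number is a digit run that is not a card number.
SAMPLE_MESSAGE = ("Customer called: card 4111 1111 1111 1111 exp 12/26, "
                  "order 1234567890123")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: real PANs pass, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6) -> str:
    """Mask a PAN for display (PCI DSS 3.3): at most the first six and last
    four digits stay visible. keep_first=0 yields the 'last four only' form
    this template requires for stored paper imprinter slips."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    keep_first = min(keep_first, 6)   # never reveal more than six leading digits
    return digits[:keep_first] + "*" * (len(digits) - keep_first - 4) + digits[-4:]


def redact_message(text: str) -> tuple:
    """Replace every Luhn-valid PAN in outbound message text with its
    last-four-only form (PCI DSS 4.2). Returns (redacted_text, pans_found)."""
    found = 0

    def repl(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # e.g. an order or tracking number, left alone
        found += 1
        return mask_pan(digits, keep_first=0)

    return PAN_RE.sub(repl, text), found


if __name__ == "__main__":
    redacted, n = redact_message(SAMPLE_MESSAGE)
    print(n, "PAN(s) redacted:", redacted)
```

A non-zero count from redact_message on an outgoing e-mail or chat message is the signal that cardholder data was about to leave by a channel Requirement 4.2 prohibits.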

[Insert department name] Incident Response Plan -

Refer to ATTACHMENT F.

[Insert department name] Payment Card Processing Diagram –

Refer to ATTACHMENT C.

Data-flow diagrams provide an important aid to understanding the scope of the cardholder data environment by showing the actual flow of cardholder data as it is transmitted across various networks and systems. See the example below.

  • Periodic review will ensure accuracy, as changes to the environment may occur.
  • A well-designed data-flow diagram will:
      • Identify each system involved in the storing, processing, and transmission of cardholder data (CHD)
      • Identify any system connected to the systems that store, process, or transmit cardholder data
      • Illustrate how cardholder data is processed, for example, how CHD is managed within a web application’s functionality and pages, along with how the data flows within a network or across multiple networks
      • Illustrate where security controls are implemented
      • Illustrate and make a clear distinction between payments processed under the merchant’s responsibility (whether developed internally or purchased from a third party and integrated with a shopping cart) and payments processed solely within third-party environments

Segregation of Duties –

PCI DSS Requirement 6.4.2 – Separation of duties between development, test, and production environments.