University units that accept payment cards (credit or debit) as a method of payment must meet University policy, state and federal laws, and contractual obligations to the University's banks and financial institutions. The sale of goods and services must be consistent with the University's mission and the normal activities of the college or unit associated with the organization. Units that accept revenue via payment cards must:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Employees must obtain approval from Accounts Receivable Services (ARS) prior to initiating or engaging in any payment card activity, whether the payment card account is owned by the University or by a vendor that accepts payment cards on behalf of the University. Payment card accounts are subject to the Minnesota Government Data Practices Act, Minnesota Plastic Card Security Act, Payment Card Industry Data Security Standards (PCI DSS), and other applicable laws or policy. Units must treat customers' private data according to the requirements set forth in the preceding acts and standards.
Each department must develop a continuity plan that details the response and recovery plans of the account in the event of a breach, failure, or disaster.
The University Controller may, upon receipt of a written request, grant an exception to this policy and/or related procedures.
This policy does not pertain to the University Procurement Card Program.
This policy will create a consistent, cost-effective and secure environment for the University community to accept revenue via payment cards that provides the following:
- Compliance with University policy, state and federal laws, and PCI DSS
- Protection of customers' private data
- Protection for the University from fines, liability, and loss of reputation
- Acquiring Bank
- The bank or financial institution that accepts payments for the products or services on behalf of a merchant. Wells Fargo is the University of Minnesota's acquiring bank.
- Breach
- Any confirmed access to, or loss of, data.
- Cardholder
- The person to whom a payment card is issued, or an additional person authorized by the original cardholder to use the card.
- Cardholder data
- Any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc.
- Continuity Plan
- A document required of each payment card account that details the response and recovery plans of the account in the event of a breach, failure, or disaster.
- Contractual Obligation
- State and/or federal law mandate many private data standards (e.g. HIPAA, FERPA, etc.). However, PCI DSS is a set of standards that are required to be followed through terms and conditions of the payment card account contract the University has with the acquiring bank.
- Customer (Non-University)
- An individual or other entity that makes a payment to the University for goods or services.
- Incident
- Any unconfirmed or suspected access to, or loss of, data. An incident can become a "breach" if it is confirmed. Not all incidents are or become breaches.
- Incident Response
- The process by which incidents are handled. Each payment card account is required to have an incident response plan (continuity plan) on file with ARS.
- Merchant
- An entity that accepts payment cards as a method of payment for goods, services, information, or gifts.
- Minnesota Government Data Practices Act
- Legislation delineating how private data collected by Minnesota government entities is to be maintained and protected (including financial data).
- Minnesota Plastic Card Security Act
- Legislation prohibiting organizations from keeping the secure information stored on a payment card's magnetic stripe in their computer databases after a transaction is completed. The magnetic stripes on payment cards contain sensitive information such as the customer's name, account number, PIN, card expiration date, and security code data. This legislation also specifies that an organization violating this provision is responsible for both notifying its customers and covering the expenses of potential fraud if its customers' information is compromised.
- Non-Disclosure Form
- An annually renewable form required to be signed by all University employees with access to cardholder data. By signing this form, employees agree to protect any part of the Cardholder Information from disclosure to anyone that does not have a business need for it.
- Payment Card
- A financial transaction card (credit, debit, etc.) issued by a financial institution; also called Bankcard/Payment Card/Charge Card/Credit Card/Debit Card.
- Payment Card Account (PCA)
- A contractual relationship between a merchant and the acquiring bank that allows the merchant to accept payment cards from purchasers.
- Payment Card Industry Data Security Standards (PCI DSS)
- A multifaceted security standard developed and owned by the major payment card companies that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Failure of merchants to conform to these standards can result in losing the ability to process payment card payments and being audited and/or fined.
- Payment Card Manager
- Departmental staff person responsible for management of a payment card account. The Manager must be knowledgeable about the payment card acceptance process in the unit, PCI DSS requirements and compliance, and is the first point of contact for all questions concerning a payment card account.
- Payment Card Transaction
- The activity of purchasing a good or service through use of a payment card.
- Private Data
- Legally and contractually protected non-public University data, and data which the University is obliged to treat as confidential, whether it is research, clinical, educational, outreach, or administrative data. Private data can only be released to the subject of the information, to those within the University who have a legitimate business need-to-know, to outside entities with the subject's written permission, and to others as allowed by law.
- Reconciliation
- The process of comparing information that exists in two systems or locations, analyzing differences, and making corrections so that the information is accurate, complete, and consistent in both systems or locations. For financial reporting purposes, the process includes comparing the local unit's record of financial information to the general ledger.
- Risk Assessment
- The process of evaluating a payment card account for vulnerabilities that would allow any unauthorized person access to private data.
- Service Provider
- Service providers are organizations that process, store, or transmit cardholder data on behalf of merchants.
- University Community
- Any official member of the University. May be a college, department, unit, auxiliary, etc.
- A business that provides computer-based payment card services to customers over a network not controlled by the University, in a way that could impact the security of cardholder data. Examples include payment gateways and on-line providers that store, process, and/or transmit payment card data.
- Accounts Receivable Services
- Develop and provide to University units a comprehensive payment card program, including:
- Review and approve the establishment, change, and termination of Payment Card Accounts.
- Establish, document and distribute University-wide payment card account policies and procedures.
- Ensure merchant account compliance with University policy, state and federal law, and PCI DSS.
- Provide training and awareness on compliance with PCI DSS and management of merchant accounts.
- Set up and maintain payment card accounts in Enterprise Financial System.
- Assist units with reconciliation issues related to PCAs.
- Office of Information Technology Security (OITSEC)
- Review and approve implementation of all technology set-up/changes associated with payment card transaction processing. In addition:
  - Coordinate the external vulnerability scanning by an approved external scan vendor.
  - Review and approve firewall changes that are supported by a valid business reason.
  - Coordinate with the external security monitoring vendor for logs and forward alerts as appropriate.
  - Provide storage of logs for 1 year, or coordinate penetration testing, for those servers, desktops or devices that ARS identifies to OIT Security as requiring the service to meet PCI DSS.
  - Establish, document and distribute University-wide security incident response and escalation procedures to ensure timely and effective handling of situations.
- Payment Card Manager
- Departmental staff person responsible for management of a payment card account. The payment card manager must be knowledgeable about the payment card acceptance process in the unit, PCI DSS requirements and compliance, and is the first point of contact for all questions concerning a payment card account. Documents departmental policy and process in concert with ARS to ensure the following standards are maintained:
- Keep secure and confidential all cardholder information. The department will be responsible for any losses due to poor internal or inadequate controls.
- Restrict access to payment card data and processing to appropriate and authorized personnel.
- Establish appropriate segregation of duties between payment card processing, the processing of refunds, and the reconciliation function. Supervisory approval of all card refunds is required.
- Perform an annual self-assessment and compliance review to ensure compliance with this policy and associated procedures, and report the results of this assessment to ARS.
- Notify OITSEC and ARS prior to implementation of any technology changes affecting transaction processing associated with the merchant account.
- Notify OITSEC and ARS in case of a security incident or potential breach.
- Make sure employees with access to cardholder information are trained in payment card process and understand applicable policy, standards, and regulations.
- RRC Manager and Department Head/Dean
- Responsible for approving the set up, modification, and termination of payment card accounts. Sets up the accounting structure for the payment card account. Active participant in management of payment card processes and procedures.
- Review and approve all payment card account mitigation plans.
- Office of Investment and Banking
- Negotiates, approves, and manages acquiring bank relationship.
- December 2009