A. SUMMARY ADMINISTRATIVE PROCEDURE
1. Purpose. The purpose is to establish procedures that will minimize risk and provide the greatest value, security, and service to each component institution of the University System of New Hampshire (USNH) within the rules, regulations and guidelines established by the Payment Card Industry Data Security Standard (PCI DSS). This procedure addresses the standards that are contractually imposed by the major payment card brands on merchants that accept these cards as forms of payment. The policy covers the following specific areas contained in the PCI standards related to cardholder data (CHD): processing, transmitting, storing, and disposing of CHD.
2. Scope. These procedures apply to any person using USNH’s systems and networks involved with payment card handling. This includes processing, transmitting, storing and disposing of CHD at USNH, and use of any third party system that could impact the security of CHD at USNH. In addition, institutions must comply with USNH Information Technology Security Policy USY VI.F.5
3. Authority. The PCI DSS is a set of requirements created and agreed upon by the five major payment card brands: American Express, Discover, the Japanese Credit Bureau (JCB), MasterCard and VISA. These security requirements apply to all transactions surrounding the payment card industry. Electronic and paper transactions are covered by this standard. The requirements apply to any organization involved with handling CHD. The card brands apply terms in the merchant agreement to enforce these standards. USNH requires that all campus organizations and departments handling payment card data:
a. Adhere to all applicable PCI DSS administrative, technical, and reporting requirements;
b. Have pertinent local practices, procedures and documentation in place to ensure compliance with PCI standards; and
c. Provide training for the employees and others that handle CHD.
4. Revision. These procedures may be updated at any time by USNH Financial Services and should be reviewed annually by campus Merchants Departments for changes, in accordance with PCI DSS.
a. Attestation of Compliance (AOC) - A document that is completed along with an Self-Assessment Questionnaire (SAQ), as a declaration of the merchant’s compliance status with the Payment Card Industry Data Security Standard (PCI DSS). This summary document may be safely shared outside of USNH with third parties with a legitimate business reason to know.
b. Campus Finance/Administration Office – Responsible for approving all requests for acceptance of payment cards.
i. For UNH this is the Vice President for Financial Affairs Office (VPFA)
ii. For PSU this is the Financial Services Office
iii. For KSC this is the Finance & Planning Office
iv. For GSC this is Student Accounts Department
c. Cardholder Data (CHD) – Those elements of payment card information that are required to be protected. These elements are:
i. the Primary Account Number (PAN), or
ii. the PAN in conjunction with:
- Cardholder name
- Expiration Date
- Service code
d. Merchant Department – Any department or unit which has been approved by the Campus Finance/Administration Office to accept payment cards (Visa, Master Card, American Express, Discover) and has been assigned a Merchant Identification number (MID).
e. Merchant Department Responsible Person (MDRP) – An individual within the department who has primary authority and responsibility for payment card transactions and ensuring compliance with PCI DSS.
f. Payment Card Industry Data Security Standards (PCI DSS) - The security requirements defined by the Payment Card Industry Security Standards Council and the 5 major Payment Card Brands.
g. Self-Assessment Questionnaire (SAQ) - reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.
h. Service Code – The three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the track data. This data is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.
i. Service Provider - A business entity other than a payment brand directly involved in the processing, storage, or transmission of CHD on behalf of another entity. This includes companies that provide services that control or could impact the security of cardholder data.
B. DETAILED OPERATING PROCEDURES
1. Payment Card Acceptance and Handling
a. In the course of doing business at any USNH institution, it may be deemed advantageous for a department or other unit to accept payment cards for purchases of USNH goods and/or services. These transactions may include receipt of donations, payment for credit and non-credit courses, conference fees, ticket sales and other approved institutional products and services. Approval of a new merchant account for the purpose of accepting payment cards is done on a case-by-case basis. Each Campus Finance/Administration Office determines where to charge any fees associated with the acceptance of payment cards by its units.
b. Departments or units that want to begin accepting payment cards as payment for sales of goods or services rendered should contact their respective Campus Finance/Administration Office to begin this approval process. Steps include:
i. Completion of an Application to Accept Payment Card
ii. Completion of PCI-DSS and Best Practices Guide training, and
iii. Submitting the completed application to the Campus Finance/Administration Office for approval.
c. The Campus Finance/Administration Office submits the approved application to USNH Accounting Services at firstname.lastname@example.org to initiate setup of the MID with the USNH Merchant Bank and obtain an AMEX ID if applicable.
d. Any department accepting payment cards on behalf of a USNH institution or affiliated organization must designate an individual within the department who will have primary authority and responsibility for payment card transactions. This individual is referred to as the Merchant Department Responsible Person or MDRP. The department must also specify a back-up, or person of secondary responsibility, should matters arise when the MDRP is unavailable.
e. Once the MID is obtained from the bank, the USNH merchant bank relationship manager will guide the MDRP through the process until the location is up and running. Please allow five to seven business days for a new setup.
f. Requests to obtain or replace point of sale terminals for existing locations must be made to your Campus Finance/Administration Office. Once approved, the equipment can be purchased and the USNH’s merchant bank relationship manager can be contacted.
g. Each MDRP may directly contact the USNH merchant bank relationship manager for questions related to maintenance of existing terminals and terminal settings. Current contact information can be obtained from Campus Finance/Administration Office or USNH Accounting Services.
h. Specific details regarding transaction handling and required reconciliation for each merchant location will depend upon the method of payment card acceptance and type of merchant account used. Detailed instructions will be provided by the merchant bank when any new account is established.
j. When purchasing new services or equipment handle payment card transactions, the MRDP must obtain proof of PCI compliance from the service provider or the equipment vendor. New web applications that accept credit card payments on USNH’s behalf must be approved by Campus IT Security Officer. The vendor must:
i. be PCI compliant,
ii. provide an AOC,
iii. be approved before the contract can be signed, and the contract must include specific PCI language
k. When renewing existing agreements, the MDRP should make every effort to negotiate the PCI compliance requirements in B.1.j. above if not already in place. If already in place MDRP must maintain that same level of PCI compliance.
l. Any new or renewal of service agreement must comply defined by with USNH Procurement Policy.
m. Each merchant location should record their payment card revenue in the USNH Financial System on a daily basis, unless other arrangements are made with USNH Accounting Services. Payment card merchants should contact USNH Accounting Services with any questions in this regard.
2. Payment Card Data Security Procedures.
All procedures for processing payment card transactions and handling of related data must be documented by authorized departments and be available for periodic review. Departments must have the following components in their procedures and ensure that these components are maintained on an ongoing basis.
a. Access to CHD must be restricted to only those users who need the data to perform their jobs. Each such user is subject to a background check as described in policy USY V.C and related campus specific procedures, prior to being given access to CHD. Each merchant department must maintain a current list of all users (employees, volunteers, contractors, etc.) with access to CHD and review the list quarterly to ensure that the list reflects the most current access needed and granted. For system requiring login, this list must be a system generated listing of users.
b. CHD, whether collected on paper or electronically, must be protected against unauthorized access at all times.
c. All equipment used to collect CHD must be secured against unauthorized use or tampering in accordance with the PCI DSS.
d. Physical security controls must be in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or file cabinets that store the equipment, documents or electronic files containing CHD.
i. A process for regular inspections of devices must be documented at the merchant level. A PCI DSS Compliance log must be maintained and validation entered for the specific device. Each inspection should include:
- Verifying the serial number
- Inspecting the device to ensure that all anti-tampering labels are intact
- Inspecting the device to ensure that no obvious modifications have been made to the device.
ii. Employees are not permitted to change or switch out any transmission wiring without approval from the MDRP or designated IT Support personnel. The only parties who may modify or move wiring are paid vendors with written permission, or a campus employee with written permission from his/her campus IT or Finance/Administration management. Each card acceptance location should ensure that their employees:
- Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
- Do not install, replace, or return devices without verification.
- Are aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
- Report suspicious behavior and indications of device tampering or substitution to MDRP and Department management.
- Do not use any devices where suspicion exists that substitution or tampering has occurred
e. Unencrypted electronic communication methods such as email, instant messaging, chat, SMS, etc. must not be used to transmit CHD or personal payment information, or be accepted as a method to supply such information. Each merchant department must include the proper method to handle and respond to emails or other unsecure communications sent by customers and containing CHD in their departmental PCI DSS procedure. In the event this does occur, handling the received CHD as outlined in section B.2.J below is critical. Also see item 6.) in the Best Practices Guide for additional information in this regard.
f. It is best not to use fax machines to transmit payment card information to a merchant department. If a fax must be used, MDRP must ensure the device is a stand-alone machine using plain paper type and located in a secure location to prevent unauthorized access. Never use Multi-function/multi user devices to transmit or receive payment card information.
g. No database, electronic files, other electronic repositories of information, or paper forms may store the card-validation code (aka CVV or CVC) after authorization regardless of the success or failure of the payment.
h. The full contents of any track from the magnetic stripe on the back of a payment card must never be stored.
i. Portable electronic media devices or shared file repositories should not be used to store cardholder data. These devices include, but are not limited to, the following: laptops, compact disks, floppy disks, USB flash drives, personal digital assistants and portable external hard drives.
j. CHD should not be retained any longer than required to authorize the transaction, and must be immediately deleted or destroyed following authorization. Access to cardholder data is restricted to those with a business “need to know”, and each person with access cardholder data must have a unique ID and password.
i. A regular schedule of deleting or destroying data should be established in the merchant department to ensure that no CHD is kept after authorization. Any access of CHD must be logged with the date and time, along with the identity of the employee accessing the secured data and customer contact information in the case of loss (to notify the customer).
ii. CHD must be disposed of in a manner that renders all data un- recoverable. This includes paper documents and any electronic media including computers, hard drives, magnetic tapes, and USB storage devices (Before disposal or repurposing, computer drives should be sanitized in accordance with applicable institutional electronic data disposal policies).
iii. Approved disposal methods per the PCI DSS v3.2 are:
- Cross-Cut shredding, incineration, pulping, or using an approved shredding/disposal service for paper documents
- Wiping and/or physical destruction of electronic media in a manner that renders it unrecoverable.
k. All work computers of employees authorized to handle CHD and shared workstations related to merchant operations must be scanned with the USNH authorized scanning tool on a regular basis to ensure no CHD is stored on those computers, in case of accident, negligence, or other reasons.
l. All CHD security lapses must be logged and resolved by the MDRP. CHD security lapses are defined as cases where employees did not follow USNH procedures, but which did not result in a security breach. CHD security lapse may be grounds for disciplinary action including termination.
m. USNH Purchasing Card data and bank accounts information should be protected the same way payment card data is protected. Related procedures should be documented by each department and include the above components, particularly as it relates to storage and disposal of CHD.
3. Service Provider Relationships
Merchants and their service providers must have a documented and consistent level of understanding about their applicable PCI DSS responsibilities.
a. USNH Merchants that utilize a service provider for payment processing, transmission or storage must obtain a written agreement from such provider stating that the named provider is responsible for the protection and security of any CHD that the provider possesses, stores, processes, or transmits on behalf of USNH, or any CHD that they could impact the security of. This should be done for all new contracts and to the extent negotiable with any contract renewals.
b. The written agreement must specify the PCI DSS requirements for which the service provider is responsible and those for which the USNH Merchant is responsible. This documentation should be obtained for all new contracts and any contract renewals.
c. MDRP must communicate the PCI requirements for which the merchant department is responsible to all persons (staff, contractors, temporary employees, volunteers, etc.) that will be involved with payment handling in any way.
d. Proof of a Service Provider’s PCI DSS compliance must be provided to USNH Accounting Services on an annual basis. Acceptable types of proof are limited to the following (in order of preference):
i. A signed Attestation of Compliance (AOC) that has been properly completed and is less than twelve months old.
ii. Alternatively, USNH may accept their status as it appears on the Visa Global Service Provider Listing (http://visa.com/splisting).
iii. Service Providers who are eligible to self-assess should provide an AOC signed by an executive of the vendor, dated within the last twelve months, and based on the results of a completed Self-Assessment Questionnaire (SAQ) D for Service Providers. This SAQ should ideally be supported by a Qualified Security Assessor (QSA as defined in the PCI DSS) signature, but this is not specifically required.
iv. USNH may also accept documents deemed appropriate by legal counsel in limited instances.
4. Failure to Meet the Requirements of USNH Policy and Procedures.
Departments and merchants have a responsibility to follow all applicable USNH Policies and Procedures.
a. Failure to meet the requirements outlined in this procedure will result in suspension of the physical and, if appropriate, electronic payment capability for affected units. Additionally, if appropriate, any fines and penalties which may be imposed by the affected payment card brand(s) will be the responsibility of the impacted unit.
b. Individuals who fail to meet the requirements outlined in this procedure will be subject to disciplinary action including termination under policy USY V.C.9 and related campus specific procedures.
5. Responding to a Security Breach.
In the event of a breach or suspected breach of security, the department or unit must immediately execute each of the relevant steps outlined below in addition to following applicable local institutional or departmental incident management procedures:
a. Contact the USNH IT Security Office and the institutional IT or Information Security office for proper direction related to preservation of electronic data. The steps should include:
i. Disconnecting the impacted device(s) from all networks. To disconnect a device from the network, simply unplug the Ethernet (network) cable. If the device uses a wireless connection, simply disconnect it from the wireless network. For devices connected via an analog telephone line, simply unplug the phone line.
ii. DO NOT turn the device off or reboot. Leave the device powered on and disconnected from the network.
iii. Prevent any further access to or alteration of the compromised system(s) (i.e., do not log on to the machine and/or change passwords; do not run a virus scan). In short, leave the system(s) alone, disconnected from the network, and wait to hear from the IT security office.
b. Document every action taken from the point of suspected breach forward, preserving any logs or electronic evidence available. Include the following in the documentation:
i. Date and time
ii. Action taken
iv. Person performing action
v. Person performing documentation
vi. All personnel involved
c. Notify the department’s MDRP, the Dean, Director or Department Head of the unit experiencing the breach, the campus Finance/Administration office of the breach circumstances.
d. The Campus Finance/Administration Office must relay all such communications to the USNH Treasurer, USNH General Counsel and USNH Internal Audit.
e. Once a full determination of the scope of a breach is made, the Campus IT Security Officer and USNH Treasurer will be responsible for notifying USNH executive management, banking representatives, and any other parties as appropriate.
f. A suspected breach may also be reported to USNH by the processing bank or an outside party. In that case, USNH will notify the campus merchant involved in the suspected breach and the relevant steps outlined above should be executed.
g. A detailed incident response plan will be completed and maintained by USNH IT Security Officer. This incident response plan shall be in accordance with the parameters set forth by the card brands.
6. PCI DSS Information Technology (IT) Policy. Each USNH Institution must document its PCI DSS Information Technology policies and procedures. This may be accomplished by using templates provided by USNH’s merchant bank and/or consulting partners if desired.
7. User Change(s) at Merchant Location(s). Merchants must notify their MDRP of any changes of personnel involved in payment card processing. This includes any new hires, personnel who have been assigned new duties that include payment card handling and/or settlement duties, as well as changes in volunteers and contractors with access to CHD. This also includes employees, volunteers or contractors that have left their position and are no longer involved in payment card handling. Each Campus Finance/Administration Office should determine the manner of which these notifications will occur. The User Change Form is provided as a model to use in reporting these changes to the MDRP.
8. User Statement of Understanding. Persons (i.e. employees, volunteers, and contractors) who handle CHD as part of their employment or other activity at USNH must fill out and sign the related User Statement of Understanding Form or a similar acknowledgement as defined by their Campus Finance/Administration Office. The MDRP must ensure completeness of these filings at all times.
9. PCI DSS Annual Merchant Questionnaire. At least annually, each payment card merchant must (1) complete a current PCI DSS (SAQ), (2) participate in periodic vulnerability scans if required by the SAQ, and (3) take necessary action to be able to attest compliance to the current PCI DSS. After review by the QSA, the Campus Finance/Administration Office is responsible for uploading these documents to the USNH merchant bank portal upon completion.
10. Any merchant location which is not PCI DSS compliant could be assessed a $25 fee by the current USNH merchant bank every month they are non-compliant. A different fee may also be assessed for non-compliance for locations approved to use providers other than the main USNH merchant bank. Campus senior leadership must be notified of any non-compliance status and resulting fees.
11. In coordination with the MDRP, any merchant that remains non-compliant for six consecutive months may be required to stop collecting payments via payment card by USNH or USNH’s merchant bank. USNH Accounting Services will notify Campus Finance/Administrator office when a merchant is suspended from collecting payments due to non-compliance.
12. Best Practices. The USNH QSA provides regular guidance on best practices for USNH institutions to incorporate into merchant procedures to better understand and comply with the requirements of the standards. All USNH organizations that are subject to PCI DSS are expected to follow these best practices.
 See section A.5.c for a description of items included in cardholder data.