1.0 W&M Payment Card Policy
Single column table within another table, used to present a collapsible list of report options, external
The purpose of this policy is to ensure William & Mary complies with the Payment Card Industry Data Security Standard (PCI DSS), and represents the university's requirements to prevent the loss or unauthorized disclosure of sensitive customer information including payment card data. Failure to comply may result in financial loss for customers, suspension of credit card processing privileges, and fines imposed on and damage to the reputation of William & Mary.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements agreed upon by the five major credit card companies; VISA, MasterCard, Discover, American Express, and JCB. (Section 3 provides a summary of these standards.) These security requirements apply to all transactions surrounding the payment card industry and the merchants/organizations that accept these cards as forms of payment. In order to accept credit card payments, William & Mary must annually prove and maintain compliance with these standards.
This policy applies to all academic and administrative units and associated individuals (faculty, staff, students, volunteers) of William & Mary who are involved in the acceptance of credit/debit card payments as well as all external entities contracted by William & Mary that provide or use payment card processing services. This includes third-party vendors, individuals, systems, and networks involved in the transmission, storage (electronic or physical), and/or processing of payment card data including entities that can impact the security of payment card data.
It is the policy of William & Mary to allow acceptance of payment cards as a form of payment for goods and services upon written approval from the Office of University Operations - Financial Operations. William & Mary requires all departments that accept payment cards to do so only in compliance with PCI DSS and in accordance with this policy and procedures document and other referenced documents herein.
- University departments/units must request and receive approval from Financial Operations to accept payment cards using the W&M Payment Card Application. All approved entities must establish departmental processes and procedures using Section 2 of this document as a guide. In addition, entities may use the Departmental Card Handling Procedures as a template.
- Departments accepting payment cards will sign the W&M Payment Card Security & Confidentiality Agreement with Financial Operations that details their responsibilities and policies that must be followed. This agreement must be renewed annually as it may be updated from time to time as requirements change. Failure to follow the requirements of the agreement may result in the revocation of your ability to accept card payments.
- All departments and individuals involved must annually complete the required training; PCI DSS-W&M Payment Card training and W&M Security Education and Awareness training. Departments must track each individual’s completion of training, access and termination using the PCI DSS Security Awareness Program Roster.
- Departments must accept only payment cards authorized by Financial Operations and agree to operate in accordance with the contract(s) William & Mary holds with its service provider(s) and the card brands. This ensures all transactions are in compliance with the PCI DSS, federal regulations, National Automated Clearing House Association (NACHA) rules, service provider contracts, and William & Mary policies regarding security and privacy that pertain to electronic transactions.
- Payment cards may only be accepted using the methods approved by the university (Financial Operations, Information Technology and Procurement).
- New technology solutions must be approved prior to implementation and must be properly secured and documented.
- Vendors of third-party systems accepting payment cards must provide PCI compliance documentation. The Office of Procurement must keep on-site a current copy of that vendor’s PCI certificate.
- Procurement of any software applications, third-party services, or development of payment channels must be approved [by Financial Operations, Information Technology and Procurement] prior to the execution of contractual agreements or any free trials.
- Only approved devices may be used to enter credit card data into approved systems. Standard William & Mary desktops/laptops are NOT approved devices.
- All types of media containing payment card information must be destroyed in accordance with PCI DSS and the Library of Virginia’s Record Retention schedule. In addition:
- Limit data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements.
- Treat all data as confidential. Data that is not necessary in order to conduct business should not be retained in any format.
- Adhere to specific retention requirements for cardholder data.
- Follow processes for secure deletion of data when no longer needed.
- Utilize a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
- Restrict physical access to data records to staff with a need to know.
- All processing equipment must be obtained by Financial Operations – Cashier’s office. Exceptions to this policy will be limited and will require a business plan (including the reason why the available central processing systems will not work for your area) to be submitted and approved by Financial Operations and IT in advance of any equipment or system purchase.
- All payments received must be directed into a William & Mary approved bank account. The type and nature of the electronic transaction (e.g., ACH, Credit Card, Point of Purchase, wire, etc.) will dictate where the transaction is deposited.
- Departments are responsible for all expenses associated with payment card merchant accounts and cannot adjust the price of goods or services based upon the method of payment, i.e., price must be the same for credit card payments and check payments.
- Accounting entries to record the receipt of the payment will be linked directly into William & Mary’s finance system (Banner), whenever possible, to ensure timely recording of transactions and expedite the prompt reconcilement of general ledger and bank accounts.
- Payment card information is considered confidential and must be treated as carefully as any other sensitive/confidential information (see Data Classification Policy).
- Under no circumstances should a department or unit store sensitive authentication data (track data from the magnetic stripe, card-validation code CVV2 data, etc.) subsequent to authorization (not even if encrypted).
- Never send or request cardholder information to be sent via email.
- Customer records located within units should be stored in locked cabinets or non-portable safes dedicated solely to these records. Full payment card information should never be stored.
- If a form containing cardholder data (i.e., the payment card number) must be retained for operating purposes, the card number must be rendered unreadable by encryption or punchout anywhere it is stored.
- Under no circumstances should a department retain electronically (including Excel files, databases) or on paper the payment card numbers and expiration dates of payment cards.
- Access should be limited to only those staff who need this information to accomplish their work.
- Departments destroying cardholder information are REQUIRED to cross-shred or punch out card numbers on all documents before placing it in the trash.
- To protect our clients from the possibility of data loss due to spyware and keyboard “sniffers”, a department must NOT enter a client’s payment card data into a website on behalf of the client using a standard W&M desktop/laptop. Only approved devices can be used. Clients should be directed to the appropriate website (Financial Operations and IT must approve any exceptions or devices).
- All visitors must be authorized before entering areas where cardholder data is processed or maintained. Departments must maintain a Payment Card Visitors Log.
- Appropriate facility entry controls (i.e., physical access or system access) must be used to limit and monitor physical access to systems that store, process, or transmit cardholder data.
- Credit card payments may be received over the phone if an approved phone/handset are used. The approved phone/handset must have data encryption. Teams Telephony is NOT an approved phone/handset.
- Remove all sensitive documents from your work area when not in use and secure the documents properly at the end of the day.
- Virtual points-of-sale can be used to process payment card data upon approval by Financial Operations and IT.
- Departments using the card swipe terminals must follow the transaction processing guidelines as outlined by the vendor (First Data).
- Departments using card swipe terminals and/or other approved devices must inspect devices periodically for tampering and log inspections. Inspections must be logged using the W&M PCI Quality Control Check List.
- Products sold must be evaluated by Financial Operations to determine if sales tax must be collected. Financial Operations will determine the appropriate sales tax when a merchant account is requested. Direct all tax questions to firstname.lastname@example.org.
- Departments must submit a copy of the payment card “settlement slip” when submitting cash reports or deposit transmittals to the Cashier’s Office.
- Departments using a web-based application must submit a copy of the settlement information from the web when submitting deposit transmittals to the Cashier’s Office.
- All transactions must be settled and recorded daily. Departments must also reconcile their account activity at least monthly.
- Departmental personnel must reconcile transactions captured/processed through the terminal/web processor with the sales transactions posted to Banner.
- Audits will be performed periodically by Internal Audit, the Auditor of Public Accounts, Internal Controls Compliance Officer or the PCI Committee. The Cashier’s Office will also do periodic audits on cash handling practices and on compliance with payment card handling procedures.
- Merchant accounts (MIDs) will be reviewed annually for usage. If a merchant has not had any transactions in the past 12-18 months, the merchant will be terminated. The PCI Committee will work with the merchant to determine ongoing needs and solutions.
- Departments needing to close a merchant account need to complete the W&M Request to Close Merchant Account.
Departments: Each department is responsible for ensuring all individuals involved with payment card transactions are aware of the importance of cardholder data security. Specific requirements include:
- Documenting departmental procedures.
- Ensuring that payment card activities are in compliance with PCI DSS requirements and associated university procedures.
- Completing the annual validation of PCI compliance by submitting the appropriate PCI DSS Self-Assessment Questionnaire (SAQ) and supporting university-required documents.
- Confirming the appropriate individuals complete the annual W&M Payment Card Security & Confidentiality Agreement, PCI DSS-W&M Payment Card training and W&M Security Education and Awareness training.
- Reporting any suspected or confirmed breach immediately to the Chief Information Technology Security Officer. Departments will be responsible for any fines levied against the university that result from noncompliance.
Financial Operations: Financial Operations is responsible for the following:
- Ensuring annual review of this document (W&M Payment Card Policy & Procedures).
- Ensuring annual validation and completion of PCI compliance with the university’s acquiring bank is complete.
- Performing the annual review of departmental procedures and practices in connection with payment card transactions.
- Consulting with Information Technology prior to implementing any new payment card process.
- Overseeing the creation and implementation of PCI DSS-W&M Payment Card training.
Information Technology: IT is responsible for the following:
- Verifying the appropriate technical system security controls are in place in accordance with PCI Data Security Standards.
- Performing regular monitoring and testing of the William & Mary network.
- Establishing and reviewing security incident response and escalation procedures and initiating such procedures when necessary to ensure timely and efficient handling of all incidents.
- Implementing the W&M Security Awareness and Education training and confirming individuals have completed it annually.
- Consulting with Financial Operations and Procurement on the security (PCI DSS compliance), purchase and implementation on any new payment card processes/systems.
PCI Committee: The PCI Committee is an oversight committee composed of representatives from Financial Operations, IT, Internal Audit and, at least, one merchant. The committee is responsible for assisting the university to be compliant with PCI DSS and reduce the scope of items that will need to be compliant with the PCI DSS by implementing changes set forth by the strategic direction of the university. Specific responsibilities include:
Procurement: Procurement is responsible for the following:
- Maintaining this policy and the training for PCI DSS compliance.
- Reviewing related policies and procedures annually.
- Conducting periodic audits of merchant payment card processing.
- Advising merchants on policies and procedures, as needed.
- Reviewing proposed software solutions and related procedures for PCI DSS Compliance.
- Onboarding new merchants.
- Reviewing related policies and procedures annually.
- Consulting with Financial Operations and Information Technology on the security (PCI DSS), purchase and implementation on any new payment card processes/systems.
- Collecting attestations of PCI Compliance from contracted vendors, annually.
Failure to meet the requirements outlined in this policy will result in suspension of the physical and, if appropriate, electronic payment capability for the affected merchant(s). In the event of a breach or a PCI violation the payment card brands may assess penalties to William & Mary’s bank which will likely then be passed on to William & Mary. A one-time penalty of up to $500,000 per card brand per breach can be assessed as well as on-going monthly penalties.
Persons in violation of this policy are subject to sanctions, including loss of computer or network access privileges, disciplinary action, suspension and termination of employment, as well as legal action. Some violations may constitute criminal offenses under local, state, or federal laws. William & Mary will carry out its responsibility to report such violations to the appropriate authorities.
Breach: Also referred to as “data compromise,” or “data breach.” Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected. A data breach may also occur when card holder data is taken/stolen from paper sources and used in an unauthorized manner.
Cardholder: The customer to whom a payment card has been issued or the individual authorized to use the card.
Cardholder Data (CHD): Personally identifiable data about the cardholder gathered as a direct result of a payment card transaction. At a minimum, it consists of the full primary account number (PAN). It may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code.
Card-Validation Code/Value: The three-digit or four-digit value printed on the payment card used to verify card-not-present transactions. On a MasterCard this is called CVC2. On a Visa card this is called CVV2. On an American Express card this is called CID.
Chargeback: A charge to the merchant when the cardholder or the cardholder’s bank challenges all or part of a purchase. An action will be required and an adjustment will be made to the merchant account.
Encryption: The process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key. Use of encryption protects information from unauthorized disclosure between the encryption process and the decryption process (the inverse of encryption).
Firewall: Hardware and/or software that protect the resources of one network from users from other networks. Typically, an enterprise with an intranet that allows its workers access to the wider Internet must have a firewall to prevent outsiders from accessing its own private data resources.
Magnetic Stripe or Chip Data (Track Data): Data encoded in the magnetic stripe or chip used for authorization during a card present transaction.
Network: A network is defined as two or more computers connected to each other so they can share resources.
PAN: Acronym for “primary account number” and also referred to as “account number.” Unique payment card number that identifies the issuer and the particular cardholder account.
Payment Application: In the context of PA-DSS, a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.
Payment Card Receipt Transactions: Any collection of cardholder data to be used in a financial transaction whether by facsimile, paper, card presentation or electronic means.
Sensitive Authentication Data: Security data used to authenticate a cardholder and/or authorize payment card transactions. Includes full track data from magnetic stripe or chip, card validation code/value, and PINs/PIN blocks.
Third Party Service Provider: A business entity that is directly involved in the collecting, processing, storage or transmission of cardholder data on behalf of another entity. This includes companies that provide services that control or could affect the security of cardholder data.
1.8 W&M Policy References
Pertinent references to university policies and standards: