Latest about COVID-19 and W&M's Path Forward.

Info for... William & Mary
William & Mary W&M menu close William & Mary

Payment Card Policy and Procedures

1.0 W&M Payment Card Policy
Single column table within another table, used to present a collapsible list of report options, external
1.1 Purpose

The purpose of this policy is to ensure William & Mary complies with the Payment Card Industry Data Security Standard (PCI DSS), and represents the university's requirements to prevent the loss or unauthorized disclosure of sensitive customer information including payment card data. Failure to comply may result in financial loss for customers, suspension of credit card processing privileges, and fines imposed on and damage to the reputation of William & Mary.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements agreed upon by the five major credit card companies; VISA, MasterCard, Discover, American Express, and JCB.  (Section 3 provides a summary of these standards.)  These security requirements apply to all transactions surrounding the payment card industry and the merchants/organizations that accept these cards as forms of payment.  In order to accept credit card payments, William & Mary must annually prove and maintain compliance with these standards.

1.2 Scope

This policy applies to all academic and administrative units and associated individuals (faculty, staff, students, volunteers) of William & Mary who are involved in the acceptance of credit/debit card payments as well as all external entities contracted by William & Mary that provide or use payment card processing services.  This includes third-party vendors, individuals, systems, and networks involved in the transmission, storage (electronic or physical), and/or processing of payment card data including entities that can impact the security of payment card data.

1.3 Policy

It is the policy of William & Mary to allow acceptance of payment cards as a form of payment for goods and services upon written approval from the Office of University Operations - Financial Operations.  William & Mary requires all departments that accept payment cards to do so only in compliance with PCI DSS and in accordance with this policy and procedures document and other referenced documents herein.    

  1. University departments/units must request and receive approval from Financial Operations to accept payment cards using the W&M Payment Card Application.  All approved entities must establish departmental processes and procedures using Section 2 of this document as a guide.   In addition, entities may use the Departmental Cardhandling Procedures as a template.
  1. Departments accepting payment cards will sign the W&M Payment Card Security & Confidentiality Agreement with Financial Operations that details their responsibilities and policies that must be followed. This agreement must be renewed annually as it may be updated from time to time as requirements change. Failure to follow the requirements of the agreement may result in the revocation of your ability to accept card payments.
  1. All departments and individuals involved must annually complete the required training; PCI DSS-W&M Payment Card training and W&M Security Education and Awareness training. Departments must track each individual’s completion of training using the PCI DSS Security Awareness Program Roster
  1. Departments must accept only payment cards authorized by Financial Operations and agree to operate in accordance with the contract(s) William & Mary holds with its service provider(s) and the card brands. This ensures all transactions are in compliance with the PCI DSS, federal regulations, National Automated Clearing House Association (NACHA) rules, service provider contracts, and William & Mary policies regarding security and privacy that pertain to electronic transactions.
  1. Payment cards may only be accepted using the methods approved by the university (Financial Operations, Information Technology and Procurement).
    • New technology solutions must be approved prior to implementation and must be properly secured and documented.
    • Vendors of third party systems accepting payment cards must provide PCI compliance documentation. The Office of Procurement must keep on-site a current copy of that vendor’s PCI certificate.
    • Procurement of any software applications, third party services, or development of payment channels must be approved [by Financial Operations, Information Technology and Procurement] prior to the execution of contractual agreements or any free trials.
  1. All types of media containing payment card information must be destroyed in accordance with PCI DSS and Library of Virginia’s Record Retention schedule. In addition: 
    • Limit data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements.
    • Treat all data as confidential. Data that is not necessary in order to conduct business should not be retained in any format.
    • Adhere to specific retention requirements for cardholder data.
    • Follow processes for secure deletion of data when no longer needed.
    • Utilize a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
    • Restrict physical access to data records to staff with a need to know.
  1. All processing equipment must be obtained by Financial Operations – Cashier’s office.  Exceptions to this policy will be limited and will require a business plan (including reason why the available central processing systems will not work for your area) to be submitted and approved by Financial Operations and IT in advance of any equipment or system purchase.
  2. All payments received must be directed into a William & Mary approved bank account. The type and nature of the electronic transaction (e.g., ACH, Credit Card, Point of Purchase, wire, etc.) will dictate where the transaction is deposited.
  3. Departments are responsible for all expenses associated with payment card merchant accounts and cannot adjust the price of goods or services based upon the method of payment, i.e., price must be the same for credit card payments and check payments.
  4. Accounting entries to record the receipt of the payment will be linked directly into William  & Mary’s finance system (Banner), whenever possible, to ensure timely recording of transactions and expedite the prompt reconcilement of general ledger and bank accounts.
  5. Payment card information is considered confidential, and must be treated as carefully as any other sensitive/confidential information (see Data Classification Policy).
    • Under no circumstances should a department or unit store sensitive authentication data (track data from the magnetic stripe, card-validation code CVV2 data, etc.) subsequent to authorization (not even if encrypted).
    • Never send or request cardholder information to be sent via email.
    • Customer records located within units should be stored in locked cabinets or non-portable safes dedicated solely to these records. Full payment card information should never be stored.
    • If a form containing cardholder data (i.e., the payment card number) must be retained for operating purposes, the card number must be rendered unreadable by encryption or punchout anywhere it is stored.
    • Under no circumstances should a department retain electronically (including Excel files, databases) or on paper the payment card numbers and expiration dates of payment cards.
    • Access should be limited to only those staff who need this information to accomplish their work.
    • Departments destroying cardholder information are REQUIRED to cross-shred or punch out card numbers on all documents before placing it in the trash.
    • To protect our clients from the possibility of data loss due to spyware and keyboard “sniffers”, a department must NOT enter a client’s payment card data into a website on behalf of the client. Clients should be directed to the appropriate website (Financial Operations and IT must approve any exceptions).
    • All visitors must be authorized before entering areas where cardholder data is processed or maintained. Departments must maintain a Payment Card Visitors Log.
    • Appropriate facility entry controls (i.e., physical access or system access) must be used to limit and monitor physical access to systems that store, process, or transmit cardholder data.
    • Remove all sensitive documents from your work area when not in use and secure the documents properly at the end of the day.
    • Virtual points-of-sale can be used to process payment card data upon approval by Financial Operations and IT.
  1. Departments using the card swipe terminals must follow the transaction processing guidelines as outlined by the vendor (First Data).
  2. Departments using card swipe terminals must inspect terminals periodically for tampering and log inspections. Inspections must be logged using the W&M PCI Quality Control Check List.
  3. Products sold must be evaluated by Financial Operations to determine if sales tax must be collected. Financial Operations will determine the appropriate sales tax when a merchant account is requested.  Direct all tax questions to tax@wm.edu.
  4. Departments must submit a copy of the payment card “settlement slip” when submitting cash reports or deposit transmittals to the Cashier’s Office.
  5. Departments using a web-based application must submit a copy of the settlement information from the web when submitting deposit transmittals to the Cashier’s Office.
  6. All transactions must be settled and recorded daily. Departments must also reconcile their account activity at least monthly.
  7. Departmental personnel must reconcile transactions captured/processed through the terminal/web processor with the sales transactions posted to Banner.
  8. Audits will be performed periodically by Internal Audit, the Auditor of Public Accounts, Internal Controls Compliance Officer or the PCI Committee. The Cashier’s Office will also do periodic audits on cash handling practices and on compliance with payment card handling procedures.
  9. Departments needing to close a merchant account need to complete the W&M Request to Close Merchant Account.
1.5 Responsibilities 

Departments:  Each department is responsible for ensuring all individuals involved with payment card transactions are aware of the importance of cardholder data security.  Specific requirements include:

  • Documenting departmental procedures.
  • Ensuring that payment card activities are in compliance with PCI DSS requirements and associated university procedures.
  • Completing the annual validation of PCI compliance by submitting the appropriate PCI DSS Self-Assessment Questionnaire (SAQ) and supporting university-required documents.
  • Confirming the appropriate individuals complete the annual W&M Payment Card Security & Confidentiality Agreement, PCI DSS-W&M Payment Card training and W&M Security Education and Awareness training.  
  • Reporting any suspected or confirmed breach immediately to the Chief Information Technology Security Officer. Departments will be responsible for any fines levied against the university that result from noncompliance. 

Financial Operations:  Financial Operations is responsible for the following:

  • Ensuring annual review of this document (W&M Payment Card Policy & Procedures).
  • Ensuring annual validation and completion of PCI compliance with the university’s acquiring bank is complete.
  • Performing the annual review of departmental procedures and practices in connection with payment card transactions.
  • Consulting with Information Technology prior to implementing any new payment card process.
  • Overseeing the creation and implementation of PCI DSS-W&M Payment Card training.

Information Technology:  IT is responsible for the following:

  • Verifying the appropriate technical system security controls are in place in accordance with PCI Data Security Standards.
  • Performing regular monitoring and testing of the William & Mary network.
  • Establishing and reviewing security incident response and escalation procedures and initiating such procedures when necessary to ensure timely and efficient handling of all incidents.
  • Implementing the W&M Security Awareness and Education training and confirming individuals have completed it annually.
  • Consulting with Financial Operations and Procurement on the security (PCI DSS compliance), purchase and implementation on any new payment card processes/systems.

PCI Committee:  The PCI Committee is an oversight committee composed of representatives from Financial Operations, IT, Internal Audit and, at least, one merchant.  The committee is responsible for assisting the university to be compliant with PCI DSS and reduce the scope of items that will need to be compliant with the PCI DSS by implementing changes set forth by the strategic direction of the university. Specific responsibilities include:

  • Maintaining this policy and the training for PCI DSS compliance.
  • Reviewing related policies and procedures annually.
  • Conducting periodic audits of merchant payment card processing.
  • Advising merchants on policies and procedures, as needed.
  • Reviewing proposed software solutions and related procedures for PCI DSS Compliance.
  • Onboarding new merchants.
  • Reviewing related policies and procedures annually.
Procurement: Procurement is responsible for the following:
  • Consulting with Financial Operations and Information Technology on the security (PCI DSS), purchase and implementation on any new payment card processes/systems.
  • Collecting attestations of PCI Compliance from contracted vendors, annually.
1.6 Compliance

Failure to meet the requirements outlined in this policy will result in suspension of the physical and, if appropriate, electronic payment capability for the affected merchant(s). In the event of a breach or a PCI violation the payment card brands may assess penalties to William & Mary’s bank which will likely then be passed on to William & Mary.  A one-time penalty of up to $500,000 per card brand per breach can be assessed as well as on-going monthly penalties.

Persons in violation of this policy are subject to sanctions, including loss of computer or network access privileges, disciplinary action, suspension and termination of employment, as well as legal action. Some violations may constitute criminal offenses under local, state, or federal laws. William & Mary will carry out its responsibility to report such violations to the appropriate authorities.

1.7 Definitions

Breach:  Also referred to as “data compromise,” or “data breach.”  Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.  A data breach may also occur when card holder data is taken/stolen from paper sources and used in an unauthorized manner.

Cardholder:  The customer to whom a payment card has been issued or the individual authorized to use the card.

Cardholder Data (CHD): Personally identifiable data about the cardholder gathered as a direct result of a payment card transaction.  At a minimum, it consists of the full primary account number (PAN).  It may also appear in the form of the full PAN plus any of the following:  cardholder name, expiration date, and/or service code.

Card-Validation Code/Value: The three-digit or four-digit value printed on the payment card used to verify card-not-present transactions. On a MasterCard this is called CVC2. On a Visa card this is called CVV2. On an American Express card this is called CID.

Chargeback:  A charge to the merchant when the cardholder or the cardholder’s bank challenges all or part of a purchase.  An action will be required and an adjustment will be made to the merchant account.

Encryption: The process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key. Use of encryption protects information from unauthorized disclosure between the encryption process and the decryption process (the inverse of encryption).

Firewall: Hardware and/or software that protect the resources of one network from users from other networks. Typically, an enterprise with an intranet that allows its workers access to the wider Internet must have a firewall to prevent outsiders from accessing its own private data resources.

Magnetic Stripe or Chip Data (Track Data): Data encoded in the magnetic stripe or chip used for authorization during a card present transaction.

Network: A network is defined as two or more computers connected to each other so they can share resources.

PAN: Acronym for “primary account number” and also referred to as “account number.” Unique payment card number that identifies the issuer and the particular cardholder account.

Payment Application: In the context of PA-DSS, a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.

Payment Card Receipt Transactions: Any collection of cardholder data to be used in a financial transaction whether by facsimile, paper, card presentation or electronic means.

Sensitive Authentication Data: Security data used to authenticate a cardholder and/or authorize payment card transactions. Includes full track data from magnetic stripe or chip, card validation code/value, and PINs/PIN blocks.

Third Party Service Provider: A business entity that is directly involved in the collecting, processing, storage or transmission of cardholder data on behalf of another entity. This includes companies that provide services that control or could affect the security of cardholder data. 

1.8 W&M Policy References

Pertinent references to university policies and standards:

2.0 W&M Payment Card Procedures

William & Mary requires all departments that accept payment cards to do so only in accordance with PCI DSS and the following procedures.

Single column table within another table, used to present a collapsible list of report options, external
2.1 Card Acceptance and Handling

The opening of a new merchant account for the purpose of accepting and processing payment cards is done on a case-by-case basis.  Any fees associated with the acceptance of the payment card in that department will be charged to that individual merchant.

A department manager must contact Financial Operations to begin the process following these steps:

  1. Contact the PCI Committee, PCI@wm.edu, to have a conversation regarding your department’s needs. 
  2. Review the policy and related procedures. 
  3. Complete and submit the W&M Payment Card Application.
  4. Direct department individual(s) to complete required training (PCI DSS-W&M Payment Card training and W&M Security Education and Awareness training).
  5. Maintain a training log of the required training completed by each department individual.
  6. Direct department individual(s) to review and sign the W&M Payment Card Security & Confidentiality Agreement.
  7. Using the training log review the acknowledgement of this document, W&M Payment Card Policy and Procedures, including proof of ongoing compliance with all requirements of the policy.
  8. Designate an individual within the department who will have primary authority and responsibility for payment card transactions. The department should also specify a back-up, or person of secondary responsibility, should matters arise when the primary is unavailable.
  9. Create department procedures on how your department will handle credit cards with the specific details regarding processing and reconciliation for each departmental merchant, if different, as it will depend on the method of payment card acceptance and type of merchant account. A template has been created that you can use as a base; W&M Departmental Card Handling Procedures.
  10. All service providers and third party vendors providing payment card services must be PCI DSS compliant and be vetted through the procurement and contracting process. Departments who contract with third-party service providers must maintain a list that documents all service providers and: 
    • Ensure contracts include language stating that the service provider or third party vendor is PCI complaint and will protect all cardholder data.
    • Annually audit the PCI compliance status of all service providers and third-party vendors. A lapse in PCI compliance could result in the termination of the relationship.
2.2 Payment Card Data Security

All departments authorized to accept payment card transactions must have their card handling procedures documented and made available for periodic review. Departments must have in place the following components in their procedures and ensure that these components are maintained on an ongoing basis. (As stated above the W&M Departmental Card Handling Procedures can be used as a template.)

PROCESSING AND COLLECTION
  1. Access to cardholder data (CHD) must be restricted to only those users who need the data to perform their jobs. Each merchant department must maintain a current list of individuals (Employee Access Log) with access to CHD and review the list periodically to ensure that the list reflects the most current access needed and granted.
  2. All equipment used to collect cardholder data must be secured against unauthorized use or tampering in accordance with the PCI DSS. This includes the following:
    • Maintaining an inventory/list of devices and their location; W&M PCI Quality Control Checklist.
    • Periodic inspection of the devices to check for tampering or substitution.
    • Training all personnel to be aware of suspicious behavior and reporting procedures in the event of suspected tampering or substitution.
  3. Cardholder data must not be processed, stored or transmitted using the university’s network unless the Chief IT Security Officer has verified the technical controls, including firewalls and encryption, in accordance with the PCI DSS.
  4. Email must never be used to transmit payment card or personal payment information, nor should it be accepted as a method to supply such information. In the event that it does occur, disposal as outlined below is critical. If payment card data is received in an email then:
    • The email should be replied to immediately with the payment card number deleted stating that "William & Mary does not accept payment card data via email as it is not a secure method of transmitting cardholder data".
    • Provide a list of the alternate, compliant option(s) for payment.
    • Delete the email from your inbox and also delete it from your email Trash.
  5. If fax machines are used to transmit payment card information to a merchant department, it must be a standalone machine and on the appropriate secure network with appropriate physical security; receipt or transmission of payment card data using a multi-function fax machine is not permitted. Departments must work with IT to ensure the fax machine is on the appropriate network.
STORAGE AND DESTRUCTION
  1. Cardholder data, whether collected on paper or electronically, must be protected against unauthorized access.
  2. Physical security controls must be in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment, documents, or electronic files containing cardholder data.
  3. No database, electronic file, or other electronic repository of information will store the full contents of any track from the magnetic stripe, or the card validation code.
  4. Portable electronic media devices should not be used to store cardholder data. These devices include, but are not limited to, the following: laptops, ipads, tablets, smart phones or other handheld devices, compact disks, floppy disks, USB flash drives, personal digital assistants, and portable external hard drives.
  5. Cardholder data should not be retained any longer than that defined by a legitimate business need and must be destroyed immediately following the required retention period (see Library of Virginia’s Record Retention schedule) using a PCI DSS-approved method of destruction. A regular schedule of deleting or destroying data should be established in the merchant department to ensure that no cardholder data is kept beyond the required retention period. 
2.3 Risk Assessment

William & Mary should conduct annual risk assessments for PCI DSS compliance. 

  • Information Technology should implement a formal risk assessment process in which current threats and vulnerabilities to the institution’s network and processing environment, including staff, are analyzed. IT should also conduct the risk assessment of the infrastructure and threats. 
  • Departments accepting payment cards must also conduct an assessment of their physical environments and assess risks to the payment card environment which includes devices and cardholder data.
  • Each area will need to address all threats with mitigation tasks, timelines and/or acceptance statements.
  • Each area will need to prepare and maintain documented output from the risk assessment exercise(s).
2.4 Incident Response

William & Mary Information Technology Security maintains the Incident Response Plan it will execute in the event of a breach or suspected breach of security.  Departments must immediately contact IT Security for any breach or suspected breach. This includes any suspected activity involving computers (hacking, unauthorized access, etc).  For the fastest response, information security incidents should be reported directly using one of the options below.  The Security Incident Response Team monitors these communication channels continuously during business and most non-business hours. 

Immediately, upon receipt of an incident reported, a member of the Security Incident Response team will document necessary information about the incident using the Information Security Report Form.

Security Incident Response Team

Name

Department

Role

Telephone

Email

Pete Kellogg

IT

CISO and IRP Lead

757-870-9806

pckell@wm.edu

Matt Keel

IT

Network Security Engineer and IRP Secondary

757-603-6883

mikeel@wm.edu

Jim Supplee

IT

Network Security Engineer

757-903-5330

jbsupp@wm.edu

Eric Myers

IT

Network Security Engineer

757-608-8724

emmyer@wm.edu

Incident Response Plan (IRP)

William & Mary’s Security Incident Response Plan is summarized as follows:

  1. All incidents must be reported to the Security Incident Response Team using the methods provided above.
  2. The Security Incident Response Team will confirm receipt of the incident notification.
  3. The Security Incident Response Team will investigate the incident and assist the compromised department in limiting the exposure of cardholder data.
  4. The Security Incident Response Team will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties (credit card associations, credit card processors, etc.) as necessary.
  5. The Security Incident Response Team will determine if policies and processes need to be updated to avoid a similar incident in the future.

In the event of a suspected or confirmed PCI DSS incident involving a payment station (PC used to process credit cards):

  • Do NOT turn off the PC.
  • Disconnect the network cable connecting the PC to the network jack. If the cable is secured and you do not have the key to the network jack, simply cut the network cable.
  • Document any steps taken until the Response Team has arrived. Include the date, time, person/persons involved and action taken for each step.
  • Assist the Response Team as they investigate the incident.

The Incident Response Plan will be reviewed and tested at least annually by IT.

2.5 Policy and Training
Policy

The PCI Committee, Financial Operations and Chief IT Security Officer will review this policy document annually to ensure it is up-to-date and covers the entirety of the PCI DSS.  

  • Departments will maintain the following:
  • Departments will maintain their departmental procedures and review annually.
  • The PCI Committee will audit departments annually for compliance.
Training

All departments and associated users accepting payment cards must complete PCI DSS-W&M Payment Card training and W&M Security Education and Awareness training prior to accepting payment cards.  Thereafter, all personnel must complete the trainings annually.  Departments will maintain a log of the completed training using the W&M PCI Awareness Roster.    

3.0 Payment Card Industry Data Security Standards (PCI-DSS)
Single column table within another table, used to present a collapsible list of report options, external
3.1 Build and Maintain a Secure Network

Payment Card Industry Data Security Standards (PCI-DSS) are national standards from the Card Association and apply to all organizations anywhere in the country that process, transmit or store payment cardholder data.  William & Mary and all departments that process payment card data have a contractual obligation to adhere to the PCI Data Security Standard.  We must adhere to these standards to continue to process payments using payment cards and to protect our client’s data. 

The current version of the standard specifies 12 requirements for compliance, organized into six related groups, which are called control objectives.  All of these requirements revolve around securing the cardholder information, permitting access to the information only when there is a business need, and destroying the information in a secure manner.  The control objective and associated requirements are:

Build and Maintain a Secure Network

W&M Information Technology and VIMS Information Technology are responsible for ensuring compliance for these requirements.

Requirement 1 - Install and maintain a firewall configuration to protect cardholder data.

  • Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks.

Requirement 2 – Do not use vendor-supplied defaults for any system passwords and other security parameters.

  • Always change the vendor-supplied defaults before you install a system on the network (e.g., passwords, SNMP community strings, and elimination of unnecessary accounts.)
  • Configure system security parameters to prevent misuse.
Protect Cardholder Data

W&M Information Technology, VIMS Information Technology and each department are responsible for ensuring compliance for these requirements.

Requirement 3 – Protect stored cardholder data.

  • Do not store sensitive authentication data subsequent to authorization (not even if encrypted).
  • Keep cardholder information storage to a minimum.
  • Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
  • Do not store full contents of any track from the magnetic stripe (on the back of a card, in a chip, etc.)
  • Do not store the card-validation code, three digit or four digit value printed on the front or back of a payment card, e.g., CVV2 and CVC2 data or the PIN Verification Value (PVV).
  • Mask account numbers when displayed (the first six and last four digits are the maximum number of digits to be displayed.

Requirement 4 – Encrypt transmission of cardholder data across open, public networks.

  • Never send cardholder information via unencrypted email.
  • Use strong cryptography and encryption to safeguard sensitive cardholder data during transmission over public networks.
3.2 Maintain a Vulnerability Management Program

W&M Information Technology and VIMS Information Technology are responsible for ensuring compliance for these requirements.

Requirement 5 – Protect all systems against malware and regularly update anti-virus software or program.

  • Deploy anti-virus mechanisms on all systems commonly affected by viruses (e.g., PCs and servers)
  • Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

Requirement 6 – Develop and maintain secure systems and applications.

  • Ensure that all system components and software have the latest vendor-supplied security patches.
  • Install relevant security patches within one month of release.
  • Establish a process to identify newly discovered security vulnerabilities (e.g., subscribe to alert services freely available on the Internet.)
  • Develop software applications based on industry best practices and include information security throughout the software development lifecycle.
  • Follow change control procedures for all systems and software configuration changes.
  • Develop web software and applications based on secure coding guidelines such as the Open Web Application Security Project guidelines.
3.3 Implement Strong Access Control Measures

W&M Information Technology, VIMS Information Technology and each department are responsible for ensuring compliance for these requirements.

Requirement 7 – Restrict access to cardholder data by business need-to-know.

  • Limit access to computing resources and cardholder information to only those individuals whose job requires such access.
  • Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.

Requirement 8 – Identify and authenticate access to system components.

  • Identify all users with a unique username before allowing them to access system components or cardholder data.
  • Encrypt all passwords during transmission and storage, on all system components.
  • Remove inactive user accounts at least every 90 days.
  • Distribute password procedures and policies to all users who have access to cardholder information.
  • Do not use group, shared, or generic accounts/passwords.
  • Change user passwords at least every 90 days.
  • Limit repeated attempts by locking out the user ID after not more than six attempts.
  • Authenticate all access to any database containing cardholder information. This includes access by applications, administrators, and all other users.

Requirement 9 – Restrict physical access to cardholder data.

  • Physically secure all paper and electronic media (e.g., computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder information.
  • Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.
  • Restrict physical access to wireless access points, gateways, and handheld devices.
  • Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder information is accessible.
  • Make sure all visitors are authorized before entering areas where cardholder data is processes or maintained.
  • Maintain strict control over the storage and accessibility of media that contains cardholder information:
    • Properly inventory all media and make sure it is securely stored.
    • Destroy media containing cardholder information when it is no longer needed for business or legal reasons:
    • Cross-cut shred, incinerate, or pulp hardcopy materials

Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed.

3.4 Regularly Monitor and Test Networks

W&M Information Technology and VIMS Information Technology are responsible for ensuring compliance for these requirements.

Requirement 10 – Track and monitor all access to network resources and cardholder data.

Requirement 11 – Regularly test security systems and processes 

  • Test security controls, limitations, network connections, and restrictions routinely to make sure they can adequately identify or stop any unauthorized access attempts. Where wireless technology is deployed, use a wireless analyzer periodically to identify all wireless devices in use.
  • Run internal and external network vulnerability scans at least quarterly and after any significant change in the network topology, firewall rule modifications, product upgrades).
  • Perform penetration testing on network infrastructure and applications at least once a year and after any significant infrastructure or application upgrade or modification (e.g., operating system upgrade, sub-network added to environment, web server added to environment).
  • Use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems.
3.5 Maintain an Information Security Policy

W&M Information Technology, VIMS Information Technology, and each department are responsible for ensuring compliance for this requirement.

Requirement 12 – Maintain a policy that addresses information security

  • Ensure the security policy and procedures clearly define information security responsibilities for all employees and contractors.
  • Make all employees aware of the importance of cardholder information security.
  • Require employees to acknowledge in writing they have read and understood the company’s security policy and procedures.
  • Implement an incident response plan. Be prepared to respond immediately to a system breach.
  • Provide appropriate training to staff with security breach response responsibilities.