Initially approved October 5, 2006

The University of North Carolina at Charlotte
Credit/Debit Card Processing Regulation
(Supplemental to Policy Statement #102, Data and Information Security)
I. Executive Summary and Purpose

This regulation provides requirements and guidance for all credit and debit card processing activities for UNC Charlotte. At the initial publication of this regulation the following sources were consulted and provide the basis for this program: ISO 17799 and Visa CISP.

This regulation deals with access to UNC Charlotte's computing and network resources. All relevant provisions included in Policy Statements #10, #66, and #102 are applicable and included by reference in this document. This regulation replaces and supersedes all other campus policies and procedures for all issues within the scope of this regulation.
II. Scope

This regulation applies to:

A. All academic and administrative units, organizations, affiliates, and employees of UNC Charlotte who accept credit/debit card payments for University business.

B. All external organizations contracted by the parties described in II.A., above, to provide outsourced services for Credit/Debit Card Processing for University business.

C. All academic and administrative units, organizations, affiliates, and employees of UNC Charlotte who provide Credit/Debit Card Processing services for third parties.
III. Definitions

Account Number: The unique number identifying the cardholder's account which is used in financial transactions.

Application Server: The computer hosting the application with which the general end-user or the point-of-sale (POS) terminal connects.

Cardholder Data: Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc.

Cardholder Information Security Program (CISP): CISP defines a standard of due care for securing Visa cardholder data, wherever it is located. CISP compliance has been required of all entities storing, processing, or transmitting Visa cardholder data.

Credit/Debit Card Processing: The act of storing, processing, or transmitting credit/debit cardholder data.

Credit Card Number: Any part or all of the unique number identifying the account for a financial transaction.

Database Servers: The computers storing the sales and/or credit card numbers.

e-Commerce Application: Any internet-enabled financial transaction application, whether a buying application or a selling application.

Employee: Any employee (as defined by the Employee Handbook): faculty, student employee, or contractor employed by a third party and providing services to UNC Charlotte.

Encryption: Scrambling data in a recoverable format.

ISO 17799: The International Standards Organization document defining computer security standards.

POS Device: Point-of-sale (POS) computer or credit card terminals either running as standalone systems or connecting to a server either at UNC Charlotte or at a remote off-site location.

Sensitive Cardholder Data: This is defined as the account number, expiration date, CVC2/CVV2 (a three-digit number imprinted on the signature panel of the card), and data stored on track 1 and track 2 of the magnetic stripe of the card.

Swipe Terminal: POS credit card terminals.

Web Development: The design, development, implementation and management of the user interface of the e-Commerce application.
IV. Regulation

A. The approval process for all Credit/Debit Card Processing activities will be as follows:

1. The VCBA or delegate(s) must approve all Credit/Debit Card Processing activities at UNC Charlotte before a unit enters into any contracts or purchases software and/or equipment. This requirement applies regardless of the transaction method used (e.g. e-commerce, POS device, or e-commerce outsourced to a third party). Approved units must register their Credit/Debit Card Processing information with the Business Affairs Division.

2. All technology implementation (including approval of authorized payment gateways) associated with the Credit/Debit Card Processing must be in accordance with the Credit Card Processing Procedures and approved by the VCBA, CIO or delegate(s) prior to entering into any contracts or purchasing of software and/or equipment.

3. Sensitive cardholder data may not be stored on any UNC Charlotte computer device or network. Any exceptions to this must be in writing and signed by both the VCBA and CIO. Anyone who is granted an exception must contact ITS Information Security for assistance with interpretation and implementation.
B. Units approved for Credit/Debit Card Processing activities must maintain the following standards:

1. All employees (business managers, operations personnel, and technical staff) involved in e-Commerce or POS transactions must attend appropriate training.

2. All employees (business managers, operations personnel, and technical staff) involved in e-Commerce or POS transactions must have appropriate background checks, as determined in accordance with PCI standards and University policies.

3. All units must create, maintain and test annually business continuity and disaster recovery plans as well as incident response capabilities.

4. All servers and POS Devices must be administered in accordance with the requirements of the Credit/Debit Card Processing Procedures.

5. Access to Credit/Debit Card Processing systems and related information must be restricted to personnel who are trained and certified to do so in accordance with University policies and procedures.

6. All outsourcing agreements must meet the standards set forth in the Credit/Debit Card Processing Procedures.

7. All servers that have been granted an exception to store credit card numbers, or that process or link to a server that handles Credit Card Numbers, will be located with Information and Technology Services. All servers and POS Terminals will be administered in accordance with the requirements of the Credit/Debit Card Processing Procedures.

8. If Sensitive Cardholder Data has to be electronically retained, and where proper exceptions have been granted, it may only be held for a maximum of 90 days. All electronically retained Credit Card Numbers must be stored in an Encrypted format and in a physically secure location in accordance with the Credit/Debit Card Processing Procedures. All electronic media used for storing Credit Card Numbers must be destroyed when retired from this use.

9. If Credit Card Numbers have to be physically retained, they may only be held in accordance with University Policy #37. All physically retained Credit Card Numbers must be stored in a physically secure location in accordance with the Credit/Debit Card Processing Procedures. All media used for storing Credit Card Numbers must be destroyed when retired from this use. All hardcopy must be shredded by at least a cross-cut shredder prior to disposal.

10. Access to Credit Card Numbers must be restricted to the minimum number of people possible. No employee may have access to Credit Card Numbers until he or she has attended the Credit/Debit Card Processing Regulation training, has a completed background check, and has tendered written acknowledgement of receipt of a copy of this regulation, the Credit/Debit Card Processing Procedures, and other appropriate policies (e.g., Policy Statements #66, #10, #102 and service and unit level security regulations). After completion of these requirements, the unit head may issue, in writing, authorization for the employee's access. No employee will have access to Credit Card Numbers without such written authorization.

11. Each unit responsible for Credit/Debit Card Processing must complete a self-assessment annually on all systems processing cardholder data to ensure compliance with this regulation and the associated procedures. The University IT Information Security Officer and the Business Affairs Office will, at the request of the unit, assist in the initial self-assessment. Audits will be performed periodically by the Internal Auditing Division to confirm the results of the self-assessments. On a quarterly basis, the ITS Information Security department will conduct a vulnerability assessment on machines involved in the processing of credit/debit cards.
C. On a regular basis, the University IT Information Security Officer, Business Affairs Office and Internal Auditing Department will provide appropriate training to all employees associated with Credit/Debit Card Processing.
V. Procedures

The Credit/Debit Card Processing Procedures document provides details for implementation of this regulation. This separate document carries the full force of this regulation. This separation allows for easier modifications to the procedures due to the changing nature of business, technology and security.
VI. Revisions and Exceptions

This regulation may be revised only with the approval of the VCBA of UNC Charlotte. The VCBA and the CIO may grant exceptions to this regulation or revise the Credit/Debit Card Processing Procedures document by mutual agreement.
VII. Compliance

Failure to comply with this regulation and the associated required procedures will be deemed a violation and subject to disciplinary action under appropriate University disciplinary procedures (Policy Statement #25: Violation of University Policy).

Technology that does not comply with this regulation and the associated required procedures is subject to immediate disconnection from the University's network.
VIII. Communication

Upon approval, this regulation shall be published on the appropriate UNC Charlotte web site(s). The following offices and individuals shall be notified in writing of any subsequent revisions or amendments made to this regulation:

• Vice Chancellors
• Associate Provosts
• Deans, Directors and Department Heads