Bentley University PCI DSS Policy
- Overview and Purpose
- Credit Card Acceptance and Processing
- Data Retention and Destruction
- Credit Card Data Security
- Responding to a security breach
- Policy Support Contact
- Approval and Revisions
- Supporting Documentation
1.0 Overview and Purpose
This policy addresses the Payment Card Industry (PCI) Data Security Standard (DSS), which is contractually imposed by the major credit card brands on merchants that accept these cards as forms of payment.
The policy covers the following specific areas contained in the PCI standards related to cardholder data: collecting, processing, transmitting, storing and disposing of cardholder data. All departments that participate in credit card processing must have documented procedures pertaining to the items noted above. The documents should be available for periodic review.
- Cardholder data – Any personally-identifiable data associated with a cardholder. Such data include account number, expiration date, name, address, social security number, Card Validation Code, Card Verification Value, Card Identification Number, or Card member ID.
- PCI-DSS - Payment Card Industry Data Security Standards
4.0 Credit Card Acceptance and Processing
In the course of doing business at Bentley University, it may be necessary for a department to accept credit cards for payment. The opening of a new merchant account for the purpose of accepting and processing credit cards at the University is done on a case by case basis and coordinated through Financial Operations. Any fees associated with the acceptance of the credit cards in a department will be charged to that department.
Any department accepting credit cards on behalf of the University must designate an individual within the department who will have primary authority and responsibility within that department for credit card transactions.
Specific details regarding processing and reconciliation will depend upon the method of credit card acceptance and type of merchant account. Detailed instructions will be provided by Financial Operations when a new merchant account is opened.
5.0 Credit Card Data Security
Departments must have in place the following components in their procedures and ensure that these components are maintained on an ongoing basis.
- Access to collected cardholder data is restricted to those users who need the data to perform their jobs. Each department must maintain a current list of employees with access and review the list annually, or whenever there is a change in staff, to ensure that the list reflects the most current access needed and granted.
- Cardholder data, whether collected on paper or electronically, are protected against unauthorized access.
- All equipment used to collect data is secured against unauthorized use in accordance with the PCI Data Security Standard.
- Physical security controls are in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment, documents or electronic files containing cardholder data.
- PCI Compliance at Bentley is a joint effort. The Information Security and Privacy Administrator will work jointly with departments that process credit cards to ensure that the departments are PCI compliant. Individual departments are held responsible for PCI compliance for all departmental procedures, applications, point of sale devices and departmentally administered systems that process, or transmit cardholder data.
- End-user messaging such as E-mail, Instant Messaging (IM), Social Media, or other cloud-based services should not be used to transmit credit card or personal payment information, nor should it be accepted as a method to supply such information. If such a message is nevertheless received, the cardholder data it contains must be disposed of as outlined in section 6.0.
- If a fax machine is regularly used to transmit credit card information to a merchant department, that machine should be a stand-alone machine with appropriate physical security. Disposal of credit card information provided via fax should follow section 6.0.
- No database, electronic file, or other electronic repository of information will store full credit/debit card numbers, the full contents of any track from the magnetic stripe, or the card-validation code.
- Bentley issued computers and portable electronic media devices should not be used to store cardholder data. These devices include, but are not limited to, the following: desktops, laptops, compact disks, DVDs, floppy disks, USB flash drives, smartphones, tablets, personal digital assistants and portable external hard drives.
6.0 Data Retention and Destruction
- Cardholder data in paper form should be retained for three months or less for reconciliation purposes and destroyed immediately following the required retention period.
- A regular schedule of deleting or destroying data should be established in the department to ensure that no cardholder data is kept beyond the record retention requirements.
- Paper documents should be shredded in a cross-cut shredder.
- Electronic data should be sanitized with an electronic shredding tool sponsored by the University.
7.0 Responding to a Data Security Breach
In the event of a breach or suspected breach of security, the department or unit must immediately execute each of the relevant steps below:
- Document every action taken from the point of suspected breach forward, preserving any logs or electronic evidence available.
- If the affected machine is a desktop or laptop, disconnect the computer/device(s) from the network. DO NOT turn the system off or reboot. Leave the device powered on and disconnected from the network.
  - Disconnect the device from the Ethernet (wired) network by unplugging the cable.
  - Disconnect from the wireless network by disabling the wireless network card.
- If the affected device is a server, contact Computer Operations at x3181 and ask the operator to disconnect the device from the Network.
- Notify the Information Security and Privacy Administrator and the Director or department head of the organization experiencing the primary account number data breach.
- Email (from an unaffected system) may be used for initial contact but further details of the breach should not be disclosed in email correspondence.
- Prevent any further access to or alteration of the compromised system(s) (i.e., do not log on to the machine, do not change passwords, and do not run a virus scan). In short, leave the system(s) alone, disconnected from the network, and wait to hear from the Information Security and Privacy Administrator.
- If warranted, the University will invoke its Data Breach Response Plan with further notifications and procedures.
Any exceptions to this policy are to be reviewed and approved by the Information Security and Privacy Administrator in consultation with the Information Privacy Committee as needed.
Failure to meet the requirements outlined in this policy may result in suspension of the physical and, if appropriate, electronic payment capability with credit cards for affected departments. As described in Bentley’s Acceptable Usage Policy, anyone found to have violated this policy may be subject to disciplinary action, up to and including immediate termination.
10.0 Policy Support Contact
- Information Security and Data Privacy Administrator
11.0 Approval and Revisions
This policy is approved by the Information Privacy Committee. The policy is reviewed on an annual basis and updated as needed.
- Revision v1: Approved by the Information Privacy Committee on 7/13/2010
- Revision v2: Approved by the Information Privacy Committee on 9/30/2013
12.0 Supporting Documentation
This policy is supported by the following policies, procedures, and/or guidelines: