2006 - Credit Card Sales PCI Compliance

Document purpose

Effective: June 2016

Revised: May 2021

Reviewed: May 2023

Responsible Office: Treasurer

Approval: Treasurer

Authority and Responsibility

The Office of the VP for Finance and Treasurer is responsible for issuing credit card merchant accounts and for overseeing policies and procedures regarding payment processing and adherence to information security policies, guidelines and standards. Information Systems and Computing (ISC) is responsible for the operation of Penn’s data networks (PennNet). The Office of the VP for Finance and Treasurer has the responsibility and authority to ensure that all merchant accounts and any related third-party payment processors adhere to the Payment Card Industry (PCI) requirements to protect cardholder data throughout the University. The Office of the VP for Finance and Treasurer is responsible for submitting the annual Attestation of Compliance (AOC) to the University’s acquiring bank.

The Senior Business Leader(s), in conjunction with the merchant account owners in each School/Center, are responsible for ensuring that their staff members complete the annual PCI training course, that their merchant account(s) remain PCI compliant on a day-to-day basis, and that a Self-Assessment Questionnaire (SAQ) is completed for each merchant account once per year.

Executive Summary

The Payment Card Industry (including Visa, Mastercard, American Express, Discover and the other major card brands) has established stringent security requirements to protect credit card data. These are called the PCI Data Security Standard, or "PCI-DSS." This standard defines the way in which credit card merchant accounts must protect cardholder data and how they validate PCI compliance, based on the method by which credit cards are processed. This policy is intended to be used in conjunction with the complete PCI-DSS as established and revised by the PCI Security Standards Council at: https://www.pcisecuritystandards.org/

Purpose

This policy defines the responsibilities that merchant account owners and Senior Business Leaders have in assessing and validating compliance with PCI-DSS standards. It also establishes responsibility and accountability in the processing of credit card data, conducting the ongoing self-assessment of the merchant account and undertaking any remediation of processes associated with the transmission, storage or processing of credit card data. Upon review of the PCI self-assessments and any necessary remediation efforts by merchant account owners, the office of the VP for Finance and Treasurer will then complete and submit the annual AOC to the University’s acquiring bank that includes all University merchant accounts.

Risk of Non-Compliance

Without adherence to the PCI-DSS standards and this policy, the University would be in a position of unnecessary reputational risk and financial liability.

Departments that fail to comply are subject to:

  • Fines imposed by the payment card industry.
  • Monetary costs associated with remediation, assessment, forensic analysis, fraudulent card activity or legal fees.
  • Suspension of the merchant account.

Definitions

Merchant Account

A relationship set up by the Office of the VP for Finance and Treasurer between the University and a bank in order to accept credit card transactions. The merchant account is tied to a general ledger account to distribute funds appropriately to the School/Center (owner) for which the account was set up.

Merchant

For purposes of the PCI DSS, a merchant is defined as any School/Center that accepts payment cards bearing the logos of any of the five members of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers.

Merchant Account Owner

As defined by Penn: point of contact for the School/Center’s merchant account. This person is responsible for the completion of the Self-Assessment Questionnaire in the approved SAQ portal in conjunction with the Senior Business Leader. This should be a full time, exempt Penn employee approved by the Senior Business Leader.

Cardholder Data

At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.

Primary Account Number (PAN)

Primary Account Number is the payment card number (credit or debit) that identifies the issuer and the particular cardholder account. It is also called Account Number.

Payment Card Industry Data Security Standard (PCI-DSS)

The PCI-DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council (PCI-SSC), including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI-DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

PCI Security Standards Council (PCI-SSC)

The Security Standards Council defines credentials and qualifications for assessors and vendors as well as maintaining the PCI-DSS.

Approved Scanning Vendor (ASV)

A company approved by the PCI-SSC to conduct external vulnerability scanning services.

Penetration Test

Penetration tests attempt to identify ways to exploit vulnerabilities in order to circumvent or defeat the security features of system components. Penetration testing includes network and application testing as well as testing of the controls and processes around the networks and applications, and is performed both from outside the environment (external testing) and from inside the environment (internal testing).

PCI Self-Assessment Questionnaire (SAQ)

The PCI Self-Assessment Questionnaire (SAQ) is a validation tool that is primarily used by merchants to demonstrate ongoing compliance to the PCI-DSS. The University will provide Merchant Account Owners access to an approved, third-party portal to automate the Self-Assessment Questionnaire (SAQ) process. The University will communicate the due dates and administer logins to the approved SAQ portal on an annual basis.

Scope

This policy applies to all persons who come in contact with credit card data. It applies to any computing devices owned or leased by the University of Pennsylvania that store, transmit, or process credit card data over the Penn network (PennNet). It also applies to all third parties who process credit card data on behalf of a University-issued merchant account. The use of a PennCard as a debit card (PennCash) is not within the scope of this policy.

Statement of Policy

  • Penn requires Schools/Centers that accept credit cards to process payments on behalf of the University to comply with the requirements and obligations set forth in Sections B and C below. If you are establishing a merchant account for the University of Pennsylvania Health System (UPHS), you must refer to the UPHS PCI policy.
  • B. General Requirements
      • Schools/Centers using credit cards to process payments must ensure that:
        • Their credit card merchant accounts are approved by the Senior Business Leader for the School/Center and by the Office of the VP for Finance and Treasurer. A new credit card merchant account should not be requested without a full understanding of the responsibilities and alternatives of accepting funds on behalf of the University. Approval will generally be given only to those who have an anticipated annual credit card sales volume of approximately $100,000, unless otherwise documented and approved by the Office of the VP for Finance and Treasurer.
        • Management and employees who process or have access to credit card data are familiar with and are adhering to the applicable PCI-DSS requirements of the PCI Security Standards Council and have taken the annual University PCI course located in Workday Learning.
        • Senior Business Leaders in conjunction with the merchant account owners conduct an ongoing self-assessment against the PCI-DSS standards in the SAQ portal.
        • All employees involved in processing credit card payments shall electronically acknowledge a statement that they have read, understood, and agree to adhere to the Computer Security Policy, the Information Security Incident Response Policy (see Section D, References) and this policy.
        • Any proposal for a new process (electronic or paper) related to the storage, transmission or processing of credit card data must be brought to the attention of and be approved by the Office of the VP for Finance and Treasurer. This includes both internal processes and those of approved third-party vendors (See Appendix A) whose applications or software store or process credit card data on the University’s behalf.
        • If credit card data must be transmitted through University computers or across University networks, then a PCI-validated P2PE (Point-to-Point Encryption) solution should be utilized, so that cardholder data is encrypted in the payment terminal and is never available in cleartext on University systems or networks.
      • Any third parties processing credit card payments on behalf of the University must be approved by the Office of the VP for Finance and Treasurer in accordance with Section E.
      • Approved SAQ validation types. Only the following SAQ validation types, listed in Table 1 below, are allowed:
        • SAQ A* (card-not-present merchants that have fully outsourced all cardholder data functions to PCI-compliant third-party service providers)
        • SAQ B (merchants using imprint machines or standalone, dial-out terminals only, with no electronic cardholder data storage)
        • SAQ P2PE (merchants using hardware payment terminals included in a PCI-listed P2PE solution, with no electronic cardholder data storage)

    Use of any alternative SAQ Validation types must be approved, on a case-by-case basis, by the Office of the VP for Finance and Treasurer. Details on SAQ validation types can be found here: https://www.pcisecuritystandards.org/pci_security/completing_self_assessment.
    *SAQ A shall mean using a PCI-compliant service provider approved by the Office of the VP for Finance and Treasurer such that the credit card number is NOT entered into a web page of a server hosted on the Penn network, and the card data is not entered by University staff into a University computer or through a University network.

  • C. Compliance
    • Training: All merchant account users, and any other individuals involved in any way with the processing of credit/debit card transactions to accept or refund money for products or services on behalf of the University, are responsible for taking the University Payment Card Industry – Data Security Standards Workforce Education course located in Workday Learning annually.
    • Notification: The Office of the VP for Finance and Treasurer will notify departments of any upcoming trainings, changes to the SAQ portal and other PCI-DSS related updates.
    • Self-Assessment: The PCI-DSS Self-Assessment Questionnaire (SAQ) must be maintained by the merchant account owner and updated anytime a credit card related system or process changes or is added.
    • Remediation: Any systems or processes that do not meet the current version of the PCI-DSS requirements must be remediated to meet PCI-DSS standards. Merchant account owners are responsible for remediation and the Office of the VP for Finance and Treasurer is responsible for the final approval of the SAQ in the SAQ portal.
    • Attestation of Compliance: Upon completion of remediation efforts across the University’s Schools and Centers, the Office of the VP for Finance and Treasurer will submit the annual AOC to our acquiring bank.
    • Financial Implications: The department shall bear the costs associated with ensuring compliance with this policy and the PCI-DSS standards as well as any fines imposed by the payment card industry for non-compliance and any additional monetary costs associated with remediation, assessment, forensic analysis, fraudulent card activity or legal fees.
    • Review: Information Systems and Computing (ISC) is responsible for reviewing the Computer Security Policy and Information Security Incident Response Policy (listed in Section D) annually. The Office of the VP for Finance and Treasurer is responsible for reviewing the Credit Card Sales PCI Compliance policy annually and for conducting an appropriate awareness and training program.
    • Responsibility: Responsibility for compliance with this policy lies with the merchant account owner and the School/Center’s Senior Business Leader.
    • Enforcement: Compliance with this policy will be enforced by the Office of the VP for Finance and Treasurer, which will monitor the compliance of participating Schools/Centers by reviewing self-assessments in the SAQ portal.
  • D. References
  • E. Approved Vendor List
    The intent of the Office of the VP for Finance and Treasurer is to standardize the vendor relationships that handle credit card data on behalf of the University. Please contact the Office of the VP for Finance and Treasurer at dof-ccard@pobox.upenn.edu for a current listing of approved vendors. Any additional vendor relationships must be requested by the Senior Business Administrator and must be approved by the Office of the VP for Finance and Treasurer before any negotiations are started. Third-party relationships will only be considered for accounts with significant transaction volume.