June 2016
revisedMay 2021
May 2024
Responsible OfficeTreasurer
Treasurer
The Office of the VP for Finance and Treasurer is responsible for issuing credit card merchant accounts and for overseeing policies and procedures regarding payment processing and adherence to information security policies, guidelines and standards. Information Systems and Computing (ISC) is responsible for the operation of Penn’s data networks (PennNet). The Office of the VP for Finance and Treasurer has the responsibility and authority to ensure that all merchant accounts and any related third-party payment processors adhere to the Payment Card Industry (PCI) requirements to protect cardholder data throughout the University. The Office of the VP for Finance and Treasurer is responsible for submitting the annual Attestation of Compliance (AOC) to the University’s acquiring bank.
The Senior Business Leader(s) in conjunction with the merchant account owners in each School/Center will be responsible for ensuring that their staff members complete the annual PCI training course, their merchant account(s) are PCI Compliant on a daily basis, and fill out a Self Assessment Questionnaire (SAQ) once per year.
The Payment Card Industry (including VISA, Master Card, AMEX, Discover and other major card issuers) has established important and stringent security requirements to protect credit card data. These are called the PCI Data Security Standards or “PCI-DSS.” These standards define the way in which credit card merchant accounts must protect cardholder data and achieve PCI compliance based on the method by which credit cards are processed. This policy is intended to be used in conjunction with the complete PCI-DSS standards as established and revised by the PCI Security Standards Council at: https://www.pcisecuritystandards.org/
This policy defines the responsibilities that merchant account owners and Senior Business Leaders have in assessing and validating compliance with PCI-DSS standards. It also establishes responsibility and accountability in the processing of credit card data, conducting the ongoing self-assessment of the merchant account and undertaking any remediation of processes associated with the transmission, storage or processing of credit card data. Upon review of the PCI self-assessments and any necessary remediation efforts by merchant account owners, the office of the VP for Finance and Treasurer will then complete and submit the annual AOC to the University’s acquiring bank that includes all University merchant accounts.
Without adherence to the PCI-DSS standards and this policy, the University would be in a position of unnecessary reputational risk and financial liability.
Departments who fail to comply are subject to:
A relationship set up by the Office of the VP for Finance and Treasury between the University and a bank in order to accept credit card transactions. The merchant account is tied to a general ledger account to distribute funds appropriately to the School/Center (owner) for which the account was set up.
For purposes of the PCI DSS, a merchant is defined as any School/Center that accepts payment cards bearing the logos of any of the five members of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payments cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers.
Merchant Account Owner
As defined by Penn: point of contact for the School/Center’s merchant account. This person is responsible for the completion of the Self-Assessment Questionnaire in the approved SAQ portal in conjunction with the Senior Business Leader. This should be a full time, exempt Penn employee approved by the Senior Business Leader.
Cardholder Data
At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
Primary Account Number (PAN)
Primary Account Number is the payment card number (credit or debit) that identifies the issuer and the particular cardholder account. It is also called Account Number.
Payment Card Industry Data Security Standard (PCI-DSS)
The PCI-DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council (PCI-SSC), including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI-DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
PCI Security Standards Council (PCI-SSC)
The Security Standards Council defines credentials and qualifications for assessors and vendors as well as maintaining the PCI-DSS.
Approved Scanning Vendor (ASV)
A company approved by the PCI-SSC to conduct external vulnerability scanning services.
Penetration Test
Penetration tests attempt to identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the environment (external testing) and from inside the environment.
PCI Self-Assessment Questionnaire (SAQ)
The PCI Self-Assessment Questionnaire (SAQ) is a validation tool that is primarily used by merchants to demonstrate ongoing compliance to the PCI-DSS. The University will provide Merchant Account Owners access to an approved, third-party portal to automate the Self-Assessment Questionnaire (SAQ) process. The University will communicate the due dates and administer logins to the approved SAQ portal on an annual basis.
This policy applies to all persons who come in contact with credit card data. It applies to any computing devices owned or leased by the University of Pennsylvania that store, transmit, or process credit card data over the Penn network (PennNet). It also applies to all third parties who process credit card data on behalf of a University-issued merchant account. The use of a PennCard as a debit card (PennCash) is not within the scope of this policy.
Use of any alternative SAQ Validation types must be approved, on a case-by-case basis, by the Office of the VP for Finance and Treasurer. Details on SAQ validation types can be found here: https://www.pcisecuritystandards.org/pci_security/completing_self_assessment.
*SAQ A shall mean using a PCI-compliant service provider approved by the Office of the VP for Finance and Treasurer such that the credit card number is NOT entered into a web page of a server hosted on the Penn network, and the card data is not entered by University staff into a University computer or through a University network.