Administrative Policies
University Policy Number 2110
Subject: Credit and Debit Card Security
Responsible Parties: Fiscal Services, Information Technology Unit, All Heads of Departments and Activities
Procedures: Request for Verification of Technical Controls
Related Policies: Data Stewardship Policy 1114, Public Internet Address Policy 1304, Review of Data Internal Controls Policy 2103, Cash Handling Policy 2105, and Criminal Background Investigations Policy 2221
I. SCOPE
This policy applies to all George Mason University faculty, staff, students, organizations and individuals who, on behalf of the University, handle electronic or paper documents associated with credit or debit card receipt transactions or accept payments in the form of credit or debit cards. The scope includes any credit or debit card activities conducted at all George Mason University campuses and locations.
II. POLICY STATEMENT
University departments may accept credit and debit cards as a form of payment for goods and services provided, after receiving advance written approval from the Associate Vice President and Controller in accordance with the University Cash Handling Policy 2105 and following the objectives set forth in this policy.
This policy addresses Payment Card Industry (PCI) Security Standards that are contractually imposed by VISA and MasterCard on merchants that accept these cards as forms of payment. The policy covers the following specific areas contained in the PCI Security Standards related to cardholder data: collecting, processing, transmitting, storing, and disposing of cardholder data.
Procedures must be documented by authorized departments and be available for periodic review. Departments seeking final authorization must ensure that the following objectives are met:
1. Cardholder data collected is restricted only to those users who need it to perform their jobs.
2. Cardholder data, whether collected on paper or electronically, is protected against unauthorized access.
3. All equipment used to collect data is secured against unauthorized use in accordance with the PCI Data Security Standard.
4. Physical security controls are in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment or documents containing cardholder data.
5. Cardholder data is not processed, stored or transmitted using the University’s network unless the ITU Security Office has verified the technical controls, including firewalls and encryption, in accordance with the PCI Data Security Standard. [See Procedures].
6. Databases do not store either the full contents of any track from the magnetic stripe or the card-validation code.
7. Portable electronic media devices should not be used to store cardholder data. These devices include, but are not limited to, the following: laptops, compact disks, floppy disks, USB flash drives, personal digital assistants, and portable external hard drives.
8. Cardholder data is deleted or destroyed before it is disposed. Paper documents should be shredded, and computer drives erased, degaussed, or physically destroyed in accordance with the Commonwealth’s Information Technology Resource Management Standard for Removal of Commonwealth Data from Surplus Computer Hard Drives and Electronic Media.
III. DEFINITIONS
Cardholder: The customer to whom a credit card or debit card has been issued or the individual authorized to use the card.
Cardholder data: All personally identifiable data about the cardholder gathered as a direct result of a credit or debit card transaction (e.g. account number, expiration date, etc.).
Card-validation code: The three-digit value printed on the signature panel of a payment card used to verify card-not-present transactions. On a MasterCard payment card this is called CVC2. On a Visa payment card this is called CVV2.
Credit or Debit Card Receipt Transactions: Any collection of cardholder data to be used in a financial transaction whether by facsimile, paper, card presentation or electronic means.
Database: A structured electronic format for organizing and maintaining information that can be easily retrieved. Simple examples of databases are tables or spreadsheets.
Encryption: The process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key. Use of encryption protects information from unauthorized disclosure between the encryption process and the decryption process (the inverse of encryption).
Firewall: Hardware and/or software that protect the resources of one network from users on other networks. Typically, an enterprise with an intranet that allows its workers access to the wider Internet must have a firewall to prevent outsiders from accessing its own private data resources.
Magnetic Stripe Data (Track Data): Data encoded in the magnetic stripe used for authorization during a card present transaction.
Network: A network is defined as two or more computers connected to each other so they can share resources.
IV. RESPONSIBILITIES
Fiscal Services: The Accounting Director for Internal Controls is responsible for the periodic reviews of departmental procedures and practices in connection with credit and debit card receipt transactions. Results will be reported to the Associate Vice President and Controller.
Information Technology Unit (ITU): The Information Technology Unit is responsible for regularly monitoring and testing the Mason network. The ITU will coordinate the University’s compliance with the PCI Standard’s technical requirements and verify the security controls of systems authorized to process credit cards.
Heads of departments and activities: Department heads are responsible for documenting departmental procedures and for ensuring that credit and debit card activities are in compliance with this policy. Departments will be responsible for any fines levied against the University that result from noncompliance by the department.
V. COMPLIANCE
The Associate Vice President and Controller will terminate credit and debit card collection privileges for any department not in compliance with this policy.
VI. EFFECTIVE DATE AND APPROVAL
The policies herein are effective November 1, 2006. This policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University's fiscal year, unless otherwise noted.
Approved:
_______________________
Maurice W. Scherrens
Senior Vice President
________________________
Peter N. Stearns
Provost
Date approved: December 13, 2006