This policy sets forth the guidelines for compliance with Payment Card Industry Data Security Standards (PCI DSS) and incident response in case of a breach of cardholder data on or off campus.
The purpose is to protect cardholder information from being exposed to unauthorized individuals.
This policy applies to all departments and organizations that process payment card transactions or work with 3rd party processors on or off campus.
IV. Terms and Definitions
V. Procedures and Guidelines
A. It is against Luther College Policy to store sensitive card information (full account number, type, expiration date, or track data) on any server, computer, flash drive or database.
B. Treat payment card receipts like you would cash.
C. Keep payment card data secure and confidential.
D. Restrict access to card data to “those who need to know”.
E. Documents containing cardholder data should be kept in a secure environment (e.g., a safe or locked file cabinet).
F. Cardholder data must be transmitted securely (i.e., encrypted).
G. Email is not an approved way to transmit credit card numbers.
H. Fax transmittal is not an approved way to transmit credit card numbers.
I. All media containing cardholder data must be destroyed when no longer needed for business or legal reasons.
J. Hardcopy media must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed.
K. Manual swipers or imprinters are not authorized for use.
L. Technology changes that affect payment card systems are required to be approved by the College Controller prior to being implemented.
M. Any new systems/software that process payment cards are required to be approved by the College Controller prior to being purchased.
N. Any agreement with a 3rd party processor for online sales needs to be approved by the College Controller prior to being entered into. The requesting department will need to show proof of due diligence and provide documentation that the 3rd party processor is PCI Compliant.
O. All staff and student workers that will have access to cardholder information will be required to read the Statement of Responsibility and sign the Statement of Responsibility Acknowledgement that will be kept on file at their respective departments. A copy of these forms can be accessed at http://hr.luther.edu/common forms/index.html
P. Computer systems that process payment cards must be behind a firewall.
Q. Use and regularly update antivirus software.
R. Assign a unique ID to each person with computer access.
S. Do not use vendor-supplied defaults for system passwords and other security parameters. Change system passwords at least once every six months.
T. Computer systems that process payment cards must have the ability to monitor and track access to network resources and cardholder data.
U. Report all suspected or known security breaches to the College Controller and Campus Security.
V. The Office for Financial Services will perform periodic audits of each department or organization that processes payment card transactions or works with 3rd party processors to ensure compliance with PCI DSS.
W. The Office for Financial Services and Library Information Services will complete a Self Assessment Questionnaire and Attestation of Compliance for each Luther merchant account on an annual basis.
X. The Office for Financial Services will be available to assist any department or organization to achieve PCI DSS Compliance.
VI. Incident Response Policy
A. Incident Identification
Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of incidents that an employee might recognize in their day to day activities include, but are not limited to,
B. Reporting an Incident
Campus Safety and Security should be notified immediately of any suspected or real security incident involving cardholder data:
C. Incident Response
Response can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery and root cause analysis resulting in improvement of security controls.
Contain, Eradicate, Recover and perform Root Cause Analysis.
1. Notify applicable card associations.
2. Alert all necessary parties. Be sure to notify:
a. Merchant bank
b. Local FBI Office
c. U.S. Secret Service
d. Local authorities (if applicable)
3. Perform an analysis of legal requirements for reporting compromises in every state where clients were affected. The following source of information must be used: http://www.ncsi.org/programs/lis/cip/priv/breach.htm
4. Collect and protect information associated with the intrusion. In the event that a forensic investigation is required, Campus Safety and Security will work with legal and management to identify appropriate forensic specialists.
5. Eliminate the intruder’s means of access and any related vulnerabilities.
6. Research potential risks related to or damage caused by intrusion method used.
D. Root Cause Analysis and Lessons Learned
Not more than one week following the incident, members of Campus Safety and Security and all affected parties will meet to review the results of any investigation to determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Review other security controls to determine their appropriateness for the current risks. Any identified areas in which the plan, policy or security control can be made more effective or efficient must be updated accordingly.
VII. Confidentiality and Record
The department or organization is responsible for the safekeeping of all cardholder information and for keeping it from being exposed to unauthorized individuals. This responsibility includes any monetary loss suffered by the college due to theft or improper use of payment card numbers and associated information.
Controller, Office for Financial Services
Accounting Manager, Office for Financial Services
Director, Information Systems