Processing and Security Policy (PCI Compliance)

Responsible office
Finance & Administration
Responsible party
Senior VP for Finance & Administration
Last revision
September 2021
Approved by
The Cabinet
Approval date
September 2021
Effective date
October 2021
Last review
September 2021
Additional references

Scope

All financial and administrative policies involving community members across campus, including volunteers, are within the scope of this policy. If there is a variance between departmental expectations and the common approach described through college policy, the college will look to the campus community, including volunteers, to support the spirit and the objectives of college policy. Unless specifically mentioned in a college policy, the college’s Board of Trustees are governed by their Bylaws.

Policy

This policy applies to all, faculty, and staff of Colorado College who process and manage technology that is related to the handling of cardholder data or who oversee employees that have access to authentication data related to cardholder information. This means that the institution's PCI scope will include any department or group on campus that receives, processes, stores, or transmits cardholder data or has cardholder data collected and processed on its behalf by a third-party entity. These users are responsible for reading, understanding, and complying with this policy.

If there is variance between departmental expectations and the common approach described through college policy, the college will look to the campus community, volunteers and the Board of Trustees to support the spirit and the objectives of college policy.

PURPOSE

The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identity theft and credit card fraud.  PCI‐DSS is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.  As a merchant who handles credit card data, Colorado College is responsible for safeguarding credit card information and adhering to the standards established by the PCI‐DSS.  This includes establishing policy and setting up controls with regard to handling credit card data, computer and internet security related to credit card processing and annually completing a self‐assessment questionnaire.

The purpose of this policy is to define requirements for accepting and processing payment cards in the course of College business that will protect customers’ credit card data, uphold the College’s reputation and minimize the risk of financial costs associated with a breach of credit card information. Colorado College requires that all departments that process, store or transmit credit card data remain in compliance with the Payment Card Industry Data Security Standards at all times.

Failure to comply with the security requirements or to rectify a security issue may result in fines levied by the merchant bank starting at $50,000 and/or restrictions on the merchant account. Consequences for non‐compliance are severe. Therefore, Colorado College mandates that all departments and employees comply.

1. Every Colorado College department accepting payment cards is subject to the Payment Card Industry Data Security Standards (PCI DSS).

2. Information Technology Services (ITS) is responsible for building and maintaining a secure network, including installing and maintaining a firewall configuration to protect data and assuring vendor‐supplied passwords are changed prior to installing a system on the network. Information Technology Services will ensure that all routers, switches, wireless access points and firewall configurations are properly secured.  

3. Information Technology Services will assure strong cryptography and security protocols are in place for transmission of cardholder data across open, public networks. P2P encryption is required for transmission of cardholder data through the terminals. Transmitting cardholder data by end‐user technologies (e.g., e‐mail, instant messaging or chat) is prohibited.

4. Information Technology Services is responsible for maintaining a vulnerability management program that includes use and regular update of anti‐virus software/programs and developing/maintaining secure systems and applications.

5. Information Technology Services is responsible for regular testing of security systems and processes. This includes running internal vulnerability scans quarterly. External scans are performed by TrustWave.

6. Finance Office will provide training to all the departments to ensure they are able to accept and process credit card payments in compliance with Colorado College’s policy.

7. Outsourcing, or the use of third party providers, must be preapproved in writing by the Finance Office prior to the execution of any agreement. All third party providers must meet the standards set forth by the Payment Card Industry Data Security Standard (PCI DSS) and be certified.  This certification must be obtained before the vendor is contracted and must be reaffirmed annually.

8. Finance Office will verify annually that third party payment applications are compliant and, if applicable, on the Payment Application Best Practice (PABP) list.

9. Access to cardholder data is restricted to those staff members who are responsible for processing or transmitting this data. Staff members accessing cardholder data physically/electronically will have to be approved by the Department heads as well as the Finance Office. Staff members approved to access and process this data will be asked to complete PCI Compliance training and testing and will be granted access to these functions on completion of training, using only their unique password.

10. Departments are prohibited from any electronic storage of cardholder data. All paper storage should contain only account numbers masked to display the last 4 digits of the account. No department should store card validation codes, expiration dates, PINs, or full data from a card’s magnetic stripe.

11. Employees are prohibited from use of remote‐access technologies, wireless technologies, and storage of credit card data on any type of removable electronic media, laptops, personal data/digital assistants or email to transmit or process credit card data.

12. Paper copies of credit card data, retained for reconciliation purposes, must be stored in a secured and locked area. Departments are prohibited from transmitting credit card data by fax, e‐mail, college wired/wireless network (without proper configuration), or in unsealed envelopes through campus mail, as these are not secure transmission methods. Cardholder data should only be accepted by telephone, mail, or in person and never via email or transmitted on electronic forms. Best practice suggests not writing credit card data on paper, but in case of emergency, if such information needs to be written, it should be shredded immediately after the transaction has been authorized by the credit card company. If it is necessary to hold this paperwork for a short period as it is processed, it must be stored in a secured and locked area.

13. Colorado College currently accepts American Express, Discover, MasterCard and VISA cards. Departments are authorized to accept only credit cards approved by the Finance Office.  The Finance Office must first approve any addition of merchant accounts or changes to existing merchant accounts.  Purchasing, selling or discarding a terminal; purchasing software with any kind of credit card processing capabilities; or selecting/changing a service provider that has credit card processing capabilities must first be approved by the Finance Office.

14. Once notified of a possible/suspected breach, the Finance Office and Information Technology Services will be responsible for reporting the incident to all the relevant stakeholders and for maintaining network security. This will include notifying the credit card company(s).

15. Information Technology Services will annually review their network security policy. All merchant IDs will be annually reviewed for compliance using a Self‐Assessment Questionnaire (SAQ). Any updates will be shared with the Finance Office.

POLICY REVIEW

This security policy will be reviewed annually or as deemed necessary by ITS Security and the Finance Office, given a specific event or change in the College’s environment.

Procedures

Definitions

Cardholder Data

Cardholder Data represents any personal information of the cardholder. This may be an account number, expiration date, name, address, telephone number, social security number, card validation number (CVC), or any other identifying cardholder information.

Data Security Standards

Standards developed by the Payment Card Industry council that include controls for secure handling of sensitive consumer information to assure consumers their credit card brands are reliable and secure.  

Merchant  

An organization, department, institution or unit that accepts credit cards as a method of payment for goods, services, information, or gifts.

Merchant Account

An account established for a unit by a bank to credit sale amounts and debit processing fees. 

Payment Card Industry (PCI)

A group formed by the credit card industry (Visa, MasterCard, Discover and American Express) to establish Data Security Standards (DSS) for the industry.  https://www.pcisecuritystandards.org/ 

Policy Compliance Training and Agreement    

The PCTA is a validation tool, primarily used by merchants to enable PCI DSS compliance.

Senior Stakeholders of College

The senior stakeholders include but are not limited to:

Vice President – Information Technology Services (ITS)
Associate Vice President - HR
Senior Vice President – Finance & Administration
Last updated: 11/01/2021