Kenyon College Credit Card Merchant Policy
Policy: Credit Card Merchant Policy
Approval Date: August 31, 2014
Source: PCI Compliance Group (Steve Martin, Associate Director of Enterprise Systems; Niranjan Davray, Director of Information Technology Services; Jessica Ryals, Assistant Controller; Bonnie Yarman, Fiscal Accountant)
Purpose: To establish a policy and procedures for Kenyon credit card processing consistent with PCI-DSS
The Payment Card Industry Data Security Standard (“PCI-DSS”) was established by the credit card industry in response to increasing identity theft and credit card fraud. Requirements of the standard include controls for handling credit card data, computer and internet security, and an annual self-assessment questionnaire. Noncompliance with this standard may result in Kenyon’s inability to process credit card payments.
The PCI Data Security Standard contains 12 requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software and programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Kenyon College will comply with the above standards through the procedures below.
Employee Access & Training
Employees requiring credit card handling by the nature of their positions will only be granted access to the credit card processing devices and information required to complete their job-related tasks. LBIS maintains security logs and will grant access to authorized individuals. No additional services will be installed on POS devices handling credit card information, and all default passwords will be changed. Remote-access technologies will automatically disconnect after a maximum of 30 minutes of inactivity. On an annual basis, all employees handling credit card information / processing must attend an online course in PCI-DSS compliance provided through Trustwave. Authorized merchant users may obtain information on available training from the PCI Compliance Group.
Authorized merchant users must obtain daily Transaction Detail and Transaction Statistics reports from the machine/software/website and submit them to the Accounts Receivable Coordinator at least weekly. Reports for the end of the month must be submitted to the Accounts Receivable Coordinator by the 3rd working day of the following month.
A monthly reconciliation should also be completed to ensure that all daily transactions have been submitted to accounting. This reconciliation should be submitted to the Fiscal Accountant by the 3rd working day of the following month.
Authorized merchant users must collaborate with a member of the PCI Compliance Group to complete the required Self-Assessment Questionnaire (“SAQ”) prior to accepting credit cards. The SAQ must be completed at least annually thereafter, or more frequently in the case of a significant change to a business process or system application. The Associate Vice President for Finance will review and approve the SAQs for submission.
Authorized merchant users should make it a practice not to retain sensitive cardholder data. Limit storage amount and retention time to that which is required for legal or regulatory purposes. No credit card data should be stored on laptops, PCs, or mobile devices. Paper files with credit card information that must be retained for legal/regulatory purposes should be stored in a secure on-site area for 18 months to 3 years, with recommended disposal after a maximum of 3 years. Any paper containing credit card data must be shredded prior to disposal.
Any known or suspected compliance issues should be reported immediately to a supervisor and/or the PCI Compliance Group (firstname.lastname@example.org). Reported incidents will be considered by the Group and if necessary brought to the attention of Senior Staff and/or relevant authorities within two business days of the report.
In the case of disputed charges, payment processors will notify authorized merchant users. The authorized merchant users must provide the bank with written proof of the customer’s authorization. Frequent issues with disputed charges should be reported to the PCI Compliance Group at email@example.com due to potential customer fraud.
Any refunds must only be credited to the credit card account from which the initial purchase was made. Under no circumstances will cash refunds be issued for credit card payments.
Quarterly scans are monitored by the PCI Compliance Group as they are completed, and corrective action is taken for any vulnerabilities identified. Annually, the PCI Compliance Group facilitates completion of the SAQs and the updating of this policy as necessary.
Exhibit 1 – General Guidelines for Credit Card Processors
- Do not transmit cardholder data by email or fax
- Do not store credit card data for repeat customers on paper in an unsecured area
- Do not store PIN or CVV2/CVC2/CID numbers
- Do not electronically store on College servers any unencrypted credit card data
- Do not electronically store any credit card data on laptops, PCs, or mobile devices
- Do not share user IDs for systems access
- Never acquire or disclose any cardholder’s data without the cardholder’s consent
You should DO the following:
- Store all physical documents containing credit card data in locked drawers or locked file cabinets
- Change vendor-supplied or default passwords
- Create strong passwords in compliance with Kenyon policy
- Destroy any media containing credit card information prior to disposal
- If you receive unencrypted emails from customers with credit card data, notify the customers that they should no longer send this information via email and delete the emails immediately. You should also notify the PCI Compliance group (firstname.lastname@example.org)