Credit Card Payment Processing Security and Compliance with PCI-DSS Standards
This Practice Directive sets forth the guidelines and best practices for protecting credit card payment information as required by merchant banks and controls required by the Payment Card Industry Data Security Standard (PCI-DSS).
Purpose & Scope
SF State is committed to limiting the proliferation of sensitive data and maintaining the security of customer information, including payment cardholder information such as: payment card account number, expiration date, and payment cardholder verification number. To uphold this commitment, SF State follows the standards for protecting payment card information as required by merchant banks and the security controls required by the Payment Card Industry Data Security Standard (PCI-DSS).
To minimize exposure of sensitive payment information that could be misused for unauthorized transactions or used to execute identity theft, SF State requires the following:
- SF State entities (also known as university merchants) accepting credit cards on line, in person or over the phone are required to obtain pre-approval by the Bursar’s Office, UCorp, Procurement and the Information Security Office before accepting transactions. All merchant accounts for processing credit cards must be registered with SF State Fiscal Affairs, Bursar’s Office or UCorp. This is to ensure that all requirements for credit card processing systems, including but not limited to, establishing a new merchant account, setting up credit card equipment, and processing transactions, etc., are compliant with PCI-DSS. Also, this will ensure that all depository requirements and interfaces are satisfactorily met.
- All payment card transactions must use 3rd party vendor services. Payment card data may NOT be transmitted, processed or stored on SF State owned infrastructure.
- SF State currently contracts with Cashnet for electronic bill presentment and payment card processing services. Fee information and payments can be found here: https://bursar.sfsu.edu/Student-Services/payment-methods#cc
- University personnel, including but not limited to full-time and part-time employees, student workers, temporary employees, contractors and consultants who are “resident” on campus or otherwise have access to cardholder data environments are required to take annual PCI-DSS security training and follow security procedures to protect payment card information.
- SF State maintains a PCI-DSS Council Charter that outlines roles and responsibilities for campus stakeholders to maintain PCI-DSS program compliance.
- A university merchant must ensure any credit card equipment purchased, leased or supplied from vendors is PCI compliant and approved or otherwise endorsed by their merchant bank and/or payment processor and maintain evidence that it has been approved or endorsed. The Technology Acquisition Review (TAR) process should be used to obtain security and accessibility reviews and approvals for credit card equipment acquisitions. The Bursar’s Office or UCorp approval is also required and should be submitted with the TAR.
Compliance with PCI-DSS Standards
SF State complies with PI-DSS standards, as defined below:
The SF State Information Security Office maintains and disseminates this practice directive; reviews it annually as defined in the PCI-DSS Council Charter, and updates it when the environment changes.
SF State publishes guides and procedures for using critical technologies to define their proper use by all personnel, including roles and responsibilities. These include:
- Remote Access
- Secure Storage
- Mobile Devices
- CSU Responsible Use Policy
- Using Multi-Factor Authentication
SF State maintains a PCI Council and PCI-DSS Council Charter to oversee compliance activities and provide guidance in regard to PCI-DSS standards.
The SF State Information Security Office is responsible for monitoring, distributing and analyzing security alert and vulnerability information for SF State owned infrastructure. In addition, the SF State Information Security Office maintains the information security incident response plan and associated incident roles and responsibilities document. All account management functions, such as provisioning and de-provisioning are authorized through appropriate access management teams on campus with approval from data owners. Access to critical systems is audited annually.
SF State has a formal security awareness program to make all personnel aware of security policies and procedures, this includes: regular phishing exercise tests, just-in-time awareness messages/campaigns, and specialized PCI-DSS training for those that have access to cardholder data environments that is required upon starting their role and annually thereafter.
SF State Human Resources (HR) follows personnel hiring screening requirements set forth by CSU that includes background checks for personnel that are expected to have access to Level 1 information.
SF State manages service providers that process cardholder data. A PCI service provider inventory is maintained by the PCI Council. The SF State Procurement Office maintains a list of PCI service provider contracts and applies IT Supplemental provisions to each contract/agreement to meet PCI-DSS compliance obligations. In some cases, contracts will include specific guidance on how the provider validates their PCI-DSS compliance and what evidence they will provide to SF State. As part of the annual campus SAQ/AOC process, SF State will monitor service providers’ compliance with the PCI-DSS standards.
SF State requires all service providers acknowledge in writing their responsibility for the security of cardholder data that they possess or otherwise store, process, or transmit on behalf of the customer, or to the extent they could impact the security of the customer’s cardholder data environment.
SF State contractually requires each service provider to maintain an incident response plan and to provide notification within 24-hours of discovery. In addition, SF State maintains a security incident response plan and associated incident roles and responsibilities document.