Payment Card Merchant Security Policy

Policy Approval Authority: President
Responsible Division: Division of Administration and Finance
Responsible Officer(s): Associate Vice President Finance and Treasury
Contact Person: Shyree Sanan
Primary Audience: Faculty, Staff
Status: Active
Last Review Date: 06-10-2021
Policy Category/Categories: Finance / Risk Management

Purpose

Northern Illinois University (NIU) Merchant Services is managed in Finance and Treasury within the Division of Administration and Finance. Finance and Treasury coordinates payment card acceptance for the university. Payment card acceptance includes MasterCard, VISA, Discover, and American Express credit cards as well as bank-issued debit cards. Finance and Treasury is responsible for overseeing and approving all payment card processing. In addition, the department acts as the liaison between university merchant departments who process payment card transactions for the sale of goods and/or services and the university’s payment card processors. Methods for processing payment card transactions include point-of-sale terminals, internet e-commerce solutions, and various third-party software applications.

Scope

Any NIU employee, contractor, consultant or agent who, in the course of doing business on behalf of NIU, is involved in the acceptance of credit card data, handles cardholder data, and/or is involved in the acceptance of electronic payments is subject to this policy.

Policy

Finance and Treasury and the Office of Information Security manage the university’s Payment Card Industry Data Security Standard (PCI DSS) compliance program, consult with prospective and existing merchant departments, set up new campus merchants, provide guidance, training and troubleshooting assistance related to payment card processing, offer security awareness training which includes best practice recommendations for protecting sensitive data, and monitor adherence to the Payment Card Merchant Security Policy. Campus credit card merchants must comply with PCI DSS, complete annual self-assessment questionnaires, and attest to their PCI DSS compliance each year. Merchants shall be responsible for costs associated with PCI DSS compliance as well as any fines or other fees associated with their non-compliance. All NIU employees working with credit cards must read and abide by the conditions of this policy.

Approval from Finance and Treasury or its designee is required before a credit card merchant account can be established. Departments must inform Finance and Treasury of their need to become a merchant, complete a Merchant Request form, and return it to Finance and Treasury for review and approval prior to engaging in any credit card merchant activity. Those departments wishing to use e-commerce solutions must undergo a Credit Card Merchant Security Assessment conducted by the Division of Information Technology’s Office of Information Security prior to the purchase of third-party software or engaging in any contractual services.

Any technology-based equipment used in the processing of card and/or electronic payment transactions will be designated as an asset of the merchant department under the custodianship of the responsible officer for property control. Additionally, while a department may maintain local administrative rights to specific servers and processing equipment, an administrative account will be configured for central IT support.

Merchant Requirements and Approval

  1. Merchants must receive approval from Finance and Treasury to process credit card payments and/or before entering into any contracts or purchases of software and/or equipment related to credit card processing.
  2. Employees shall not use vendor-supplied defaults for system passwords. Also, group, shared, or generic accounts and passwords are prohibited.
  3. Employees must complete PCI security training prior to working with PCI data and systems.
  4. Ecommerce merchants who input card information directly into their payment application, for example, for mail orders and/or telephone orders, are required to use secure PCs designated for that single purpose.
  5. Merchants must notify Finance and Treasury of system changes, software upgrades and personnel changes related to credit card processing.
  6. Ecommerce merchants must provide the Office of Information Security with all public IP addresses used in the processing and/or transmitting of credit card data for the purpose of performing required external scans.
  7. Ecommerce merchants agree to provide the Office of Information Security complete system details and undergo a systems security validation performed by university assigned IT specialists prior to the installation of a new system, during system upgrades, and at random intervals as appropriate.
  8. The Office of Information Security and Finance and Treasury have adopted P2PE (point-to-point encryption) as the standard for credit card transactions. New systems and POS (point of sale) devices should support this standard.
  9. Systems and point of sale devices must be placed on the PCI network segment. Exceptions may be requested for P2PE devices.
  10. Merchants are required to obtain an Attestation of Compliance (AOC) annually from their third-party service providers and keep it on file for audit purposes. A third-party service provider’s failure to provide an annual AOC must be immediately reported to the Chief Information Security Officer and Controller.
  11. Credit card numbers must not be transmitted in an insecure manner, such as by email, instant messaging, unsecured or stored fax, or through campus mail. When physically transporting credit card data across campus, the information should be in an envelope marked “Confidential” and accurately tracked.
  12. Printing and scanning cardholder information is not permitted using Anywhere Prints.
  13. It is prohibited to store sensitive cardholder data [i.e., full account number, expiration date, PIN, and card validation value] in any university system and/or departmental server, third-party software, personal computer, cash register system, e-mail account, portable electronic device (including, but not limited to, laptop, flash drive, floppy disc, CD, PDA, and external or portable hard drive), or on paper.
  14. Employees shall not disclose or acquire any information concerning a cardholder’s account without the cardholder’s consent.
  15. The entire credit card number must not be printed on either the merchant copy or customer copy of any receipts or reports. Documents with the entire credit card number should have all but the last four digits redacted (blacked out) or be shredded with a cross-cut shredder.
  16. Employees who handle or have access to credit card data are required to participate annually in online credit card security training provided by the Office of Information Security.

Maintain a Vulnerability Management Program

  1. Anti-virus software must be installed and remain current on all systems directly processing and/or transmitting credit card transactions.
  2. Anti-virus software must be installed and remain current on all systems connected to systems that process and/or transmit credit card transactions.
  3. Software applications must be developed according to industry best practices and in accordance with PCI DSS requirements.
  4. All systems directly processing and/or transmitting credit card transactions must comply with the vulnerability and patch management policy.
  5. All systems connected to systems that process and/or transmit credit card transactions must comply with the vulnerability and patch management policy.
  6. All systems directly processing and/or transmitting credit card transactions must undergo regular internal and external vulnerability scans. Vulnerabilities that cannot be directly eliminated will be mitigated through compensating controls.

Implement Strong Access Control Measures

  1. All documentation containing card account numbers must be stored in a secure environment until processed. Secure environments include locked drawers and safes, with limited access to only individuals who are processing the credit card transaction.
  2. Processing should be done as soon as possible and the credit card number should immediately be redacted to the last four digits or that portion of the form be removed and shredded. Also, the card expiration date must be masked. Do not retain card validation values (CVV codes) from backs of cards.
  3. All media used for credit cards must be destroyed when it is no longer needed for business or legal reasons. All hardcopy must be shredded with a cross-cut shredder prior to disposal.
  4. Background checks must be performed prior to the hiring of any positions with access to cardholder information.
  5. The merchant department must assign an individual to administer the control of login privileges, limit software access to secure locations, and promptly remove software access for terminated employees and for employees whose responsibilities have changed. Access to system components and cardholder data must be limited to those individuals whose jobs require specific access. Assignment of privileges may be based on job classifications or functions and requires written approval of management that specifies the required privileges.

Maintain an Information Security Policy

  1. Departmental procedures must be established for safeguarding cardholder information and securing storage of data. This pertains to ALL transactions initiated via the telephone, over the counter, mail order, Internet, etc.
  2. All third parties with access to cardholder data are contractually required to adhere to PCI DSS requirements and provide proof of PCI certification to the merchant department. Written agreements must include the service provider’s statement of responsibility regarding the security of cardholder data that is processed, transmitted, and/or stored on its system.
  3. Suspected compromise or theft of credit card data must be immediately reported to the Chief Information Security Officer and Controller.

Compliance

Departments not complying with approved safeguarding, storage, processing, transmitting and administrative procedures put University assets and reputation at risk. Departments failing to comply with this policy may lose the privilege to serve as a credit card merchant.
