Treasury Operations Payment Card Merchant Security Policy

Purpose

Northern Illinois University (NIU) Merchant Services is a unit of Treasury Operations within the Division of Finance. NIU Merchant Services coordinates payment card acceptance for the University. Payment card acceptance includes MasterCard, VISA, Discover and American Express credit cards, and debit cards. NIU Merchant Services is responsible for overseeing and approving all payment card processing. More specifically, NIU Merchant Services acts as the liaison between University merchant departments who process payment card transactions for the sale of goods and/or services and the University’s payment card processors. Methods for processing payment card transactions include point-of-sale card swipe terminals, internet e-commerce solutions, and various third-party software applications.

Scope

NIU Merchant Services manages the University’s Payment Card Industry Data Security Standard (PCI DSS) compliance program, consults with prospective and existing merchant departments, sets up new campus merchants, provides guidance, training and troubleshooting assistance related to payment card processing, offers awareness training which includes best practice recommendations in protecting sensitive data, and monitors adherence with the University’s Payment Card Merchant Security Policy. Campus credit card merchants must comply with Payment Card Industry Data Security Standards, must complete annual self-assessment questionnaires, and must attest to their PCI DSS compliance. Merchants shall be responsible for costs associated with PCI DSS compliance as well as any fines or other fees associated with their non-compliance. All Northern Illinois University employees working with credit cards must read and agree to the conditions of this policy.

Approval from NIU Merchant Services is required before a credit card merchant account can be established. Departments must inform NIU Merchant Services of their need to become a merchant, and complete a Merchant Request form and return it to Treasury Operations for review and approval prior to engaging in any activity. Those departments wishing to use e-commerce solutions must undergo a Credit Card Merchant Security Assessment conducted by the Division of Information Technology prior to the purchase of third party software or engaging in any contractual services. Departments not complying with approved safeguarding, storage, processing, transmitting and administrative procedures will lose the privilege to serve as a credit card merchant.

Any technology-based equipment used in the processing of card and/or electronic payment transactions will be designated as an asset of NIU Merchant services. Additionally, while a department may maintain local administrative rights to specific servers and processing equipment, an administrative account will be configured for central IT support.

Any NIU employee, contractor, consultant or agent who, in the course of doing business on behalf of the University, is involved in the acceptance of credit card data, handles cardholder data information, and/or is involved in the acceptance of electronic payments is subject to this policy.

Policy

1. Approval must be obtained from the Department of Treasury Operations to process credit card payments and/or before entering into any contracts or purchases of software and/or equipment related to credit card processing.
2. Employees shall not use vendor-supplied defaults for system passwords. Also, group, shared, or generic accounts and passwords are prohibited.
3. Ecommerce merchants who input card information directly into their payment application, for example, mail orders and/or telephone orders, are required to use secure PC’s designated for that single purpose.
4. Merchants must notify Treasury Operations of software upgrades and personnel changes related to credit card processing.
5. Ecommerce merchants must provide Treasury Operations with all outward facing IP addresses used in the processing and/or transmitting of credit card data for the purpose of performing required external scans.
6. Ecommerce merchants agree to a systems security validation performed by University assigned IT specialists prior to the installation of a new system, during system upgrades, and at random intervals as appropriate.

Procedure

1. Credit card numbers must not be transmitted in an insecure manner, such as by email, IM’s, unsecured or stored fax, or through campus mail. When physically transporting credit card data across campus, the information should be in an envelope marked “Confidential” and sent by a delivery method that can be accurately tracked and trusted.
2. It is prohibited to store sensitive cardholder data [i.e., full account number, expiration date, PIN, and card validation value] in any University system and/or departmental server, third-party software, personal computer, cash register system, e-mail account, portable electronic device (including, but not limited to, laptop, flash drive, floppy disc, CD, PDA, and external or portable hard drive), or on paper.
3. Employees shall not disclose or acquire any information concerning a cardholder’s account without the cardholder’s consent.
4. The entire credit card number must not be printed on either the merchant copy or customer copy of any receipts or reports. Old documents with the entire credit card number should have all but the last four digits redacted (blacked out) or be shredded with a cross-cut shredder.
5. Employees who handle or have access to credit card data are required to annually participate in online credit card security training provided by NIU Merchant Services.

Maintain a Vulnerability Management Program

1. Anti-virus software must be installed and remain current on all systems directly processing and/or transmitting credit card transactions.
2. Anti-virus software must be installed and remain current on all systems connected to systems that process and/or transmit credit card transactions.
3. Software applications must be developed and based on industry best practices, all of which shall be in accordance with PCI DSS requirements.

Implement Strong Access Control Measures

1. All documentation containing card account numbers must be stored in a secure environment until processed. Secure environments include locked drawers and safes, with limited access to only individuals who are processing the credit card transaction.
2. Processing should be done as soon as possible and the credit card number should immediately be redacted to the last four digits or that portion of the form be removed and shredded. Also, the card expiration date must be masked. Do not retain card validation values (CVV codes) from backs of cards.
3. All media used for credit cards must be destroyed when it is no longer needed for business or legal reasons. All hardcopy must be shredded with a cross-cut shredder prior to disposal.
4. Background checks must be performed prior to the hiring of any positions with access to cardholder information.
5. e. The merchant department must assign an individual to administer the control of log-in privileges, limit software access to secure locations, and delete access to software for terminated employees and those employees whose responsibilities have changed. Access to system components and cardholder data must be limited to those individuals whose jobs require specific access. Assignment of privileges may be based on job classifications or functions and requires written approval of management that specifies required privileges.

Maintain an Information Security Policy

1. Departmental procedures must be established for safeguarding cardholder information and securing storage of data. This pertains to ALL transactions initiated via the telephone, over the counter, mail order, Internet, etc.
2. All third parties with access to cardholder data are contractually required to adhere to PCI security requirements and provide proof of PCI certification to the merchant department and/or Treasury Operations. Written agreements must include the service provider’s statement of responsibility regarding the security of cardholder data that is processed, transmitted, and/or stored on its system.
3. Suspected compromise or theft of credit card data must be immediately reported to the Director of Treasury Operations.