Office of the Controller
7 Lebanon Street, Suite 302, Hanover, New Hampshire 03755
603-646-3011
Merchant Services and PCI Compliance Policy
http://www.dartmouth.edu/~control/policies/

Policy Owner: Controller's Office
Administering Departments serving on the Merchant Services Committee: Controller's Office, Information Security, Institutional Accounting, Risk Management, and Treasury
Last Revision: June 6, 2018

Policy Sections:
1. Overview
2. Dartmouth College Merchant Services Policy
3. Dartmouth College Procedures
4. Payment Card Industry Data Security Standard (PCI DSS)
5. Dartmouth College PCI DSS Confidentiality/Non-Disclosure Statement
1. Overview
Dartmouth College Merchant Services Mission

Dartmouth College has established a Charter to monitor regulatory statutes and contractual obligations specific to the Payment Card Industry Data Security Standard (PCI DSS), merchant services, and electronic commerce (e-Commerce). The purpose of the Dartmouth College Merchant Services Policy is to maximize the security of our customers' card data, protect Dartmouth's reputation, avoid the financial costs associated with a breach of card information, and outline best practices in all aspects of handling cardholder data.

Dartmouth Compliance and Ethics Hotline

Faculty, staff, or students may report PCI compliance problems through standard management channels, beginning with their immediate supervisor. Alternatively, inquiries or reports may be addressed to EthicsPoint: http://www.dartmouth.edu/~rmi

Risk and Internal Controls Services provides independent risk-based audit, consulting, and operational services to protect and enhance organizational value in support of the mission of Dartmouth College.

Entities Affected By This Policy: Who Should Read This Policy?

Anyone that conducts Dartmouth College business and is affiliated with the acceptance of payment cards as a form of payment.
2. Dartmouth College Merchant Services Policy

Dartmouth College has signed a contractual agreement with Chase Paymentech as its primary credit card processor. Dartmouth therefore has an obligation to this Merchant Service Provider, and individuals seeking any other resource for payment card acceptance and processing are not permitted to do so under our contractual agreement with Chase.

Any department that chooses to accept payment cards as a form of payment must first seek the approval of the Controller's Office. The Controller's Office will review all Merchant Account Requests for acceptance of cards and will make a determination of approval based on the information provided on the Merchant Account Request Form.

PCI Training is mandated for any individual that is conducting Dartmouth College business and is involved in any aspect of processing credit cards. This includes, but is not limited to, acceptance of credit/debit/stored value cards, reconciliation of card revenue and expense, and the use of reporting tools reflecting credit card data.

For on-line credit card acceptance, Dartmouth College has approved the following PCI compliant Payment Application Gateways: JPMorgan Chase, Authorize.Net, and PayPal. If you choose any option other than those listed above, you must have the approval of the Controller's Office.

For terminal credit card acceptance, Dartmouth College has approved the following equipment: Verifone VX520, VX680, MagTek eDynamo, EMV Mobile Reader (Chase Mobile Checkout), Ingenico, Micros 9700, and iTerminal IPP320 x3.

Members of the staff at Dartmouth College that have any association with the acceptance of payment cards must sign the PCI DSS Confidentiality/Non-Disclosure Statement. Signed statements should remain with the office in which the individual is conducting Dartmouth business. The PCI DSS Confidentiality/Non-Disclosure Statement is located in Section 5 of this policy.

A Self-Assessment Questionnaire (SAQ) is a validation tool that must be completed by each merchant account holder before a merchant account will be set up, and annually thereafter, in order to demonstrate compliance with the PCI DSS. If you have an existing merchant account and your business operations will be changing significantly, you will need to complete a new SAQ. Every business area needs to have an accurate SAQ on file with the Controller's Office at all times.
Department members serving on the Merchant Services Committee may conduct an internal audit of a merchant holder's business operation to ensure that its practices are in accordance with compliance and regulatory policies and procedures. Any business operation found not in compliance risks losing its privilege to accept credit card payments.

Merchant Account Holder's Responsibilities

You should NOT do the following:
1. Do not transmit cardholder's credit card data by e-mail, fax or other electronic means
2. Do not store credit card data for repeat customers on paper in an unsecured area
3. Do not store the PIN or CVV2/CVC2/CID number or the full credit card number
4. Do not electronically store any credit card data in any computer files or on servers, laptops, PCs, mobile phones, tablets or any other electronic devices
5. Do not share user IDs and/or passwords for systems access
6. Never acquire or disclose any cardholder's data without the cardholder's consent

You should DO the following:
1. Store all physical documents containing credit card data (never the full credit card number) in a locked drawer, locked file cabinet, or locked office
2. Maintain strict control over the internal and external distribution of any media that contains credit card data
3. Change vendor-supplied or default passwords
4. Ensure that your department, computer systems and operations are in full compliance with the Dartmouth Information Security Committee (DISC) policy: https://tech.dartmouth.edu/itc/services-support/help-yourself/knowledge-base/dartmouth-information-security-policy
5. Properly dispose of any media containing credit card data
6. If you receive an unencrypted e-mail from a customer with credit card data, notify the customer that they should no longer send this information via e-mail and delete the e-mail immediately

Responsibilities for Executive Officers, Fiscal Officers, and Management Officers
1. Comply with the Payment Card Industry Data Security Standard (PCI DSS) and the Dartmouth Information Security Committee (DISC) policy
2. Obtain approval from Procurement Services prior to entering into any contract, purchase, or acquisition of software or system applications
3. Obtain approval from the Controller's Office for new or replacement equipment, wireless devices and Internet Gateway Providers
4. Establish procedures to restrict physical access to data or systems that house cardholder data
5. Communicate the Dartmouth College Merchant Services Policy to all employees
6. Restrict access to credit card data on a business need-to-know basis
7. Establish appropriate segregation of duties between personnel handling credit card processing, refunds and reconciliations
8. Assign a unique ID and password to each person with computer access to credit card data
9. Do not allow credit card data to be sent by e-mail, fax or other electronic means
10. Do not allow the storage of PIN or CVV2/CVC2/CID numbers on laptops, PCs, mobile phones, tablets or other electronic devices
11. Do not allow outside consultants to store credit card data on their own PC equipment
12. Do not allow employees to share user IDs for systems access
13. Never allow the disclosure of cardholder's data without the cardholder's consent
3. Dartmouth College Procedures

Dartmouth College Merchant Services Procedures

The steps outlined below must be followed for a merchant account to be considered for credit card acceptance.

1. Requesting a Merchant Account Request Form

**Note** If you intend to accept credit cards for both on-line and terminal acceptance, you will need to complete a separate Merchant Account Request Form for each processing type.

Departments interested in accepting payments for goods and services via a credit card must first obtain a Merchant Account Request Form, located at the URL provided below, or by sending an e-mail request to Institutional.Accounting@Dartmouth.EDU:
http://www.dartmouth.edu/~control/docs/accounting/dc_merchant_account_request_form.doc

This form must be completed thoroughly and accurately for a determination to be made in the approval process. Once the form has been completed, a scanned copy should be sent to Institutional.Accounting@Dartmouth.EDU or mailed to Institutional Accounting, Hinman 6015. The requestor will be notified of the status of their request after the review process. Please allow 3-5 business days for the approval application process.

2. Self-Assessment Questionnaire (SAQ)

The SAQ is a validation tool that must be completed by each merchant account holder before a merchant account will be set up, and annually thereafter, in order to demonstrate compliance with the PCI DSS. If you have an existing merchant account and your business operations will be changing significantly, you will need to complete a new SAQ. Every business area needs to have an accurate SAQ on file with the Controller's Office at all times.

The merchant account holder or supervisor/manager that is requesting the establishment of a new merchant account will also need to complete an initial Self-Assessment Questionnaire (SAQ) based on the scope of their business operation. The appropriate SAQ for your business type will be sent to the requestor for completion upon receipt of the Merchant Account Request Form, and the requestor will be assisted in the completion and submission of the SAQ.
3. Purchasing new systems or software applications

This policy pertains to existing merchant accounts where the business operation will be changing significantly, and to any new merchant account that may require a new system or software application for processing credit card data. You must submit vendor contracts to Procurement Services for their review/approval. Where applicable, some contracts may also require further review/approval from the offices of Risk and Internal Controls and Information Security regarding compliance and security concerns. Once the contract has been approved, a signed copy of the document should be scanned to Institutional.Accounting@Dartmouth.Edu.

4. Approved Merchant Account Request

Once the merchant account request form has been approved, Institutional Accounting will complete a merchant account application with Chase Paymentech, and one for American Express where applicable. Please allow 10 business days for this process to be completed. Once the merchant account(s) have been assigned by the banks, you will be notified by Institutional Accounting.

All individuals listed on the Merchant Account Request form that require Payment Card Industry (PCI) training will be set up by Institutional Accounting and notified by e-mail of their training. Individuals who do not take the required training should not handle credit card functions. One reminder will be sent to the individual after the initial e-mail notification has been sent. If training hasn't occurred within ten business days of the final reminder, the recommendation would be suspension of tasks affiliated with any credit card functions until the individual is compliant.

5. Reconciliation of Merchant Accounts

Reconciliation - It is highly recommended that a reconciliation between the Software and/or Payment Application Gateway and Dartmouth's General Ledger be completed at least once a month for credit card settlement accountability. Any discrepancies should be followed up within a reasonable time frame.

Chargeback - The bank will notify a merchant holder of a disputed charge. The merchant holder is responsible for providing the bank with proof that the transaction was authorized by the customer. Case information is available for two years and document information is available for six months from the last case status change date. If you need assistance with the chargeback process, the Chase Paymentech Chargeback Management Guide is available; please contact Institutional.Accounting@Dartmouth.Edu.

Refund - When an item or service is purchased using a credit card and a refund is necessary, the refund must be credited to the same credit card account from which the purchase was originally made. In addition, under no circumstances is it permissible to issue a cash refund.

Online Reporting - If you encounter any reporting issues or need assistance with the Chase Paymentech Resource Online module, contact [email protected].
6. Closing a Merchant Account

When a merchant account is no longer needed, the merchant holder will need to contact Institutional.Accounting@Dartmouth.Edu and provide the merchant account(s) that need to be closed. Prior to requesting a closure, you should always allow ample time for any refunds, chargebacks or fees that may need to process against the merchant account. If you were using a payment gateway provider and/or software application, it is the responsibility of the merchant account holder to cancel the account that was established for use with the merchant account(s). This should occur when the merchant account has been requested to be closed; otherwise, you may potentially be subject to monthly fees.
7. Return of credit card equipment

It is the responsibility of the merchant account holder to ensure that all leased or rented equipment from Chase Paymentech, or any other provider, is returned when the merchant account has been requested to be closed. If the equipment is owned by Chase Paymentech, contact Institutional.Accounting@Dartmouth.Edu and you will be provided with a contact for working out the return details. If the equipment is Dartmouth College property and requires disposal, please contact Materials.Management@Dartmouth.EDU for assistance with this removal.

8. Retention Period of credit card information

PCI DSS recommends keeping the credit card information that is retained to a minimum. Local policy should make it a practice not to retain sensitive cardholder data. Limit your storage amount and retention time to that which is required for legal or regulatory purposes.

Electronic/Paper - Dartmouth's policy is that no credit card data should be stored on laptops, iPads, PCs or any other technical device. Paper documents containing credit card data should be secured in a locked office and stored in a cabinet. In an open office environment, paper documents should be stored in locked cabinets and not be left in an unsecured office at any time. Dartmouth's policy is to keep transactional reconciliations for seven years, whether stored electronically or on paper, for internal/external audit purposes. You should never store a cardholder's entire account number. In the event the cardholder's number needs to be written down for keying in later, the document needs to be shredded immediately afterwards.
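Both the Merchant Account Holder's Responsibilities list and the retention section above forbid e-mailing or storing the full card number. As an added example, not part of the Dartmouth policy or any Dartmouth tool, the following Python script shows one way an office could check a mailbox export or a shared-drive document for full primary account numbers (PANs) before the material is filed: it finds 13- to 19-digit runs, discards runs that fail the Luhn check (so student IDs and phone numbers are not flagged), and rewrites any hit to its first six and last four digits, which is the most PCI DSS permits to be displayed. The sample e-mail, the function names and the decision to screen with Luhn are assumptions made for this illustration; the card numbers in the sample are widely published test numbers, not real accounts.

```python
"""Find and truncate primary account numbers (PANs) in free text.

Added illustration for the Dartmouth Merchant Services Policy; not part of
the policy. Assumes cardholder data arrives as plain text (an e-mail body,
a spreadsheet export) and that a Luhn-valid 13-19 digit run is a PAN.
"""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (so a 20-digit serial number is not split).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every second digit from the right is doubled, digits of the doubled
    value are summed (d - 9 for d > 9), and the total must end in 0.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate a PAN to first six and last four digits, the PCI DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_only(span: str) -> str:
    return re.sub(r"[ -]", "", span)


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (offset, digits) for every Luhn-valid candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), digits))
    return hits


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its truncated form.

    Candidates that fail Luhn (IDs, order numbers) are left untouched.
    """
    def _sub(m: "re.Match[str]") -> str:
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample e-mail (hypothetical). The Visa and Mastercard numbers
# are widely published test numbers; the 16-digit "alumni ID" is not a PAN.
SAMPLE_EMAIL = (
    "Hi, please charge my Visa 4111 1111 1111 1111, exp 09/26, CVV 123.\n"
    "Alternate card: 5555-5555-5555-4444.\n"
    "My alumni ID is 1234567890123456 and my phone is 603-646-3011.\n"
)

if __name__ == "__main__":
    for offset, pan in find_pans(SAMPLE_EMAIL):
        print(f"PAN at offset {offset}: {mask_pan(pan)}")
    print(redact_pans(SAMPLE_EMAIL))
```

The Luhn screen removes most false positives from a bare digit-run regex, but a 16-digit identifier that happens to pass Luhn will still be flagged, so hits are review material, not proof of a breach. Note also that the redacted text still contains the expiration date and CVV from the sample; under the policy the e-mail itself is to be deleted, and this script only shows which part of it was a full PAN.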
4. Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard (PCI DSS)

The Official PCI DSS URL: http://www.pcisecuritystandards.org

PCI DSS was established by the credit card industry in response to an increase in identity theft and credit card fraud. Every merchant who handles credit card data is responsible for safeguarding that information and can be held liable for security compromises. This standard has 12 requirements, including controls for handling credit card data, computer and internet security, and an annual self-assessment questionnaire. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. The 12 requirements of the PCI standard are summarized below.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
PCI DSS Glossary - most commonly used

Application: Includes all purchased and custom software programs or groups of programs designed for end users, including both internal and external (web) applications

Backup: Duplicate copy of data made for archiving purposes or for protecting against damage or loss

Cardholder: Customer to whom a card is issued or individual authorized to use the card

Cardholder data: Full magnetic stripe or the PAN plus any of the following: cardholder name, expiration date, service code

Chargeback: Process when the cardholder contacts the credit card company or the issuing bank regarding an inconsistency in their credit card statement. The issuing bank will credit the disputed transaction back to the cardholder, then charge a fee to the merchant

Data Entry Processor: An individual who is responsible for credit card data entry for day-to-day operations

Encryption: Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure

Merchant: A unit that accepts credit cards as a method of payment for goods, services, information, or gifts

Merchant Account: An account established for a unit by a bank to credit sale amounts and debit processing fees

SAQ: The Self-Assessment Questionnaire is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures; it may be required by your acquirer (bank) or payment brand

Sensitive Data: Sensitive data include the account number, magnetic stripe data, CVV2/CVC2 and expiration date

Service Code: Three- or four-digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction
5. Dartmouth College PCI DSS Confidentiality/Non-Disclosure Statement

Dartmouth College Payment Card Industry Data Security Standard Confidentiality/Non-Disclosure Statement

**NOTE** All completed forms remain on file with the member's manager

As a member of the Dartmouth College Community, I acknowledge that in the course of my employment I may have access to personal, proprietary, transaction-specific, and/or otherwise confidential data concerning faculty, staff, students, alumni and/or other persons through the processing of credit card transactions. As an individual with responsibilities for processing, storing and/or transmitting credit card data, I may have direct access to sensitive and confidential information in paper or electronic format. To protect the integrity and the security of the systems and processes, as well as the personal and proprietary data of those to whom Dartmouth provides service, and to preserve and maximize the effectiveness of Dartmouth resources, I agree to the following:

• I will maintain the confidentiality of my password and will not disclose it to anyone.
• I will utilize credit card data for Dartmouth College business purposes only.
• I will uphold Dartmouth College's Code of Ethical Business Conduct, available at EthicsPoint: http://www.dartmouth.edu/~rmi, and I agree to abide by it.
• I have been provided access to Dartmouth College's Merchant Services Policy regarding the proper storing, protection, and disposal of such confidential data, and I will ensure that any such data is shredded or otherwise disposed of as per approved office policy when no longer needed.
• I have read, understand, and agree to abide by the Dartmouth College Merchant Services Policy.

The use of sensitive credit card data for personal purposes is illegal and is grounds for termination. The abuse of systems access or unauthorized disclosure or distribution of any customer's credit card data may result in prosecution.

Name (Print) _______________________________
Signature/Date ______________________________
Department ________________________________
Phone # ___________________________________