Procedures

Section 2  W&M Payment Card Procedures

William & Mary requires all departments that accept payment cards to do so only in accordance with PCI DSS and the following procedures. 

2.1  Card Acceptance and Handling

The opening of a new merchant account for the purpose of accepting and processing payment cards is done on a case-by-case basis.  Any fees associated with the acceptance of the payment card in that department will be charged to that individual merchant.

A department manager must contact Financial Operations to begin the process following these steps:

  1. Complete and submit the W&M Payment Card Application.
  2. Direct department individual(s) to complete required training (W&M PCI training and W&M Information Security Awareness training).
  3. Maintain the PCI DSS Security Awareness Program Roster of the required training completed and systems access of each department individual.
  4. Ensure department individual(s) review and acknowledge the W&M Payment Card Security & Confidentiality Agreement contained within the W&M PCI training module.
  5. Using the PCI DSS Security Awareness Program Roster, review each individual's acknowledgement of this document (W&M Payment Card Policy and Procedures), including proof of ongoing compliance with all requirements of the policy.
  6. Designate an individual within the department who will have primary authority and responsibility for payment card transactions. The department should also specify a back-up, or person of secondary responsibility, should matters arise when the primary is unavailable.
  7. Create department procedures on how your department will handle credit cards with the specific details regarding processing and reconciliation for each departmental merchant, if different, as it will depend on the method of payment card acceptance and type of merchant account. A template has been created that you can use as a base; W&M Departmental Card Handling Procedures.
  8. All service providers and third-party vendors providing payment card services must be PCI DSS compliant and be vetted through the procurement and contracting process. The PCI Committee must maintain a list that documents all service providers and:
    • Ensure contracts include language stating that the service provider or third-party vendor is PCI compliant and will protect all cardholder data.
    • Annually audit the PCI compliance status of all service providers and third-party vendors. A lapse in PCI compliance could result in the termination of the relationship.
2.2 Payment Card Data Security

All departments authorized to accept payment card transactions must have their card handling procedures documented and made available for periodic review. Departments must have in place the following components in their procedures and ensure that these components are maintained on an ongoing basis. (As stated above the W&M Departmental Card Handling Procedures can be used as a template).

PROCESSING AND COLLECTION
  1. Access to cardholder data (CHD) must be restricted to only those users who need the data to perform their jobs. Each merchant department must maintain a current list of individuals (PCI DSS Security Awareness Program Roster) with access to CHD and review the list periodically to ensure that the list reflects the most current access needed and granted.
  2. All equipment used to collect cardholder data must be secured against unauthorized use or tampering in accordance with the PCI DSS. This includes the following:
    • Maintaining an inventory/list of devices and their location (W&M PCI Quality Control Checklist).
    • Periodic inspection of the devices to check for tampering or substitution.
    • Training all personnel to be aware of suspicious behavior and reporting procedures in the event of suspected tampering or substitution.
  3. Cardholder data must not be processed, stored or transmitted using the university’s network unless the Chief IT Security Officer has verified the technical controls, including firewalls and encryption, in accordance with the PCI DSS.
  4. Email must never be used to transmit payment card or personal payment information, nor should it be accepted as a method to supply such information. In the event that it does occur, disposal as outlined below is critical. If payment card data is received in an email then:
    • The email should be replied to immediately with the payment card number deleted stating that "William & Mary does not accept payment card data via email as it is not a secure method of transmitting cardholder data".
    • Provide a list of the alternate, compliant option(s) for payment.
    • Delete the email from your inbox and also delete it from your email Trash.
  5. If fax machines are used to transmit payment card information to a merchant department, it must be a standalone machine and on the appropriate secure network with appropriate physical security; receipt or transmission of payment card data using a multi-function fax machine is not permitted. Departments must work with IT to ensure the fax machine is on the appropriate network.
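A defender-side illustration of the email rule above, added here as an example (it is not part of W&M's procedures or tooling): a Python routine that finds Luhn-valid card numbers and card validation codes in a message body and strips them before the reply is sent, so that neither the reply nor anything kept from it carries cardholder data. Only the last four digits of each number are kept, which PCI DSS permits to be displayed and which lets staff tell the payer which card they meant. The sample message, the function names and the "[card number removed]" marker are constructed for this example.

```python
import re

# Digit runs of 13 to 19 digits (the PAN length range), optionally separated
# by single spaces or dashes as people type them in email.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# "CVV: 123", "cvc2 4567", "security code #123" and similar.
_CVV_PATTERN = re.compile(
    r"\b(cvv2?|cvc2?|cid|security code)\s*[:#]?\s*\d{3,4}\b", re.IGNORECASE
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum that all
    payment card numbers satisfy; most unrelated digit runs will not."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def redact_cardholder_data(text: str) -> dict:
    """Strip PANs and card validation codes from a message body.

    Returns the cleaned text plus the last four digits of each PAN found;
    Luhn-invalid digit runs (order numbers, tracking ids) are left alone."""
    last_fours = []

    def _replace_pan(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)       # not a card number, keep it
        last_fours.append(digits[-4:])
        return "[card number removed]"

    cleaned = _PAN_CANDIDATE.sub(_replace_pan, text)
    cleaned, cvv_count = _CVV_PATTERN.subn(
        lambda m: f"{m.group(1)}: [removed]", cleaned
    )
    return {"text": cleaned, "pan_last4": last_fours, "cvv_removed": cvv_count}


# Constructed sample message: 4111 1111 1111 1111 is the widely published Visa
# test number, and the 16-digit order reference is chosen to fail the Luhn check.
SAMPLE_EMAIL = (
    "Hi, please charge my card 4111 1111 1111 1111, exp 12/27, CVV: 123.\n"
    "Reference order 1234567890123456. Call me at 757-555-0100."
)

if __name__ == "__main__":
    result = redact_cardholder_data(SAMPLE_EMAIL)
    print(result["text"])
    print("PANs removed (last 4):", result["pan_last4"],
          "CVVs removed:", result["cvv_removed"])
```

The Luhn check is what keeps the routine from mangling harmless 13- to 19-digit references; a digit-count pattern alone would flag the order number in the sample as well. Running the redacted text back through the same function is a cheap way to confirm nothing was missed before the reply goes out.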
STORAGE AND DESTRUCTION
  1. Cardholder data, whether collected on paper or electronically, must be protected against unauthorized access.
  2. Physical security controls must be in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment, documents, or electronic files containing cardholder data.
  3. No database, electronic file, or other electronic repository of information will store the full contents of any track from the magnetic stripe, or the card validation code.
  4. Portable electronic media devices should not be used to store cardholder data. These devices include, but are not limited to, the following: laptops, iPads, tablets, smartphones or other handheld devices, compact disks, floppy disks, USB flash drives, personal digital assistants, and portable external hard drives.
  5. Cardholder data should not be retained any longer than the period defined by a legitimate business need and must be destroyed immediately following the required retention period (see Library of Virginia’s Record Retention schedule) using a PCI DSS-approved method of destruction. A regular schedule of deleting or destroying data should be established in the merchant department to ensure that no cardholder data is kept beyond the required retention period.
2.3 Risk Assessment

William & Mary should conduct annual risk assessments for PCI DSS compliance. 

  • Information Technology should implement a formal risk assessment process in which current threats and vulnerabilities to the institution’s network and processing environment, including staff, are analyzed. IT should also conduct the risk assessment of the infrastructure and threats. 
  • Departments accepting payment cards must also conduct an assessment of their physical environments and assess risks to the payment card environment which includes devices and cardholder data.
  • Each area will need to address all threats with mitigation tasks, timelines and/or acceptance statements.
  • Each area will need to prepare and maintain documented output from the risk assessment exercise(s).
2.4 Incident Response

William & Mary Information Technology Security maintains the Incident Response Plan it will execute in the event of a breach or suspected breach of security. Departments must immediately contact IT Security for any breach or suspected breach, including any suspected activity involving computers (hacking, unauthorized access, etc.). For the fastest response, information security incidents should be reported directly using one of the options below. The Security Incident Response Team monitors these communication channels continuously during business and most non-business hours.

  • calling the Chief Information Security Officer at 221-1822 or 757-870-9806
  • emailing [[abuse]] with a description of the incident
  • emailing the Information Security Teams site at General - IT - Security Engineers

Immediately upon receipt of an incident report, a member of the Security Incident Response Team will document the necessary information about the incident using the Information Security Report Form.

Security Incident Response Team

Name         | Department | Role                                        | Telephone    | Email
Pete Kellogg | IT         | CISO and IRP Lead                           | 757-870-9806 | [[pckell]]
Matt Keel    | IT         | Network Security Engineer and IRP Secondary | 757-603-6883 | [[mikeel]]
Eric Myers   | IT         | Network Security Engineer                   | 757-608-8724 | [[emmyer]]

Incident Response Plan (IRP)

William & Mary’s Security Incident Response Plan is summarized as follows:

  1. All incidents must be reported to the Security Incident Response Team using the methods provided above.
  2. The Security Incident Response Team will confirm receipt of the incident notification.
  3. The Security Incident Response Team will investigate the incident and assist the compromised department in limiting the exposure of cardholder data.
  4. The Security Incident Response Team will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties (credit card associations, credit card processors, etc.) as necessary.
  5. The Security Incident Response Team will determine if policies and processes need to be updated to avoid a similar incident in the future.

In the event of a suspected or confirmed PCI DSS incident involving a payment station (PC used to process credit cards):

  • Do NOT turn off the PC.
  • Disconnect the network cable connecting the PC to the network jack. If the cable is secured and you do not have the key to the network jack, simply cut the network cable.
  • Document any steps taken until the Response Team has arrived. Include the date, time, person/persons involved and action taken for each step.
  • Assist the Response Team as they investigate the incident.

The Incident Response Plan will be reviewed and tested at least annually by IT.

2.5  Policy and Training
Policy

The PCI Committee, Financial Operations and Chief IT Security Officer will review this policy document annually to ensure it is up-to-date and covers the entirety of the PCI DSS.  

  • Departments will maintain the following:
    • PCI DSS Security Awareness Program Roster - a log of departmental personnel who have completed the W&M PCI Training, Payment Card Security and Confidentiality Agreement, W&M Payment Card Policy & Procedures, Departmental Procedures and W&M Information Security Awareness Training, together with each person's access status.
  • Departments will maintain their departmental procedures and review annually.
  • The PCI Committee will audit departments annually for compliance.
Training
All departments and associated users accepting payment cards must complete W&M PCI training and W&M Information Security Awareness training prior to accepting payment cards.  Thereafter, all personnel must complete the trainings annually.  Departments will maintain a log of the completed training using the PCI DSS Security Awareness Program Roster.