
Payment Card Procedures

William & Mary requires all departments that accept payment cards to do so only in accordance with PCI DSS and the following procedures. 

Card Acceptance & Handling

Opening a new merchant account to accept and process payment cards is done on a case-by-case basis. Any fees associated with the acceptance of the payment card in that department will be charged to that individual merchant.

A department manager must contact Financial Operations to begin the process following these steps:

  1. Complete and submit the W&M Payment Card Application (xlsx).
  2. Direct department individual(s) to complete required training (W&M PCI training and W&M Information Security Awareness training).
  3. Maintain the PCI DSS Security Awareness Program Roster, recording the required training completed by, and the system access granted to, each department individual.
  4. Ensure department individual(s) review and acknowledge the W&M Payment Card Security & Confidentiality Agreement (doc) contained within the W&M PCI training module.
  5. Using the PCI DSS Security Awareness Program Roster (xlsx), review each individual's acknowledgment of the W&M Payment Card Policy and Procedures, and provide proof of ongoing compliance with all policy requirements.
  6. Designate an individual within the department who will have primary authority and responsibility for payment card transactions. The department should also specify a backup, or person of secondary responsibility, should matters arise when the primary is unavailable.
  7. Create department procedures describing how your department will handle credit cards, with specific details on processing and reconciliation for each departmental merchant (these may differ, since they depend on the method of payment card acceptance and the type of merchant account). A template has been created that you can use as a base: W&M Departmental Card Handling Procedures (doc).
  8. All service providers and third-party vendors providing payment card services must be PCI DSS compliant and be vetted through the procurement and contracting process. The PCI Committee must maintain a list that documents all service providers and: 
    • Ensure contracts state that the service provider or third-party vendor is PCI compliant and will protect all cardholder data.
    • Annually audit the PCI compliance status of all service providers and third-party vendors. A lapse in PCI compliance could result in the termination of the relationship.

Payment Card Data Security

All departments authorized to accept payment card transactions must document and make their card handling procedures available for periodic review. Departments must implement the following components in their procedures and ensure that these components are maintained continuously. As stated above, the W&M Departmental Card Handling Procedures (doc) can be used as a template.

Processing & Collection
  1. Access to cardholder data (CHD) must be restricted to only those users who need the data to perform their jobs. Each merchant department must maintain a current list of individuals, PCI DSS Security Awareness Program Roster (xlsx), with access to CHD and review the list periodically to ensure that the list reflects the most current access needed and granted.
  2. All equipment used to collect cardholder data must be secured against unauthorized use or tampering in accordance with the PCI DSS, which includes the following:
    • Maintaining an inventory/list of devices and their location - W&M PCI Quality Control Checklist (xlsx)
    • Periodic inspection of the devices to check for tampering or substitution.
    • Training all personnel to be aware of suspicious behavior and reporting procedures in the event of suspected tampering or substitution.
  3. Cardholder data must not be processed, stored or transmitted using the university’s network unless the Chief IT Security Officer has verified the technical controls, including firewalls and encryption, in accordance with the PCI DSS.
  4. Email must never be used to transmit payment card or personal payment information, nor should it be accepted as a method to supply such information. In the event that it does occur, disposal, as outlined below, is critical. If payment card data is received in an email, then:
    • The email should be replied to immediately, with the payment card number deleted, stating that “William & Mary does not accept payment card data via email as it is not a secure method of transmitting cardholder data.”
    • Provide a list of the alternate, compliant option(s) for payment.
    • Delete the email from your inbox and also delete it from your email Trash.
  5. If fax machines transmit payment card information to a merchant department, they must be standalone machines on the appropriate secure network with appropriate physical security; receipt or transmission of payment card data using a multi-function fax machine is prohibited. Departments must work with IT to ensure the fax machine is on the appropriate network.
Storage & Destruction
  1. Cardholder data must be protected against unauthorized access, whether on paper or electronically.
  2. Physical security controls must be in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment, documents, or electronic files containing cardholder data.
  3. No database, electronic file, or other electronic repository of information will store the full contents of any track from the magnetic stripe or the card validation code.
  4. Portable electronic media devices should not be used to store cardholder data. These devices include, but are not limited to, laptops, iPads, tablets, smartphones or other handheld devices, compact disks, floppy disks, USB flash drives, personal digital assistants, and portable external hard drives.
  5. Cardholder data should not be retained any longer than defined by a legitimate business need and must be destroyed immediately following the required retention period (see the Library of Virginia's Record Retention schedule) using a PCI DSS-approved method of destruction. The merchant department should establish a regular schedule of deleting or destroying data to ensure that no cardholder data is kept beyond the required retention period.

Risk Assessment

William & Mary should conduct annual risk assessments for PCI DSS compliance.

  • Information Technology should implement a formal risk assessment process to analyze current threats and vulnerabilities to the institution's network and processing environment, including staff. The IT department should also conduct a risk assessment of the infrastructure and the threats to it.
  • Departments accepting payment cards must also assess their physical environments and risks to the payment card environment, which includes devices and cardholder data.
  • Each area must address all threats with mitigation tasks, timelines and/or acceptance statements.
  • Each area must prepare and maintain documented output from the risk assessment exercise(s).

Incident Response

William & Mary Information Technology Security maintains the Incident Response Plan, which will be executed in the event of a breach or suspected security breach. Departments must immediately contact IT Security for any breach or suspected breach, including any suspected activity involving computers (hacking, unauthorized access, etc.). For the fastest response, information security incidents should be reported directly using one of the options below. The Security Incident Response Team monitors these communication channels continuously during business and most non-business hours.

  • calling the Chief Information Security Officer at 757-221-1822 or 757-870-9806
  • emailing [[abuse]] with a description of the incident
  • emailing the Information Security Teams site at General - IT - Security Engineers

Immediately upon receipt of an incident reported, a Security Incident Response team member will document necessary information about the incident using the Information Security Report Form.

Security Incident Response Team

Member        Department  Role                                         Phone         Email
Pete Kellogg  IT          CISO and IRP Lead                            757-870-9806  [[pckell]]
Matt Keel     IT          Network Security Engineer and IRP Secondary  757-603-6883  [[mikeel]]
Eric Myers    IT          Network Security Engineer                    757-608-8724  [[emmeyer]]

Incident Response Plan (IRP)

William & Mary’s Security Incident Response Plan is summarized as follows:

  1. All incidents must be reported to the Security Incident Response Team using the methods mentioned.
  2. The Security Incident Response Team will confirm receipt of the incident notification.
  3. The Security Incident Response Team will investigate the incident and assist the compromised department in limiting the exposure of cardholder data.
  4. The Security Incident Response Team will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties (credit card associations, credit card processors, etc.) as necessary.
  5. The Security Incident Response Team will determine whether policies and processes need to be updated to prevent a similar incident from occurring again.

In the event of a suspected or confirmed PCI DSS incident involving a payment station (PC used to process credit cards):

  • Do NOT turn off the PC.
  • Disconnect the network cable connecting the PC to the network jack. If the cable is secured and you do not have the key to the network jack, cut the network cable.
  • Document any steps taken until the Response Team arrives. Include the date, time, person/persons involved, and action taken for each step.
  • Assist the Response Team as they investigate the incident.

The Incident Response Plan will be reviewed and tested at least annually by IT.

Policy & Training

Policy

The PCI Committee, Financial Operations and Chief IT Security Officer will review this policy document annually to ensure it is up-to-date and covers the entirety of the PCI DSS.

  • Departments will maintain the following:
    • PCI DSS Security Awareness Program Roster (xlsx) - a log of departmental personnel who have completed the W&M PCI Training, Payment Card Security and Confidentiality Agreement, W&M Payment Card Policy & Procedures, Departmental Procedures, and W&M Information Security Awareness Training, together with each person's access status.
  • Departments will maintain their departmental procedures and review them annually.
  • The PCI Committee will audit departments annually for compliance.

Training

All departments and associated users accepting payment cards must complete W&M PCI training and W&M Information Security Awareness training before accepting payment cards. After that, all personnel must repeat both training courses annually. Departments will maintain a log of the completed training using the PCI DSS Security Awareness Program Roster (xlsx).