3.10 – Payment Card Industry Data Security Standard (PCI DSS) Policy

Purpose of Document:

To establish the security requirements for receiving, handling, storing, and destroying credit card information at Asbury Theological Seminary.

Policy:

Definitions: 

  • Cardholder Data Environment – Any physical area or system where credit card information is received, processed, transmitted, stored, or destroyed. 
  • Employee – For the purposes of this policy, “employee” refers to full-time, part-time, or temporary employees, as well as contractors and consultants who are “resident” on the Seminary’s site or otherwise have access to the Seminary’s cardholder data environment. 
  • Payment Card – A credit or debit card issued under a payment brand such as Visa, Mastercard, Discover, etc. 
  • PAN – Primary account number, i.e. the credit card number printed or embossed on the card 
  • PIN – Personal identification number 

For the purposes of this policy, “credit card information” includes the following: 

  • Cardholder name
  • Primary Account Number (PAN)
  • Personal Identification Number (PIN)
  • Card verification code/value (the three or four digit security code printed on the card)
  • Expiration Date
  • Service Code

Scope

This policy applies to all employees of Asbury Theological Seminary, as defined above, including contractors and consultants with access to the Seminary’s cardholder data environment. 

Policy

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of requirements for protecting credit card account data, developed by the payment card industry in response to rising identity theft and credit card fraud. As a merchant that handles credit card data, Asbury Theological Seminary is obliged to safeguard that information and adhere to the standards established by the Payment Card Industry Security Standards Council (PCI SSC), including setting up controls for handling credit card data, maintaining computer and internet security, and completing an annual Self-Assessment Questionnaire (SAQ). 

All credit card and debit card transaction acceptance, including web-based transactions, must be managed through the Business Office. 

Departments that need to accept credit/debit cards and obtain a physical terminal to swipe or key transactions must contact the Business Office to execute the required paperwork, obtain a Merchant Number, and receive direction as to how those transactions are to be processed for accounting purposes. 

All transactions processed by the Seminary must meet the standards outlined below:

  1. Whenever possible, direct all in-person and telephone payments to the Business Office for processing. 
  2. No credit card information shall be stored in any electronic form (including spreadsheets, email mailboxes, scanned images, or call recordings). 
  3. Credit card information shall not be processed via remote access technologies, wireless networks, removable media, laptops, tablets, or cell phones, except where explicitly authorized. 
  4. No credit card information may be transmitted via end-user messaging technologies (e.g. email, fax, SMS, instant messaging) unless it is rendered unreadable with strong cryptography. Email is not an approved channel in any case (see item 6). 
  5. Under no circumstances may the card verification code/value (the three or four digit security code) or the personal identification number (PIN) be stored anywhere, in any form, even if encrypted.
  6. Credit card information may only be accepted online (through approved methods), by telephone, by mail, or in person. It must not be accepted via email, and departments must not send credit card information by email. 
  7. Physical (paper) credit card information must be kept locked in a secure area, with access restricted on a ‘need to know’ basis to individuals whose job requires use of the data. 
  8. If credit card information must be removed from the cardholder data environment, management approval must be obtained before it is moved, and every such move must be logged. Any media sent outside the Seminary must go by secured courier or another trackable method (e.g. registered mail, FedEx, UPS). 
  9. Move logs must be available for inspection during regular business hours. 
  10. Physical credit card information must be classified as such and labeled so that the classification is visible. 
  11. Credit card information must be destroyed by shredding (cross-cut or micro-cut) when it is no longer needed for business or legal reasons. 
  12. Credit card information awaiting destruction must be kept in a secured, locked container. 
  13. Credit card receipts may display no more than the first six and the last four digits of the PAN; the remaining digits must be masked. Receipts that show more than this must be shredded or retained in a secure area. 
  14. Limit access to cardholder information to those individuals whose job requires such access. 
  15. All departments must comply with the Payment Card Industry Data Security Standard (PCI DSS) issued by the PCI Security Standards Council at all times. 
  16. Any loss, suspected loss, or breach of credit card information must be reported in accordance with the Payment Card Security Incident Response Plan. 

Staff responsible for processing, storing or transmitting credit card data must sign a confidentiality statement (Appendix A). 

Risk of Non-Compliance

If the Seminary or its employees do not comply with the security requirements of the payment card brands, or fail to rectify an identified security issue, the payment card brands may: 

  • Fine the Seminary’s acquiring (member) bank, which may pass the fine on to the Seminary 
  • Impose restrictions on the Seminary, or 
  • Permanently prohibit the Seminary from participating in payment card programs. 

Incident Response Policy

LITS has adopted a formal Payment Card Security Incident Response Plan to be followed in the event of a suspected or confirmed security breach involving credit card information.

This policy will be reviewed and updated at least annually. LITS Staff reserve the right to modify this policy at any time.

Approvals: 

  • LITS: October 11, 2019
  • Provost: February 2020