Payment Card Processing Policy
Initially Approved: October 12, 2015
Policy Topic: Business Administration & Auxiliary Services
Administering Office: Controller
I. POLICY STATEMENT
The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security
standard that includes requirements for security management, policies, procedures,
network architecture, software design and other critical protective measures related
to processing payment card transactions. This comprehensive standard is intended to
help organizations proactively protect customer account data. Agencies found to be
out of compliance that don’t take corrective action within a reasonable time may be
required to stop accepting payment cards and may be liable for fines.
This policy defines the requirements and responsibilities for processing payment cards
at Western Carolina University that allow the university to remain PCI-compliant.
II. SCOPE AND APPLICATION OF THE POLICY
This policy applies to all university departments; vendors who provide services to
the university; and/or contractors that provide services to the university and who
act as a merchant by accepting, maintaining, transmitting or storing payment cardholder
data in any way.
- “Payment Card” shall refer to any of a range of different cards that can be used by
a customer to make a payment, but does not include the University’s declining balance
- “Merchant” shall refer to university departments, and vendors or contractors that
provide services to the university who accept, maintain, transmit, or store payment
cardholder data in any way.
- “Computer” shall refer to desktop personal computers; laptop personal computers; smart
phones; and/or tablet computing devices.
- “Point of Sale” (POS) Terminal shall refer to a device that is used to interface with
a payment card to transmit cardholder data.
- “Card Processing Equipment” refers to any device or equipment that collects, stores
or transmits cardholder data from a payment card. Card Processing Equipment may include
computers (as defined above) or POS terminals (as defined above).
- “Cardholder Data Environment” (CDE) shall refer to all technology that store, process
or transmit cardholder data (i.e., servers, network equipment, applications, etc.)
- “Cardholder Data” shall refer to the primary account number (PAN) of a payment card.
If cardholder name, service code, and/or expiration date are stored, processed or
transmitted with the PAN, or are otherwise present in the CDE, they are also considered
IV. REQUIREMENTS FOR CARD PROCESSING EQUIPMENT
- Card Processing Equipment may only be used in the locations and for the purpose for
which it has been approved. Contact the Controller’s Office for approval of new locations
or usage of Card Processing Equipment.
- Payment cards may only be processed using approved equipment and applications. Information
regarding requirements for approved equipment and applications shall be maintained
by the Controller’s Office in a separate procedure.
- Computers used as Card Processing Equipment may not be used for other purposes unless
approved by the Controller and the CIO or their designees.
V. REQUIREMENTS FOR PROCESSING PAYMENT CARD DATA
The Controller’s Office, in association with the IT Division, shall maintain procedures
for the handling of Payment Card Data.
A. Merchants that handle payment cards must:
- Create and maintain a list of all personnel approved to use Card Processing Equipment;
- Create and maintain a list of all Card Processing Equipment and provide that list
to the WCU Controller’s Office. The list must contain the location, make, model, serial
number or WCU tag number of each piece of Card Processing Equipment;
- Ensure that only approved personnel use Card Processing Equipment;
- Ensure that all staff that handle payment cards must take the PCI training provided
through the Controller’s Office;
- Ensure that all staff must be made aware of this policy; related policies, procedures,
and resources; and University Policy 117 – Information Security Policy (University
- Inspect all Card Processing Equipment at least monthly to look for evidence of tampering,
especially looking for foreign devices being attached to the equipment. If such evidence
is discovered, it must first be reported to the Western Carolina University Police
Department and then to the Controller’s Office; and
- Ensure all users of Card Processing Equipment requiring authentication have a unique
identifier with which to authenticate.
B. Operators of Card Processing Equipment must:
- Take the PCI training provided by the Controller’s Office;
- Be aware of and abide by this policy; related policies, procedures and resources;
and University Policy 117; and
- Report suspicious activities, evidence of tampering or security incidents first to
the Western Carolina University Police Department and then the department manager
or the Controller’s Office if a manager is not available.
C. The IT Division shall:
- Maintain the security, including but not limited to firewalls and network routing
configurations, according to the current PCI DSS standards to protect the CDE;
- Change vendor default passwords or other default settings for systems or network components
that are part of the CDE;
- Maintain logs for critical components of the CDE according to the current PCI DSS
- Maintain network maps that document the flow of data in and out of the CDE.
D. The Controller’s Office shall:
- Maintain a formal payment card security awareness program for university employees
who handle payment cards;
- Approve or deny new locations of Card Processing Equipment;
- Maintain a list of service providers that are involved in processing payment cards
for each merchant number owned by the university and a written agreement from each
service provider acknowledging what their responsibility is for PCI compliance.
VII. POLICY REVIEW
This policy and related procedures, and resources shall be reviewed and revised annually
as a part of the required annual PCI Self-Assessment Questionnaire process.
VIII. RELATED POLICIES, PROCEDURES AND RESOURCES
Payment Card Industry Data Security Standard (current version)
University Policy 117 - Information Security
Controller’s Office Procedure - Requirements for Processing Payment Card Data