Approved by the President
December 3, 2010
August 31, 2015
Questions related to the daily operational interpretation of this policy should be directed to:
Information Technology Security Administrator
Business and Finance Policies
SUNY Oneonta must take all appropriate measures to protect credit card numbers used to make payments to SUNY Oneonta.
Credit card transactions have become the preferred method for making payments or donations to SUNY Oneonta. Every business that accepts credit and debit card payments is required to comply with the Payment Card Industry Data Security Standards (PCI-DSS). Additionally, the institution's reputation would be seriously damaged by the exposure of credit or debit card numbers. To comply with the PCI-DSS, employees who work directly with credit card processing and documentation are required to review and sign this policy on an annual basis.
Applicability of the Policy
This policy applies to all SUNY Oneonta employees who have access to credit or debit card numbers accepted for payments to the institution.
Cardholder data – The full magnetic stripe of the card or the entire card number plus any of the following; cardholder name, expiration date, service code.
PCI-DSS – The Payment Card Industry Data Security Standard was adopted to assure the protection of customer data and credit card numbers.
PCI environment – includes computers, network hardware and the segment of the Oneonta network (PCI VLAN) configured to meet the PCI standards for electronic submission, processing or storage of cardholder data.
Point-of-Sale device - Any device in which cardholder data is inputted to facilitate credit card transactions.
- 1. Access to Customer Credit Card Data
1.1 Access is authorized only for SUNY Oneonta personnel who are responsible for processing or facilitating credit card transactions. Access may be granted by the supervisor of a department with SUNY Oneonta approval to handle credit card information. Only authorized SUNY Oneonta personnel may process credit card transactions or have access to documentation related to credit card transactions.
1.2 A copy of this policy must be read and signed by authorized personnel on initial employment and annually thereafter.
1.3 Signed policies will be maintained by the department supervisor.
- 2. Transmission of Credit Card Information
2.1 Insecure (unencrypted) transmission of cardholder data is prohibited. Credit card numbers and cardholder data may not be emailed, faxed, or sent via any electronic messaging technologies such as instant messaging or chat.
- 3. Telephone Payments
3.1 When recording credit card information for processing via a dial-up terminal, only cardholder name, account number, expiration date, zip code, and street address may be recorded. It is not permissible to record and store the three-digit security code (CVV2).
3.2 Store transaction documentation and merchant receipt in a secure (locked) area.
- 4. Card Present Transactions (Point-of-Sale)
4.1 Point-of-Sale devices must be inspected for tampering before the first use of the week and the inspection must be logged.
4.2 Picture ID is required if the card is not signed.
4.3 Provide a receipt to the customer.
4.4 Store transaction documentation and merchant receipt in a secure (locked) area.
4.5 Department supervisors must maintain a list of all POS devices and personnel authorized to use them.
- 5. Receipt of Credit Card Information in Email
5.1 Under no circumstances will credit card numbers received in email be processed.
5.2 The recipient of the credit card number will respond to the sender with the standard template provided at the end of this policy advising that the transaction cannot be processed and offering an acceptable method for transmitting card information. Credit card numbers will be deleted from the response.
- 6. Processing Credit Card Transactions and Storage of Cardholder data on Campus Computers
6.1 Offices that make payment card transactions on the web (that is, enter a customer’s credit card number on a website in payment for a purchase at or donation to the institution) must do so from a computer designated for that purpose on the campus PCI VLAN.
6.2 Card numbers must be entered on a computer that is expressly designated as belonging to the PCI environment.
6.3 Cardholder data should not be stored electronically.
6.4 Credit Card Transactions over the campus WiFi network is forbidden.
- 7. Delivery of Transaction Documents to Student Accounts (for staff at peripheral locations)
7.1 Prepare Funds Transmittal Sheet
7.2 Personally deliver all transaction documentation to Student Accounts, Netzer 240. Never send transaction information through campus mail.
- 8. Securing Transaction Documents (for Student Accounts staff)
8.1 During the window session, place merchant receipt and other transaction documents in a drawer. At the workstation, store securely until session materials are placed in the vault at end of the day.
8.2 Any transaction documentation retrieved from the vault for review or refund purposes must be handled securely and placed back in the vault as soon as possible but no later than the end of the business day.
8.3 Credit card transaction documents must be stored in the vault. When retention period passes it may be taken from the vault and destroyed (shredded) immediately.
- 9. Retention and Destruction of Cardholder Data
9.1 Cardholder data should be retained in a secure location only as long as is necessary for business purposes
9.2 Cardholder data will be destroyed when no longer needed. Paper will be cross-cut shredded. Electronic files will be destroyed in a manner appropriate to the media on which they are stored.
- 10. Processing Involving Third-Party Service Providers
10.1 Offices must maintain a list of service provider used.
10.2 A written agreement must be maintained that includes an acknowledgment that the service provider is responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of SUNY Oneonta or associated entity.
10.3 Service provider PCI DSS compliance must be verified on an annual basis by obtaining the service provider’s Attestation of Compliance or checking for the service provider’s compliance status on the Visa Global Registry of PCI DSS Validated Service Providers.”
10.4 The Information Technology Security Administrator should be consulted during engagements with new service providers to assure PCI DSS compliance and assess risk.
- 11. Security Incident Reporting
11.1 In the event of suspected tampering or substitution of a Point-of-Sale device or computer belonging to the PCI environment, or suspected loss or theft documents or files containing cardholder data the IT Security department should be notified immediately by contact list (in order of preference):
- Information Technology Security Administrator, 607-436-3203
- Information Technology Security Analyst, 607-436-2770
- Office of the Chief Information Officer, 607-436-3663
Related Documents / Policies
I have read the above procedures and agree to abide by them.
Name _______________________________________________ Date____________
Template Response* for Credit Card Number Received in Email
Thank you for your recent communication regarding payment for item or event. For your protection, we cannot accept credit card information via email. Email is an insecure means of transmitting information and you should never use it to send your credit card number or other sensitive personal information (passwords, Social Security Number, etc.). Please call our office at phone number during regular business hours to complete the transaction or visit website if available. Thank you.
*Delete the cardholder data from your response and delete the original message after replying.