
Credit Card Security Policy

JSCC Policy Number: 01.13.00.04

TBR Policy Reference: Not Applicable

TBR Guideline Reference: Not Applicable

Approved By: President's Cabinet

Original Date Effective: 2010-07-13

Last Modified: 2023-08-07

Responsible Office: Information Technology, Business Services


Introduction

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing payment account and credit card data security. Please see https://www.pcisecuritystandards.org for additional information. JSCC leadership is committed to these security policies to protect information utilized by JSCC in serving our students, employees and constituents. All employees are required to adhere to the policies described within this document.

Scope of Compliance

The PCI requirements apply to all systems that store, process, or transmit cardholder data. Currently, JSCC's cardholder dataflow includes only paper media and that is only if necessary. Electronic storage of cardholder data is not conducted or permitted. Due to the limited nature of the in-scope environment, this document is intended to meet the PCI requirements as defined in Self-Assessment Questionnaire (SAQ) C. Should JSCC implement additional acceptance channels, begin storing, processing, or transmitting cardholder data in electronic format, or otherwise become ineligible to validate compliance under SAQ C, it will be the responsibility of JSCC to determine the appropriate compliance criteria and implement additional policies and controls as needed.

Other JSCC and TBR policies address information security and related matters such as the Identity Theft Prevention Program. This policy should be considered in the interpretation and implementation of this program.

Requirement 1: Build and Maintain a Secure Network

FIREWALL CONFIGURATION

Firewalls must restrict connections between untrusted networks and any system in the cardholder data environment. An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage. (PCI Requirement 1.2)

Firewalls must prohibit direct public access between the Internet and any system component in the cardholder data environment. PCI equipment has been placed in a segmented VLAN. (PCI Requirement 1.3)

Requirement 2: Do not use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

VENDOR DEFAULTS

Vendor-supplied defaults must always be changed before installing a system on the network. Examples of vendor defaults include passwords used by operating systems, security service software, payment applications, etc.; unnecessary default accounts must also be eliminated. (PCI Requirement 2.1)

For wireless environments connected to the cardholder data environment or transmitting cardholder data, change all wireless vendor defaults which include default wireless encryption keys, passwords and SNMP community settings. Defaults for wireless systems must be changed before implementation. (PCI Requirement 2.1.1)

Non-Console Administrative Access

Credentials for non-console administrative access must be encrypted using technologies such as SSH, VPN, or SSL/TLS. (PCI Requirement 2.3)

Requirement 3: Protect Stored Cardholder Data

Prohibited Data

Sensitive authorization data will be retained only until completion of the authorization of a transaction. Storage of sensitive authorization data post-authorization is forbidden. Specifically, sensitive authorization data includes the following:

  1. The full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. (PCI Requirement 3.2.1)
  2. The card verification code or value (three- or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions. (PCI requirement 3.2.2)
  3. The personal identification number (PIN) or the encrypted PIN block. (PCI requirement 3.2.3)

Displaying Primary Account Numbers (PAN)

JSCC will mask the display of PANs, and limit viewing of PANs to only those employees and other parties with a legitimate need. A properly masked number will show only the first six and the last four digits of the PAN. (PCI requirement 3.3)

JSCC does not store PAN information. (PCI Requirement 3.4)

Requirement 4: Encrypt Transmission of Cardholder Data across Open, Public Networks

Transmission of Cardholder Data

Cardholder data sent across open, public networks must be protected through the use of strong cryptography or security protocols (e.g., IPSEC, SSL, TLS). (PCI Requirement 4.1)

Sending unencrypted PANs by end-user messaging technologies is prohibited. Examples of end-user technologies include email, instant messaging and chat. (PCI requirement 4.2)
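The masking rule in Requirement 3.3 (first six and last four digits) and the prohibition on unencrypted PANs in email and chat (Requirement 4.2) both come down to recognizing a PAN in text and replacing it. The following is an added example, not part of this policy or any JSCC system, showing one way a data-loss-prevention check could do that: the regular expression, the digit-length limits and the sample messages are assumptions constructed for illustration, and the Luhn check is used to reduce false positives on other long numbers.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
# Constructed pattern for this example; tune the length range to the card brands accepted.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
MIN_LEN, MAX_LEN = 13, 19


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so that only the first six and last four digits remain visible."""
    digits = re.sub(r"\D", "", pan)
    if not MIN_LEN <= len(digits) <= MAX_LEN:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _is_pan(candidate: str) -> bool:
    """True when a regex hit has a plausible length and a valid Luhn checksum."""
    digits = re.sub(r"\D", "", candidate)
    return MIN_LEN <= len(digits) <= MAX_LEN and luhn_valid(digits)


def find_unmasked_pans(text: str) -> list:
    """Return the unmasked PANs found in free text such as an email body."""
    return [re.sub(r"\D", "", m.group(0))
            for m in PAN_RE.finditer(text) if _is_pan(m.group(0))]


def redact(text: str) -> str:
    """Replace each unmasked PAN in text with its masked form; leave other numbers alone."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)) if _is_pan(m.group(0)) else m.group(0),
                      text)


if __name__ == "__main__":
    # Constructed sample message; 4111111111111111 is a well-known Luhn-valid test number.
    sample = "Refund for card 4111 1111 1111 1111, call 650-432-2978 with questions."
    print(find_unmasked_pans(sample))   # the PAN is flagged, the phone number is not
    print(redact(sample))
```

A phone number or invoice number of fewer than 13 digits never matches, and a 16-digit string that fails the Luhn check is left untouched, so the check can run over outbound mail without rewriting ordinary numbers.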

Requirement 5: Use and Regularly Update Anti-Virus Software or Programs

ANTI-VIRUS

All systems, particularly personal computers and servers commonly affected by viruses, must have installed an anti-virus program which is capable of detecting, removing, and protecting against all known types of malicious software. (PCI Requirement 5.1)

All anti-virus programs must be kept current, be actively running, perform periodic scans, and be capable of generating audit logs within the PCI network. (PCI Requirement 5.2)

Anti-virus mechanisms must remain actively running and cannot be disabled or altered by users unless authorized by management on a case-by-case basis for a limited amount of time. (PCI Requirement 5.3)

Requirement 6: Develop and Maintain Secure Systems and Applications

Security Patches

Penetration testing must be completed by a third-party vendor on an annual basis to identify security vulnerabilities. (PCI Requirement 6.1)

All critical security patches must be installed within one month of release. (PCI Requirement 6.2)

Requirement 7: Restrict Access to Cardholder Data by Business Need to Know

Limit Access to Cardholder Data

Access to JSCC's cardholder data is limited to only those individuals whose job requires such access. (PCI requirement 7.1)

Access limitations must include the following:

  1. Restriction of access rights to cardholder data to the least access needed to perform job responsibilities.
  2. Access to cardholder data is based on an individual's job classification and function.
  3. Access to cardholder data will be granted only after completing an authorization request form. JSCC will use the Banner Security Form, which will be signed by management and the security officer for the Finance system.

Requirement 8: Assign a Unique ID to Each Person with Computer Access

Accounts

All users are given unique user names that grant them access to system components. (PCI Requirement 8.1)

Any non-console administrative access and all remote access to the cardholder data environment must use multifactor authentication. (PCI Requirement 8.3)

Service providers that have access to customer environments must use a unique authentication credential for each customer database. (PCI Requirement 8.5)

Requirement 9: Restrict Physical Access to Cardholder Data

Restrict Physical Access to Cardholder Data

At this time JSCC does not store any hard copy materials. If at any point the need arises for JSCC to maintain hard copy material, the following will apply.

Hard copy materials containing confidential or sensitive information (e.g., paper receipts, paper reports, faxes, etc.) are subject to the following storage guidelines:

  1. Printed reports containing cardholder data are to be physically retained, stored or archived only within secure office environments, and only for the minimum time deemed necessary for their use. (PCI requirement 9.6)
  2. All hardcopy media containing cardholder data must be stored in a secure and locked container (e.g., locker, cabinet, desk, storage bin). (PCI requirement 9.6)
  3. Hardcopy material containing cardholder data should never be stored in unlocked or insecure containers or open workspaces. (PCI requirement 9.6)
  4. All hardcopy material containing cardholder data must be easily distinguishable through labeling or other methods. (PCI requirement 9.7.1)
  5. All confidential or sensitive hardcopy material must be sent or delivered by a secured courier or other delivery methods that can be accurately tracked. (PCI requirement 9.7.2)
  6. At no time is printed material containing cardholder data to be removed from any JSCC office without prior authorization from management. (PCI requirement 9.8)
  7. Custodians of hardcopy media containing cardholder data must perform an inventory of the media at least annually. Results of inventories shall be recorded in an inventory log. (PCI requirement 9.9)

Destruction of Cardholder Data

JSCC does not accept payment via the phone except under extenuating circumstances. When JSCC does accept a payment over the phone, the normal process is to enter the card number directly into the POS system for processing. No information is written down or stored.

If a situation arises in which a credit card number must be written down, the following will apply.

All media containing cardholder data must be destroyed when no longer needed for business or legal reasons. (PCI requirement 9.10)

Hardcopy media must be destroyed by crosscut shredding, incineration or pulping so that cardholder data cannot be reconstructed. (PCI requirement 9.10.1)

Requirement 10: Intentionally Omitted - Not Applicable to Current Operations

Users do not have access to cardholder data.

Requirement 11: Regularly Test Security Systems and Processes

Testing for Unauthorized Access Points

The PCI computers are on their own VLAN. The computers do not have wireless cards and the DVD and USB connections have been disabled. The computers are all behind locked doors so access is limited. Unused ports are disabled and ports in use are assigned to specific MAC addresses. (PCI Requirement 11.1)

Vulnerability Scanning

At least quarterly, and after any significant changes in the network, JSCC will perform vulnerability scanning on all in-scope systems. (PCI Requirement 11.2)

Vulnerability scanning shall consist of external and internal scans. External scans must be performed on any public-facing devices, and conducted by an Approved Scanning Vendor qualified by the PCI Security Standards Council. We currently perform these scans via our SIEM monthly. (PCI Requirement 11.2)

Penetration testing is required on a yearly basis. (PCI Requirement 11.3)

Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors

Information Security Policy

JSCC maintains an Identity Theft/Red Flag policy that is reviewed annually. This policy addresses how the institution protects cardholder data, as well as other sensitive information. This policy must be updated as needed to reflect changes to business objectives or the risk environment. (PCI requirement 12.1, 12.1.3)

The risk assessment process must be reviewed on an annual basis. (PCI Requirement 12.2)

Employees shall not use or otherwise employ employee-facing technologies to store, process or otherwise handle cardholder data. Employee-facing technologies include remote-access technologies, wireless technologies, removable electronic media, laptops, email, and internet usage. (PCI requirement 12.3)

The policies and procedures delineated in this document will apply to all employees and contractors involved in the processing or other handling of cardholder data. (PCI requirement 12.4)

Incident Response Plan

The Director of Business Services and the Director of Information Technology will serve as Co-Directors of Incident Response for any breach involving card data. Designated members of JSCC's Information Security Committee will serve on the Incident Response Team (IRT) in addition to Campus Security and Public Relations. The IRT shall establish, document, and distribute an Incident Response Plan to ensure timely and effective handling of all situations. (PCI requirement 12.5.3)

Incident Identification

Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents or red flags that an employee might recognize in their day-to-day activities include, but are not limited to:

    1. Theft, damage, or unauthorized access (e.g., papers missing from their desk, broken locks, missing file logs, alert from campus police, or other evidence of a break-in or unauthorized physical entry).
    2. Fraud - Inaccurate information identified within systems, logs, files or paper records.

Reporting an Incident

The Director of Business Services or the Director of Information Technology must be notified immediately of any suspected or real security incidents involving cardholder data. Unless it is reasonably certain that confidential information has not been compromised, the IRT must be assembled to assess the situation.

    1. Employees should only communicate with their immediate supervisor or members of the Incident Response Team regarding any details or generalities surrounding a suspected or actual incident. All communications with law enforcement or the public will be coordinated by the Executive Director of Institutional Advancement (Public Relations).
    2. Employees should document the date, time and the nature of the incident. Any additional information available will aid in responding in an appropriate manner.

Incident Response

The IRT will gather information and take care to preserve the evidence in accordance with the JSCC Incident Response Plan. After reviewing evidence, the IRT will make an assessment as to whether or not confidential information was compromised. If a data compromise has occurred, the IRT must take whatever action is necessary to contain the damage and implement the following responses:

    1. The Director of Business Services will notify the following:
      1. Visa - Provide the compromised Visa accounts to Visa Fraud and Breach Investigations within ten (10) business days. For assistance, contact 1-(650)-432-2978. Account numbers must be securely sent to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information. See Visa's "What To Do If Compromised" documentation (visa.com) for additional activities that must be performed.
      2. MasterCard - Contact your merchant bank for specific details on what to do following a compromise. Your merchant bank will assist when you call MasterCard at 1-(636)-722-4100.
      3. Discover Card - Contact your relationship manager or call the support line at 1-(866)-255-6019 for further guidance (discovernetwork.com).
      4. Merchant Services 1-(800)-490-7332
      5. Local TBI/FBI Office, who will determine additional notifications
      6. U.S. Secret Service (if Visa payment data is compromised)
      7. TBR Office of General Counsel
    2. In concert with TBR legal counsel, the IRT will perform an analysis of legal requirements for reporting compromises in every state where clients were affected. The following source of information must be used: Security Breach Notification Laws (ncsl.org).
    3. Collect and protect information associated with the intrusion. In the event that forensic investigation is required, the Director of Business Services or the Director of Information Technology will work with legal and management to identify appropriate forensic specialists.
    4. Eliminate the intruder's means of access and any additional vulnerability.
    5. Research potential risks related to, or damage caused by, the intrusion method used.

Root Cause Analysis and Lessons Learned

    1. Not more than one week following the incident, members of the Information Protection Committee and all affected parties will meet to review the results of any investigation to determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan.
    2. Review other security controls to determine their appropriateness for the current risks.
    3. Any identified areas in which the plan, policy or security controls can be made more effective or efficient must be updated accordingly.

Security Awareness

JSCC shall implement and maintain a security awareness program with the intent of ensuring all employees who process, store, or are otherwise involved in handling cardholder data are aware of the importance of cardholder data security. (PCI requirement 12.6)

JSCC will ensure employees who have access to credit card data will receive security awareness training upon hire and at least annually. The security awareness program must provide multiple methods of educating employees, including posters, letters, memos, web-based training, meetings, or promotions. (PCI requirement 12.6.1)

Third Party Service Providers

JSCC has verified the PCI compliance of the Point of Sale Terminals used in collecting cardholder information as published by the PCI Security Standards Council (www.pcisecuritystandards.org). Third-party hosts (Touchnet Information Systems, Inc. and Nelnet) will be required to provide certification of their PCI compliance annually.

JSCC will implement policies and procedures to manage service providers. (PCI requirement 12.8) This process must include the following:

  1. Maintain a list of service providers (PCI requirement 12.8.1)
  2. Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of the cardholder data the service providers possess (PCI requirement 12.8.2)
  3. Implement a process to perform proper due diligence prior to engaging a service provider (PCI requirement 12.8.3)
  4. Monitor service providers' PCI DSS compliance status (PCI requirement 12.8.4)