This policy defines the Policy and Guidelines for Electronic Commerce for Security and Privacy data along with Merchant Cards Security Incident Plan.
This policy applies to all employees of the University and all University credit card transactions.
MSA Master Service Agreement
PCI DSS Payment Card Industry Data Security Standard
STMS SunTrust Merchant Services
SAQ Self-Assessment Questionnaire
OSC Office of State Controller
NCOSC North Carolina Office of State Controller
CVV Card Verification Code or Value – also known as Card Validation Code or Value, or Card Security Code. Refers to either: 1) magnetic-stripe data, or 2) printed security features.
B. Card Brand Specific Data Elements
The Data Element on a card’s magnetic stripe uses secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. This Data Element is referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:
CVC – Card Validation Code (MasterCard payment cards)
CVV – Card Verification Value (Visa and Discover payment cards)
CSC – Card Security Code (American Express)
For some payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit unembossed number printed above the PAN on the face of the payment cards. The code is uniquely associated with each individual piece of plastic and ties the PAN to the plastic. The following list provides the terms for each card brand:
CID – Card Identification Number (American Express and Discover payment cards)
CAV2 – Card Authentication Value 2 (JCB payment cards)
CVC2 – Card Validation Code 2 (MasterCard payment cards)
CVV2 – Card Verification Value 2 (Visa payment cards)
It is University policy to manage Electronic Commerce in compliance with regulations set forth by the State of North Carolina. http://www.ncosc.net/SECP/index.html
IV. State and Contractual Requirements Governing Credit Cards
A. Cash Collection Point Approval for Departments
Approval must be obtained from the Controller in order for the department to accept credit cards from its customers as a payment option. Approval is only given to departments that meet Payment Card Industry Data Security Standards, NCOSC Electronic Commerce Policies, and State Cash Management Law.
B. State Requirements
Senate Bill 222 passed in 1999 amended several statutes that authorized the State Controller to issue policies relating to “electronic payments,” which support the Statewide Electronic Commerce Program (SECP). All entities subject to the State’s Cash Management Law and all entities that participate in one or both of the Master Services Agreements (Electronic Funds Transfer and Merchant Cards) are subject to the policies. Entities are encouraged to be fully aware of the policies to ensure compliance.
As a prerequisite for participating under the MSA, University of North Carolina at Asheville is required to comply with all Payment Card Industry Data Security Standards.
C. Contractual Requirements Concerning Fines
A department can be fined even if a security breach has not occurred. It is uncertain as to how aggressive the card associations will be in levying fines for such non-compliant merchants that might be detected, but fines may reach an estimated high of $25,000 per month for non-compliance.
In the event of a breach, all fines and expenses associated with the breach will be borne by the department accepting the credit card that was compromised. Related expenses in addition to the fine could include but are not limited to labor and supply cost associated with identifying and notifying the population exposed by the breach. All costs associated with any required external audits will also be paid by the department, which could be significant.
D. The Credit Card Compliance Committee
In an effort to ensure compliance with MSA, State’s Cash Management Law and PCI DSS, the Credit Card Compliance Committee has been established. This committee is made up of members from Finance, Internal Audit, and Information Technology. This Committee has been charged to provide oversight of credit card activity, the University’s participation in the MSA and compliance with PCI Standards.
V. Payment Card Industry Data Security Standards (PCI-DSS)
PCI-DSS are national standards which apply to all organizations anywhere in the country that process, transmit or store credit cardholder information. The University and all departments that process payment card data have a contractual obligation to adhere to the PCI-DSS to annually certify their continued compliance by submitting the PCI-DSS Self-Assessment Questionnaire (SAQ) appropriate to their credit card activities.
Any costs incurred by a department to become and remain compliant with the PCI Data Security Standards, including but not limited to an annual penetration test (if applicable), shall be borne by the department. Any costs incurred by the University associated with an onsite security audit or a forensic investigation that may be required shall be borne by the department.
Individual credit card information is confidential. Failure to maintain strict controls over this data could result in unauthorized use of credit card data. Credit card information is confidential information and should be treated with great care.
Key Data Control Items:
1) Under no circumstances should a department store sensitive authentication data (track data from the magnetic stripe, card-validation code CVV2 data,) after authorization (not even if encrypted). Once the credit card has been processed, all credit card information must be destroyed immediately via a cross shredder. It is not sufficient to simply mark out the credit card information.
2) Never send or request cardholder information to be sent via email. Department forms (web and mail order forms) should not ask for credit card information.
3) Under no circumstances should a department retain electronically (including Excel files, thumb drives, shadow databases, etc.) the card numbers and expiration dates of the customer credit cards.
4) Campus computers may be used, if necessary, to access external web portals of credit card processors that have been pre-approved by the Controller; however, campus networks, wired or wireless, may not be used to process credit card payments or store credit card data.
5) All credit card information temporarily recorded on paper should be processed immediately and then the paper document should be properly destroyed in cross cut shredder.
6) The customer copy of the credit card receipt can only contain the last 4 digits of the credit card number. It is required that departments use double truncation which permits only the last 4 digits to be printed on both the merchant and customer receipt.
7) Never send credit card information to the University Archives. Receipts should be destroyed via cross cut shredder immediately after the approved business need has expired.
VI. Campus Operating Policies
A. Merchant Accounts and Credit Card Transactions
Departments cannot initiate their own contracts with credit card processing companies until approval has been received from the Controller. All merchant accounts for accepting credit cards must be preapproved by the Controller and must participate in the State’s MSA, and be approved by the appropriate state offices.
Each Department is responsible for all expenses associated with credit card merchant accounts and it cannot adjust the price of goods or services based on the method of payment.
B. Financial Controls
When an item or service is purchased using a credit card, and a refund is necessary, the refund must be credited to the same credit card account from which the purchase was made.
All transactions must be settled and recorded daily in the University’s financial system via proper reporting to The Cashier’s Office.
The department’s (merchant’s) copy of the receipt should not contain the full card number and expiration date. The merchant copy of the receipts must be kept in a secure place (i.e. locked cabinet with minimal access) for no more than 90 days. At the end of 90 days, the receipts should be destroyed in a secure manner, via cross cut shredder.
C. Reporting Requirements for Actual or Suspected Security Incidents
Departments must report any actual or suspected security incident in which cardholder information may have been compromised. The incident should be reported to the Associate VC for Finance and the University Controller. THIS MUST BE DONE IMMEDIATELY. The University must report all breaches to the State Controller’s Office within 24 HOURS OF DETECTION.