Denison University accepts credit cards as payment for a variety of goods and services. By accepting credit cards, Denison assumes significant risks with respect to protecting cardholder data. The Payment Card Industry (PCI) Security Standards Council has developed a set of financial and information technology standards, called Payment Card Information Data Security Standards (PCI-DSS), to protect credit cardholders’ data.
Credit Card Processing Policy
Without adherence to the PCI-DSS standards, the University would be in a position of unnecessary reputational risk and financial liability. To manage the data protection risks, all credit card transactions processed at Denison must comply with PCI-DSS.
The PCI-DSS requirements vary depending on how the merchant (in this case, Denison University) processes credit card transactions. The most stringent requirements are for organizations that store credit card numbers in any form. Therefore, it is the policy of the university that no credit card numbers may be stored in any electronic format for any reason. Paper documents containing credit card numbers must be securely locked up for as long as they are required for business purposes and securely shredded as soon as their purpose is completed. Credit card transactions may be processed through PCI-DSS compliant third party or online providers.
The processing of any credit card transactions at Denison University must meet the following requirements:
- Any proposal for a new process (electronic or paper) related to the storage, transmission or processing of credit card data must be brought to the attention of and be approved by the Office of the Controller.
- All credit card merchant accounts must be approved by the Controller. Web payments must be processed using a PCI-compliant service provider approved by the Controller.
- Credit card information must not be stored on University network servers, workstations, or laptops. Credit card numbers must not be entered into a web page of a server hosted on the Denison University network. Vendor solutions using a local host server or gateway within the university network must be physically located in the Fellows Hall data center.
- Departments which accept credit cards may be subject to a risk assessment. The results of all such assessments will be reported to the Office of the Controller.
- All employees involved in processing credit card payments must be aware of this policy, understand the risks associated with their handling of sensitive information, and complete security training related to handling of cardholder data.
- Credit card information must not be transmitted via email or other insecure messaging technologies, such as instant messaging.
- Although electronic storage of credit card data is prohibited by this policy, the University will perform periodic scans to insure that the policy has not been violated.
- Neither the full contents of any track for the magnetic strip nor the three-digit card validation code may be stored in a database, log file, or point of sale product.
Enforcement
Compliance with the PCI-DSS requirements shall be enforced by the Director of Infrastructure, Operations, and Cybersecurity (Director of IOC). The Director of IOC is responsible for risk assessments, vendor review and periodic scanning for sensitive information. Additionally, the Director of IOC is the authorizing entity for the quarterly university compliance statements required by PCI-DSS.
Incident Response
All employees should be familiar with this policy. Anyone may report cases of suspected fraud or abuse. All employees are required to report any actual incidence of theft or fraud. If you believe that an incident has occurred, please notify the Director of Infrastructure, Operations, and Cybersecurity or the campus Security office immediately. Any questions regarding this policy may be addressed to the Director of Infrastructure, Operations, and Cybersecurity.