7.3 Payment Card Data Security Policy

Policy Overview

All payment card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must be conducted as described herein and in accordance with the standards and procedures listed in the Related Documents section of this policy. No activity may be conducted nor any technology employed that might obstruct compliance with any portion of the PCI-DSS.

Scope

This policy applies to all Alexandria Technical and Community College (ATCC) employees: full-time and part-time, student, temporary and permanent, and contractors and consultants who are on site. Relevant sections of this policy apply to vendors, off-site contractors and business partners.

Adherence to Standards

Configuration standards must be maintained for applications, network components, critical servers and wireless access points with access to cardholder data. These standards must be consistent with industry-accepted hardening standards.

Handling of Cardholder Data

Distribution, maintenance and storage of media containing cardholder data must be controlled, including that distributed to individuals. Procedures must include periodic media inventories in order to validate the effectiveness of these controls.

Procedures for data retention and disposal must follow ATCC data retention policies. Destruction of media when it is no longer needed for business or legal reasons shall be as follows:

  • cross-cut shred, incinerate, or pulp hardcopy materials, or
  • purge, degauss, shred, or otherwise destroy electronic media such that the data cannot be reconstructed.

Credit card numbers must be masked when displaying cardholder data. PCI allows no more than the first six or the last four digits to be displayed. Those with a need to see full credit card numbers must request a written exception to this policy.

Unencrypted Primary Account Numbers may not be sent via email, fax, IM or text.
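As an added illustration of the two rules above (masking for display, and no unencrypted PANs in email, fax, IM or text), the following Python is example code written for this page; it is not part of the ATCC policy or of any ATCC system. It masks a PAN so that no more than the first six and last four digits remain visible, and it scans outbound text for Luhn-valid card numbers so a mail or messaging gateway could block or quarantine the message before it leaves. The card numbers used are publicly known test numbers, and the sample messages are constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not immediately preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Display limits stated in the policy: at most first six and last four digits.
MAX_FIRST_VISIBLE = 6
MAX_LAST_VISIBLE = 4


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters out most non-card digit runs (phone numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Return the PAN with all but the permitted leading/trailing digits replaced by '*'.

    Defaults to showing only the last four; callers may reveal up to the first six
    when there is an approved business need, never more.
    """
    if keep_first > MAX_FIRST_VISIBLE or keep_last > MAX_LAST_VISIBLE:
        raise ValueError("requested display exceeds the policy's masking limit")
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def exposes_pan(text: str) -> list[str]:
    """Return every Luhn-valid, unmasked PAN found in text.

    Intended for an outbound email/IM/SMS filter: a non-empty result means the
    message carries an unencrypted PAN and must not be sent as-is.
    """
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    # Constructed sample messages using well-known test card numbers.
    outbound = "Please charge 4111-1111-1111-1111 for the spring invoice."
    print("masked for display:", mask_pan("4111 1111 1111 1111"))
    print("masked, first six visible:", mask_pan("378282246310005", keep_first=6))
    print("PANs found in outbound text:", exposes_pan(outbound))
    print("PANs found in masked text:", exposes_pan("Ref ************1111, call 555-123-4567"))
```

A masked string such as `************1111` contains no 13-digit run, so the same scanner accepts it; the Luhn test keeps ordinary phone and account numbers from being flagged, and the length and display-limit checks are what keep a masking routine from quietly exposing more than the policy permits.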

Access to Cardholder Data

Access rights to cardholder data shall be restricted to the least privileges necessary to perform job responsibilities. Assignment of privileges is based on the individual's job classification and function and is to be determined by the ATCC Department Manager.

Critical Employee-facing Technologies

For employee-facing technologies with access to cardholder data (inclusive of remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops and personal data/digital assistants), departmental procedures shall require management approval to use the devices. All device use shall be authenticated with a username and password or other authentication item, if available. A list of all devices and personnel authorized to use the devices shall be maintained by department management. Remote access technologies used by vendors may be activated only when needed by vendors, must be deactivated immediately after use, and must prohibit copy, move, storage and print functions during remote access sessions. Storage of cardholder data on local hard drives and removable electronic media is strictly prohibited.

Breach Notification

Any suspected breach in security or potential loss of PCI sensitive or critical information must be reported to the ATCC Chief Information Officer (CIO) or ATCC Lead Campus Authority immediately.

Roles and Responsibilities

Coordinating authority for this policy resides in the Business Office with the Chief Financial Officer (CFO), or designee.

The Chief Information Officer (or equivalent) is responsible for overseeing all aspects of information security, including but not limited to:

  • creation and distribution of security policies and procedures,
  • security incident response and notification procedures,
  • analysis of legal requirements for reporting compromises, and
  • maintaining a formal security awareness program for all employees.

System and Application Administrators shall:

  • monitor and analyze security alerts and information,
  • administer user accounts and manage authentication, and
  • monitor and control all access to data.

The Human Resources Office (or equivalent) is responsible for tracking employee participation in the security awareness program, including:

  • facilitating participation upon hire and at least annually, and
  • ensuring that employees acknowledge in writing at least annually that they have read and understand the company's information security and payment card data security policies.

General Counsel (or equivalent) will ensure that for service providers with whom cardholder information is shared:

Conditions of Use

Failure to observe the Payment Card Data Security Policy can result in disciplinary action. Violation of this or other college computer policies may result in disciplinary and legal actions.

Approved by:
Effective Date: 11/23/10
Last Date Revised: 11/18/10