TCU Credit Card Usage and PCI Compliance Policy

I. Introduction:

The purpose of this document is to describe the requirements and responsibilities one assumes when one undertakes the collection, processing, storage, or dissemination of other people’s credit card data. This policy excludes cardholder data from University issued credit cards. Credit Card Data is classified as Confidential Data according to the TCU Data Classification Policy.

II. Applicability:

This policy applies to anyone at TCU, its service providers or agents that undertakes the collection, processing, storage, or dissemination of other people’s credit card data. This policy also applies to the equipment involved in those functions.

III. Definitions:

  1. Cardholder Data – At a minimum, cardholder data contains the full PAN (primary account number). Cardholder data may also appear in the form of the full PAN plus any of the following:
    • Cardholder name
    • Expiration date
    • Service Code

IV. Policy Statement:

General TCU Eligibility Requirements

  • All credit card processing must be approved by Financial Services before being implemented. This includes credit card payments received via:
    • Web forms (also requires the approval of Information Technology)
    • Walk-in, phone calls, faxes, mail (Note: Email is not acceptable)
    • Off-site events
    • Payments accepted by TCU departments as the merchant (a TCU Merchant ID)
    • Payments accepted by TCU departments using a service provider that owns the Merchant ID
    • Payments accepted by outside companies on behalf of TCU
    • Payments accepted on the TCU campus or using the TCU network by outside companies for the company’s benefit
    • Any email received with cardholder data must be permanently deleted and the sender directed to use another method
  • No cardholder data is allowed to be stored electronically on any device (e.g. computer hard drives, CDs, disks, and other external storage media). Only paper reports or receipts with cardholder data may be retained if necessary and if physically secured from unauthorized use.
  • If paper documents are stored with cardholder data then that data must not have be received electronically. This means that Cardholder Data cannot be accepted through email and if it is accepted via fax then the fax must be a standalone (non-networked) fax machine.
  • All payment applications must qualify for a PCI SAQ A, B or P2PE.

TCU Policy Oversight

  • This policy must be reviewed at least once a year and updated when the environment changes. (PCI 12.1.1)
  • Usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, mobile devices, e-mail, and Internet usage) must be developed to define proper use of these technologies for all personnel, and must require the explicit approval by authorized parties to use the technologies, a list of all such devices and personnel with access, and acceptable uses of the technologies. (PCI 12.3)
  • The security policy and procedures must clearly define information security responsibilities for all personnel (PCI 12.4)
  • Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations are assigned to the Information Technology. (PCI 12.5)
  • A formal security awareness program must be taught annually to make all personnel aware of the importance of cardholder data security. (PCI 12.6)

TCU Employees

  • If a merchant stores any paper (for example, receipts or paper reports) that contain account data, the merchant only stores the paper as long as it is needed for business, legal, and/or regulatory reasons and destroys the paper once it is no longer needed. (PCI 3.1)
  • Do not store the full contents of any track from the magnetic stripe (that is on the back of a card, contained in a chip or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data. (PCI 3.2.1)
  • The PIN, PIN block, CVV2 or card verification code (on the back of the card) is NEVER allowed to be stored. (PCI 3.2.2, 3.2.3)
  • The PAN must be masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) with the exception of those having a specific need to see the full PAN. (PCI 3.3)
  • Unencrypted PANs must not be sent or received by end-user messaging technologies (for example, e-mail, instant messaging and chat). The message must be rejected or returned with instructions on the proper procedures for submitting the information. (PCI 4.2)
  • All hardcopy material that contains cardholder data must be physically secured. (PCI 9.5)
  • Strict control must be maintained over the storage and accessibility of media and all media must be physically secured. (PCI (9.5, 9.7)
  • All media must be destroyed when not needed for business purposes. (PCI 9.8)
  • When paper copies of cardholder data are no longer necessary, hardcopy materials must be shredded, incinerated, or pulped so that cardholder data cannot be reconstructed. All shredders must be crosscut or micro-cut shredders. (PCI 9.8.1)
  • The following controls must be maintained over the internal or external distribution of any kind of media that contains cardholder data. (PCI 9.6)
    • Any media, including paper copies that contain cardholder data, must be designated as confidential. (PCI 9.6.1)
    • The media must be sent by secured courier or other secure delivery method. You must record and track the delivery. (PCI 9.6.2)
    • Delivery of credit card payment slips to TCU cashiers must follow the appropriate Financial Services’ policies.
    • Logs must be maintained when moving any and all media containing cardholder data from a secured area (especially when media is distributed to individuals). (PCI 9.6.3)
  • Access to system components and cardholder data must be limited by User ID to only those individuals whose jobs require such access and restricted to least privileges necessary and based on individual the personnel’s job classification and function. (PCI 7.1, 7.1.2, 7.1.3)

Service providers or payment application software vendor

  • A list of service providers must be maintained by Information Technology. (PCI 12.8.1)
  • The engagement of service providers must follow the established procedures and be approved by Financial Services and reviewed by Information Technology. This engagement must include a written contract including the acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess. (PCI 12.8.2, 12.8.3)
  • There must be an annual review of all credit card processing service providers including the service provider’s PCI compliance status. (PCI 12.8.4)
  • Information must be maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the University. (PCI 12.8.5)

Computer systems, networks or POS devices

  • Devices that capture payment card data via direct physical interaction must be protected from tampering and substitution. An inventory of these devices must be maintained and include make, model, location and serial number. The devices must be periodically inspected for tampering. All personnel must be trained to spot suspicious issues. (PCI 9.9)

V. Related Policies:

VI. Enforcement:

If you suspect the Confidential Data may have been compromised please email or notify Aaron Munoz, Chief Information Security Officer, 817-257-6851, or Bryan Lucas, Chief Information Officer, Information Technology, 817-257-7682, immediately