II-4a PCI-DSS Technical Standards

Date Approved: April 11, 2019
Effective Date: April 11, 2019
Responsible Official: Chief Information Security Officer
Responsible Office: [U]Tech Information Security Office
Revision History: Version 1.1; dated July 22, 2019
Related legislation and University policies: <as referenced in the policy>

Review Period: 5 Years
Date of Last Review: July 22, 2019
Related to: Staff, on-campus merchants

Purpose

Technical controls are an integral part of the PCI-DSS (referred to as PCI) compliance framework. CWRU intends to maintain compliance with PCI in two ways: first, by restricting the scope of permitted networks on which PCI data may reside or be transmitted, and second, by ensuring sufficient technical controls are applied to all payment processes where they are permitted. University business units that need to operate PCI-based workflows shall ensure their product or service provider addresses these technical controls as part of their request for approval to operate PCI compliant services.

Approval from the University Treasurer for PCI processing will be contingent on adherence to one or more (as applicable) of these standards.

Scope

This standard applies to all CWRU-related merchant activity on the university campus that intends to use payment card technologies.

Standards

Required technical controls are grouped into four categories depending on the method of payment and the vendor relationship with the university.

Card Present - University Merchant

This category is for university offices, departments, or schools that take credit cards in face-to-face transactions. Card processing is compliant with this policy under any of these circumstances:

  • The card is swiped on, inserted into, or tapped on a certified point-to-point encryption (P2PE) device working with a certified P2PE bank or provider. This type of device can be connected to any network, including the campus wired or wireless networks.
  • The card is swiped on, inserted into, or tapped on a non-certified encrypted device with a service provider that certifies that their solution is PCI compliant. This type of device can only be used with an external network connection, such as a cellular data connection, a dedicated internet connection that is physically distinct from the CWRU network, or a router that creates an encrypted virtual private network (VPN) connection to an off-campus service.
  • The card is swiped on a legacy device that is connected to an analog telephone line.
  • The departmental P2PE device has been inventoried and certified by the Treasurer's office.

Examples of non-compliance:

  • Use of a non-P2PE device on the campus network.
  • University employees or representatives typing a credit card number directly into a web page.

Documentation of current certification of devices and services must be submitted to the Treasurer's office. Updated certification is required upon expiration.

Card Not Present - University Merchant

This category is for university offices, departments, or schools that accept card payments over the telephone or through the mail. Card processing is compliant with this policy under any of these circumstances:

  • The card number is entered directly on a certified P2PE device working with a certified P2PE bank or provider. This type of device can be connected to any network, including the campus wired or wireless networks.
  • The card number is entered directly on a non-certified encrypted device with a service provider that certifies that their solution is PCI compliant. This type of device can only be used with an external network connection, such as a cellular data connection, a dedicated internet connection that is physically distinct from the CWRU network, or a router that creates an encrypted VPN connection to an off-campus service.
  • The card number is entered directly on a legacy device that is connected to an analog telephone line.
  • The card number is entered into a secure website using a SRED-certified protected transaction keypad.

Examples of non-compliance:

  • Use of a non-P2PE device on the campus network.
  • University employees or representatives typing a credit card number directly into a web page.
  • Accepting credit card information via electronic mail.
  • Storing the 3- or 4-digit security code in any manner.

Documentation of current certification of devices and services must be submitted to the Treasurer's office. Updated certification is required upon expiration.

Online - University Merchant

This category is for university offices, departments, or schools that accept card payments on a non-CWRU website where the customer enters the payment information themselves. Card processing is compliant with this policy under any of these circumstances:

  • The website is hosted entirely by an external service provider that certifies that both their site and their processor's service are PCI compliant.
  • The entire payment process is handled by an authorized third-party service for which we have documented PCI compliance (i.e., QuikPAY, PayPal) and the originating website does not have access to any cardholder data.

Examples of non-compliance:

  • A non-PCI site or service that accepts or handles any non-encrypted credit card information.
  • Accepting any credit card information directly on a server located on the campus network or under the control of a university office, department or school.

Documentation of current certification of sites and services must be submitted to the Treasurer's office. Updated certification is required upon expiration.

Partner Merchant

To ensure all possible steps are taken to secure student, faculty, staff, and customer personal data, all in-person and e-commerce processing must comply with the current PCI Data Security Standard. We recommend that vendors follow the same guidelines outlined for university merchants. Vendors must provide a statement acknowledging they are in compliance with the current PCI standards and shall continue to provide any PCI certification documentation that may be required annually.

Definitions:

Merchant - an entity that collects funds by credit card and has a direct relationship with a bank or service that provides credit card processing services

University Merchant - a university office, program, department, or school where the name of the university appears on the buyer's credit card statement

Partner Merchant - a merchant that does business on campus or closely with the university online, but the name of the university does not appear on a credit card statement

Card Present - a face-to-face purchase that is made with the physical card at the time of sale, where the card is inserted, tapped, or swiped at a terminal, either by the customer or the cashier

Card Not Present - a purchase that is made remotely, with the customer providing the card number, expiration date, and security code to a merchant representative, usually by phone or mail

Online - a purchase that is made with a customer providing the card number, expiration date, and security code to the merchant or a processing service via a web page

Standards Review Cycle

This standard will be reviewed every two years on the anniversary of the revision date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.

References

II-4 PCI-DSS Compliance