PCI Compliance: 9.15

ADMINISTRATIVE PROCEDURES

Title: PCI COMPLIANCE

 Identification: 9.15

Effective Date: July 11, 2023

Authority: FS 1001.64; 1001.65

Signature/Approval: Dr. Ken Atwater

PURPOSE

The purpose of this procedure is to ensure Hillsborough Community College complies with the Payment Card Industry Data Security Standard (PCI DSS). PCI Standards Council has developed a financial and information technology set called Payment Card Information Data Security Standards (PCI-DSS) to protect credit cardholders’ data.

This procedure represents the College’s processes to prevent the loss or disclosure of customer information, including credit card numbers.

PROCEDURE

The College does not support payment card processing on college-owned systems. Payment card processing should be managed off-site by PCI-compliant vendors, thereby minimizing the PCI compliance scope for college- owned business processes.

Standards

The processing of any credit card transactions at the College must meet the following requirements:

  • Any proposal for a new process (electronic or paper) related to the storage, transmission, or processing of credit card data must be approved by the Finance Department in conjunction with OIT.

  • The Finance Department must approve all credit card merchant accounts. Web payments must be processed using a PCI-compliant service provider approved by the Finance Department and vetted by OIT using their standard policies and procedures for adding new services to the IT infrastructure.

  • Credit card information must not be stored on college network servers, devices, or any other college-owned IT asset.

Responsibility

  • College employees must follow the college’s PCI DSS policies and procedures.

  • Finance Department

    • Maintains a list of all systems that capture payment card data to identify the locations, purpose, and users of the systems. The list will be updated when systems are added, relocated, or decommissioned.

  • College departments

    • If credit card processing is part of the department’s business process, the Office of Information

      Technology will perform periodic PCI DSS assessments.

    • Any department accepting payment card data must designate an individual(s) with primary authority and responsibility for payment acceptance.

    • All departments and users accepting payment cards will complete Security Awareness Training for PCI- covered data upon hire and annually after that.

    • Any College department accepting payment cards will utilize only systems that have undergone assessments through the IT Risk Assessment process.

  • College Information Security

    • Perform regular vulnerability scanning of network devices where PCI payments are submitting risk reports to the VP of The Office of Information Technology.

  • College Network Management Staff: Address, Identify, and correct any deficiencies or risks identified in network security evaluations or infrastructure. Corrections may include denying network services to non- approved merchant activities.

Transmitting

  • Neither the contents of any track of the magnetic strip nor the three-digit card validation code may be stored in a database, log file, or point-of-sale system.

  • Network transmission of payment card information must use a segregated network to transmit PCI data.

  • The transmission of credit card data must comply with the College’s Data Classification Procedure and utilize fully encrypted pathways from the card entry to the payment processing merchant.

HISTORY:

NEW