 
Credit/Debit Cards

Responsible administrator: Senior Vice President for Finance and Administration

Responsible department: Bursar's Office

Related Procedure: The Credit/Debit Card Processing Procedures

The following are responsible for the accuracy of the information contained in this document:

Responsible University Officers

  • Senior Vice President for Finance and Administration (SVPFA)
  • Chief Information Officer (CIO)

Responsible Coordinating Offices

  • Bursar's Division
  • Office of Information Security
  • Internal Auditing Division

1. Executive Summary and Purpose

This policy provides requirements and guidance for all credit and debit card processing activities for the University of Georgia, including UGA Athletic Department, Arch Foundation, and UGA Alumni Association.

At the initial publication of this policy the following sources were consulted and provided the basis for this program:  ISO 17799, Payment Card Industry (PCI) Security Standards, and the Card Association Merchant Operating Regulations (Visa, MasterCard, American Express, and Discover).   As card association regulations change, this policy will be updated as needed, and adhered to on a continued basis.

This policy deals with access to The University of Georgia’s computing and network resources.  All relevant provisions in the Computer Security and Ethics Policy are applicable and included by reference in this document.  This policy preempts all other campus policies and procedures and ALL issues within the scope of this policy.

 

2. Scope

This policy applies to:

  • All units, affiliates, and employees of The University of Georgia who accept credit/debit card payments for University business
  • All external organizations contracted by the aforementioned parties to provide outsourced services for credit/debit card processing for University business
  • All units, affiliates and employees of The University of Georgia who provide credit/debit card processing services for third parties

 

3. Definitions

Account Number: The unique number identifying the cardholder's account which is used in financial transactions.

Cardholder Data: Any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc.

Cardholder Information Security Program (CISP): CISP defines a standard of due care for securing Visa cardholder data, wherever it is located. CISP compliance has been required of all entities storing, processing, or transmitting Visa cardholder data.

Credit/Debit Card Processing: The act of storing, processing, or transmitting credit/debit cardholder data.

Data Security Standard (DSS): Data security standards mandated by American Express.

Payment Card Industry Data Security Standard (PCI): Set of requirements adopted by the Card Associations to protect and safeguard against cardholder data exposure and compromise. This standard is inclusive of the Visa CISP, MasterCard SDP, and American Express DSS.

Payment Application Best Practices (PABP): Set of recommended practices for software vendors to create secure payment applications to help their customers comply with PCI.

Sensitive Cardholder Data: Defined as the account number, expiration date, CVC2/CVV2 (a three-digit number imprinted on the signature panel of the card), any sensitive authentication data subsequent to authorization, PVV (PIN Verification Value), and data stored on track 1 and track 2 of the magnetic stripe of the card.

e-Commerce Applications: Any internet-enabled financial transaction application.

Employee: Any employee as defined by the UGA Human Resource Policy & Procedure, http://www.busfin.uga.edu/manual/.

Employee in Key Roles: Any employee with the following roles concerning credit card sales: manager overseeing credit card sales, accountant for credit card sales, technical support for credit card solutions and equipment, and any other staff member with access to physically stored credit card receipts.

ISO 17799: The International Standards Organization document defining computer security standards.

POS Device: Point-of-sale (POS) computer or credit card terminals, either running as a stand-alone system or connecting to a server at The University of Georgia or at a remote off-site location.

Site Data Protection Program (SDP): The formal data protection program mandated by MasterCard. The SDP Program provides acquiring members with the ability to deploy security compliance programs, ensuring that online merchants and member service providers are adequately protected against hacker intrusions and account data compromises.

Web Development: The design, development, implementation and management of the user interface of the e-Commerce application.

4. Statement of Policy

A. The approval process for all credit/debit card processing activities will be as follows:

    • The SVPFA, CIO or delegate(s) must approve all credit/debit card processing activities at The University of Georgia before a unit enters into any contracts or purchases software and/or equipment. Please refer to The University of Georgia Credit/Debit Card Processing Procedures for additional information. This requirement applies regardless of the transaction method used (e.g., e-commerce, POS device, or e-commerce outsourced to a third party). Approved units must register their credit/debit card processing information with the Bursar's Office.

    • All technology implementation (including approval of authorized payment gateways) associated with credit/debit card processing must be in accordance with The University of Georgia Credit Card Processing Procedures, PCI (Payment Card Industry) standards and the Board of Regents policies, and must be approved by the SVPFA, CIO or delegate(s) prior to entering into any contracts or purchasing software and/or equipment. Approved vendors and software must be confirmed as PCI compliant by the card associations and not just by a third party assessor. When possible, all approved equipment should be validated as PABP compliant.

    • Sensitive cardholder data should not be stored in any fashion on University of Georgia computers or networks. Transmission of sensitive cardholder data must follow the guidelines for point of sale and e-commerce described in the University credit/debit card procedures. Credit card point of sale receipts should follow approved procedures for storage and retention. Exemptions to this must be approved by both the SVPFA and CIO.

B. Units approved for credit card processing activities must maintain the following standards:

    • All employees (business managers, operations personnel, and technical staff) involved in e-commerce or POS transactions must attend appropriate training.

    • All units should create, maintain and test annually business continuity and disaster recovery plans as well as incident response capabilities. Incident response procedures can be found in the university's procedures for credit/debit card processing.

    • All servers and POS devices will be administered in accordance with the requirements of the Credit/Debit Card Processing Procedures.

    • Access to credit/debit card processing systems and related information must be restricted to appropriate personnel, defined as those who need access to credit card information in order to perform their day-to-day job responsibilities.

    • The university will contract with an approved and certified PCI third party assessor to review our processes and determine any vulnerabilities as they relate to PCI compliance. Each unit responsible for credit/debit card processing must have a completed PCI questionnaire on file with the approved assessor. This questionnaire needs to be reviewed annually to ensure compliance with this policy and the associated procedures, and updated should current procedures/operations change. Each unit, with the exception of point of sale merchants, must also enroll and participate in quarterly network scans with the approved third party assessor. Each merchant's questionnaire and scans will be documented and tracked by the approved third party assessor. The Bursar's Office, Internal Audit and the Office of Information Security will have access to each merchant's status on a continual basis. The Chief Information Security Officer and the Bursar's Office will, at the request of the unit, assist with the initial PCI questionnaire. Audits will be performed periodically by the Internal Auditing Division to confirm the results of the PCI questionnaire.

C. On an annual basis, the Chief Information Security Officer, Bursar's Office, Internal Auditing and/or the PCI Evaluator for the University will provide appropriate training to all employees associated with credit/debit card processing.

D. The Bursar's Office will monitor the PCI compliance list weekly so that any changes that affect one or all of our merchants can be addressed immediately.

E. The Bursar's Office will monitor each merchant's level of compliance via the PCI compliance portal maintained by the University's third party assessor.

F. Employees in key roles are required to acknowledge in writing that they have read and understand the University's policy and procedures.

G. A background check is required as a condition of employment for any employee hired to be involved with credit card processing, including key roles such as sales clerk, before hiring. Please refer to Human Resources for the university's policy regarding background checks.

H. Should you become aware that cardholder data has been compromised, you need to follow the incident response process as outlined in the credit card procedures.

 

5. Procedures

The Credit/Debit Card Processing Procedures document provides details for implementation of this policy. This separate document carries the full force of this policy. This separation allows for easier modifications to the procedures due to the changing nature of business, technology and security.

 

6. Revisions and Exceptions

This policy should be reviewed at least annually and revised as needed according to new standards and laws.

This policy may be revised only with approval of the SVPFA of The University of Georgia.

The SVPFA and the CIO may grant exceptions to this policy or revise the Credit/Debit Card Processing Procedures document by mutual agreement.

 

7. Compliance

Failure to comply with this policy and the associated required procedures will be deemed a violation of University policy and subject to disciplinary action up to and including termination as noted in the Guide to Progressive Discipline.  Technology that does not comply with this policy and the associated required procedures is subject to disconnection of network services.

 

8. Communication

Upon approval, this policy shall be published on the appropriate University of Georgia web site(s). The following offices and individuals shall be notified in writing of any subsequent revisions or amendments made to this policy:

  • Associate Vice Provosts
  • Associate Vice Presidents
  • Deans, Directors and Department Heads

 


Wording for the recently approved background checks needs to include credit card wherever "cash" is referenced.

 

 

The Credit/Debit Card Processing Procedures

Modified 3/21/2008