University of Notre Dame
Payment Card Policy

Responsible Executive(s): Institutional Oversight Committee

Responsible Department: Credit Card Support Program (CCSP)

Issued: May 4, 2007

Revised: January 30, 2009

Review: Annual


Policy Statement

Merchant Account Acquisition and Usage

All card processing activities of the University of Notre Dame will be conducted through merchant accounts obtained through the Merchant Account Acquisition Procedure.

Notre Dame merchant accounts will be issued only to particular Notre Dame entities for a specific use.  Accounts operated by parties other than the approved entity or for a purpose other than that approved may be rescinded without notice.

Protection of Cardholder Information

All card processing activities and payment technologies of the University of Notre Dame must comply with the Payment Card Industry Data Security Standard (PCI DSS) as described in the Notre Dame payment card standards and procedures listed in the Related Documents below.  No activity or technology may obstruct compliance with the PCI DSS.

Through regular meetings with the Operational Oversight Committee and related working groups, the Credit Card Support Program (CCSP) will conduct an annual process that identifies threats and vulnerabilities and results in a formal risk assessment.

The University will screen potential employees to minimize the risk of attacks from internal sources.

The University will contractually require all third parties with access to cardholder data to adhere to PCI DSS requirements.  These contracts will clearly define information security responsibilities for contractors.

Alteration of Card Processing Environment

Any alteration of the card processing environment must receive explicit written approval through the Payment Environment Change Approval Process. Changes include but are not limited to:

  • the use of existing merchant accounts for new purposes,
  • the alteration of business processes that involve card processing activities,
  • the addition or alteration of payment systems,
  • the addition or alteration of relationships with third-party payment card service providers,
  • and the addition or alteration of payment card processing technologies or channels.

Cellular Modem and Wired-Analog Modem Uplink Devices and Usage

For changes involving the use of cellular wireless technology or the installation of analog wired modems on systems that store, process or transmit cardholder data, the following details must be provided to complete the Payment Environment Change Approval Process:

  • A description of authentication technology in place,
  • A list of all devices and personnel with access,
  • For wired modems, a proposed connectivity time-out period (All modems must automatically disconnect sessions after a specified period of inactivity.)

Approval of the change will include: 

  • Specific acceptable use(s) chosen for the technology
  • Specific approved network location(s) for the technology
  • Specific approval of the product(s) used

In general, the University disallows and discourages the use of cellular wireless uplink technology for card processing activities.  If approved, all devices will be labeled with the owner, contact information, and purpose of the device, prior to deployment of the technology.

802.11 Wireless LANs will not be connected to, or part of, the cardholder environment.

When accessing cardholder data remotely via wireless or wired modem, it is prohibited to store cardholder data on local hard drives, floppy disks or other external media.  It is also prohibited to use cut-and-paste and print functions during remote access. Activation of modems for vendors will occur only when needed, with immediate deactivation after use.

Applicability

This policy applies to all University of Notre Dame employees and students.

Web Address For This Policy

http://controller.nd.edu/policies-and-procedures/credit_card_support_program/PaymentCardPolicy.shtml

Contacts

Please submit questions regarding the University of Notre Dame Payment Card Policy to ccsp@nd.edu

Related Documents

Policies

Standards

Procedures

External

Responsibilities

The CCSP will:

  1. Establish, document and distribute security policies and procedures.
  2. Make all employees aware of the importance of cardholder information security through a formal security awareness program.
  3. Assist merchants with the completion and submission of all PCI DSS Self-Assessment Questionnaires.
  4. Administer the Payment Environment Change Approval Process wherein changes to the payment environment are approved by the CCSP Committee and/or by the Vice Presidents for Finance and Business Operations.
  5. Administer the Merchant Account Acquisition Procedure wherein new accounts are approved by the Vice Presidents for Finance and Business Operations.
  6. Maintain a current list of service providers, and procedures to manage those service providers.

OIT Information Security will:

  1. Establish, document and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

Administrators of card processing systems and applications will:

  1. Monitor and analyze security alerts and information and distribute to appropriate personnel.
  2. Administer user accounts, including additions, deletions and modifications.
  3. Monitor and control all access to data.

Merchants will:

  1. Ensure that all of their employees and business processes comply with this policy and related procedures.
  2. Identify positions that require access to cardholder data, specifying positions with access to multiple instances of cardholder data.
  3. Notify Human Resources through their department’s HR Business Partner and the CCSP of all staff changes in positions with privileged access to Cardholder Data.
  4. Make their employees aware of the importance of cardholder information security.

Human Resources will:

  1. Screen potential employees in identified positions to minimize the risk of attacks from internal sources.

Review

CCSP will review this policy and related procedures annually.  This policy and related procedures will be updated when the card processing environment changes. 

Exceptions

Exceptions to this policy or related procedures must be approved through the CCSP Operational Oversight Committee.