Payment Card Processing Manual
Welcome to the online manual for payment card processing. Herein are located policies, standards, and procedures surrounding the acceptance of payment cards at the University of Notre Dame.
University of Notre Dame
Payment Card Policy
Responsible Executive(s): CCSP Steering Committee
Responsible Department: Credit Card Support Program (CCSP)
Issued: May 4, 2007
Review: Annual
Policy Statement
Merchant Account Acquisition and Usage
All card processing activities of the University of Notre Dame will be conducted through merchant accounts obtained through the Merchant Account Acquisition Procedure.
Notre Dame merchant accounts will be issued only to particular Notre Dame entities for a specific use. Accounts operated by parties other than the approved entity or for a purpose other than that approved may be rescinded without notice.
Protection of Cardholder Information
All card processing activities and payment technologies of the University of Notre Dame must comply with the Payment Card Industry Data Security Standard (PCI DSS) as described in the Notre Dame payment card standards and procedures listed in the Related Documents below. No activity or technology may obstruct compliance with the PCI DSS.
The Credit Card Support Program (CCSP) will conduct an annual process that identifies threats and vulnerabilities and results in a formal risk assessment.
The University will screen potential employees to minimize the risk of attacks from internal sources.
The University will contractually require all third parties with access to cardholder data to adhere to PCI DSS requirements. These contracts will clearly define information security responsibilities for contractors.
Alteration of Card Processing Environment
Any alteration of the card processing environment must receive explicit written approval through the Payment Environment Change Approval Process. Changes include but are not limited to:
- the use of existing merchant accounts for new purposes,
- the alteration of business processes that involve card processing activities,
- the addition or alteration of payment systems,
- the addition or alteration of relationships with third-party payment card service providers,
- and the addition or alteration of payment card processing technologies or channels.
Cellular Modem and Wired-Analog Modem Uplink Devices and Usage
For changes involving the use of cellular wireless technology or the installation of analog wired modems on systems that store, process or transmit cardholder data, the following details must be provided to complete the Payment Environment Change Approval Process:
- A description of authentication technology in place,
- A list of all devices and personnel with access,
- For wired modems, a proposed connectivity time-out period (All modems must automatically disconnect sessions after a specified period of inactivity.)
Approval of the change will include:
- Specific acceptable use(s) chosen for the technology
- Specific approved network location(s) for the technology
- Specific approval of the product(s) used
In general, the University disallows and discourages the use of cellular wireless uplink technology for card processing activities. If approved, all devices will be labeled with the owner, contact information, and purpose of the device, prior to deployment of the technology.
802.11 Wireless LANs will not be connected to, or part of, the cardholder environment.
When accessing cardholder data remotely via wireless or wired modem, it is prohibited to store cardholder data on local hard drives, floppy disks or other external media. It is also prohibited to use cut-and-paste and print functions during remote access. Activation of modems for vendors will occur only when needed, with immediate deactivation after use.
Applicability
This policy applies to all University of Notre Dame employees and students.
Web Address For This Policy
Contacts
Subject | Office | Telephone Number | Email or URL
Policy Clarification | Credit Card Support Program | (574) 631-4581 |
Standards | Credit Card Support Program | (574) 631-4581 |
Procedures | Controller's Group | (574) 631-9947 |
Violations | Credit Card Support Program | (574) 631-4581 |
Exceptions | Credit Card Support Program | (574) 631-4581 |
Related Documents
Policies
- Information Security Policies and Procedures, http://secure.nd.edu
Standards
Procedures
External
- Payment Card Industry Data Security Standard, http://www.visa.com/cisp
- Moneris Solutions' PCI DSS Site, http://www.moneris.com/index.php?context=/onlineservice/pci
Responsibilities
The CCSP will:
- Establish, document and distribute security policies and procedures;
- Make all employees aware of the importance of cardholder information security through a formal security awareness program;
- Conduct a formal risk assessment using the PCI-DSS Self Assessment Questionnaire;
- Administer the Payment Environment Change Approval Process wherein changes to the payment environment are approved by the CCSP Steering Committee, which is chaired by the Vice President for Finance.
The Merchant Card Coordinator will administer the Merchant Account Acquisition Procedure wherein new accounts are approved by the CCSP Oversight Committee, which is chaired by the Data Steward for cardholder data.
OIT Information Security will establish, document and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
Administrators of card processing systems and applications will:
- Monitor and analyze security alerts and information and distribute to appropriate personnel
- Administer user accounts, including additions, deletions and modifications
- Monitor and control all access to data
Merchants will:
- Ensure that all of their employees and business processes comply with this policy and related procedures.
- Identify positions that require access to cardholder data, specifying positions with access to multiple instances of cardholder data
- Notify Human Resources through their department’s HR Business Partner and the CCSP of all staff changes in positions with Access to Multiple Instances of Cardholder Data
- Make their employees aware of the importance of cardholder information security
Human Resources will screen potential employees in identified positions to minimize the risk of attacks from internal sources.
Review
CCSP will review this policy and related procedures annually. This policy and related procedures will be updated when the card processing environment changes. The next review will begin November 1, 2007. Results of the review will be available by December 1, 2007.
Exceptions
Exceptions to this policy or related procedures must be approved by the CCSP Steering Committee.
