POL-U5380.01 Protecting Payment Card Information

Dates and Approval

Effective Date:

June 8, 2023

Approved by:

President Sabah Randhawa

Who does this policy apply to?

This policy applies to all aspects of the University’s acceptance of payment cards. This includes:

  • All units accepting payment cards for transactions,
  • All individuals who come into contact with cardholder data,
  • All third parties engaged in processing activities on behalf of the University,
  • All cardholder data in any form (paper or electronic),
  • All payment card processing activities, and
  • The University’s cardholder data environment (the card data environment, or CDE: all systems, services, and networks involved in processing activities).

This policy applies in conjunction with other University policies and related laws, regulations, and external policies. For example, units are also subject to cash management policies and accounting responsibilities.

The policy will be reviewed at least annually to ensure it is aligned with legal, industry, operational, and technological changes.

Overview

The University accepts payment cards for certain transactions related to providing goods and services. In order to accept payment cards, the University and its units must demonstrate and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS) and with other applicable laws, regulations, and policies (“PCI DSS compliance”). The University is committed to protecting the privacy and security of personal and financial information of its students, employees, vendors, and customers.

Definitions

Card Handler

Any individual who receives, processes, or has access to credit or debit card information, or supervises or is responsible for those people who receive, process, or have access to credit or debit card information for the purpose of receiving payments. Anyone who is responsible for point-of-sale devices, such as Parking Pay Stations (self-service payment devices), is also considered a card handler.

Card Information

Sensitive data carried on a credit/debit card, including the full account number, the Card Verification Value (the three-digit value printed on the back or four-digit value printed on the front of a payment card), the contents of the magnetic stripe, and the expiration date.

Merchant Account

A type of bank account that allows University departments to accept payments by debit or credit cards.

Payment Cards

Credit or debit cards used as a form of payment.

Point of Sale Device

A hardware system for processing card payments that includes software to read card data through the chip, the magnetic stripe, and/or the contactless (NFC/RFID) antenna embedded in the card.

Policy Statements

1. The University Will Comply with Payment Card Industry Data Security Standard (PCI DSS)

Western Washington University must comply with the PCI DSS to maintain a secure environment by which the University may accept, process, store, or transmit credit or debit card information. The Controller, under the purview of the Vice President for Business and Financial Affairs, has compliance oversight authority over payment card processing activities. The Assistant Director of Treasury Services is delegated responsibility for the administration of the Payment Card Program and implementation of compliance with current PCI DSS requirements across the institution.

In partnership with the Information Security Office, Treasury Services will engage a Qualified Security Assessor (QSA) on a routine basis to assess institutional PCI DSS compliance, identify gaps and recommend remediation actions.

2. Only Authorized Departments May Implement Bank Card Payment Processing

In accordance with the Billing and Receiving Payment for Tuition, Fees, Goods, and Services Policy (POL-U5351.01) and related procedures, all departments wishing to directly receive payments, either in person or over the internet, including credit and debit card payment, must receive prior written approval from Treasury Services. All approved departments will be considered a “University Merchant.”

Employees are prohibited from opening or closing merchant accounts and/or purchasing and implementing point of sale devices or systems. Such activity is to be conducted by Treasury Services only. When replacing or implementing ecommerce solutions, Treasury Services must be involved in the process and will approve the solution as it relates to PCI DSS and payments. See also Authorizing Agreements and Contracts Policy (POL-U5348.05).

3. Department Heads are Responsible for PCI DSS Compliance

Each department head is responsible for working with Treasury Services to develop an internal written department PCI plan consistent with the University’s Standards for Protecting Payment Card Information (STN-U5380.01A), ensuring its implementation, and monitoring compliance with it. Any changes to department operations impacting payment card processing are to be promptly reported to Treasury Services to determine needed changes to the department’s PCI plan.

If a department has multiple payment card processors and point of sale devices/terminals, the department head may designate an employee to be responsible for monitoring the day-to-day compliance with policy, standards, and procedures. This delegation does not alleviate the overall responsibility of the department head from ensuring compliance.

Department heads are also responsible for participating in third party PCI DSS compliance reviews when directed by Treasury Services. See also Section 10.

4. Only Authorized Employees May Process Payments

No employee or student may accept and/or process payment card transactions unless they have been assigned payment card duties by their supervisor (or financial manager) and completed required training through Treasury Services. See also Section 5. University volunteers are not permitted to be card handlers.

All authorized card handlers must abide by all relevant University policies, standards, and procedures to maintain payment card acceptance privileges and ensure the safeguarding of payment card information.

5. PCI DSS Training is Required For Certain Roles

The following employees are required to complete PCI DSS training initially and then annually, or as otherwise required by Treasury Services:

  1. Financial managers/department heads whose operations have been approved to accept credit cards as a method of payment,
  2. Supervisors of authorized card handlers,
  3. Employees designated by the financial manager/department head with the authority to initiate authorization for card handlers, and
  4. Cash handlers.

Failure to complete required training may result in an employee or department losing their credit card handling/processing permissions. See also Section 8.

6. Exceptions to Requirements Must be Approved by Treasury Services

Exceptions to policy, standards, or procedures must be justified by operational or technical needs and supported with a sufficient risk mitigation plan. Requests for exceptions must be approved in writing by the department head and Treasury Services, in consultation with the Information Security Office (ISO) when appropriate. The ISO will work in an advisory capacity to assist units in finding alternatives to security controls that cannot be administratively, operationally, or technically implemented.

7. Employees Must Report Suspected Data Breaches, Fraud, Noncompliance, or other Risk Concerns

Protecting student, employee, and customer payment card information is the responsibility of every employee and essential to maintaining the trust of Western’s constituents. Changes in business operations, such as new procedures, systems, and employee turnover, can create gaps in compliance and controls. Therefore, employees must report:

  1. Suspected security or privacy breaches in which a customer’s payment card information is reasonably believed to have been compromised, including possible tampering with card terminals, promptly to their supervisor and to the ATUS Help Desk in accordance with the Securing Information Systems Policy (POL-U3000.07).
  2. Suspected fraud, noncompliance, or other issues that may pose a risk to the University, in writing to their supervisor. Supervisors are to promptly forward employee reports to Treasury Services and Audit and Consulting Services (ACS) for consultation.

Risk concerns include, but are not limited to:

  • Processing payment cards using unauthorized or insecure methods, systems, or services,
  • Improper recording, storage, or disposal of payment information,
  • Compromised payment card devices, or
  • Fraudulent processing activities.

Treasury Services will assess noncompliance and implement corrective action to resolve issues and mitigate risk in collaboration with campus partners. Concerns that involve employee behavior will be referred to Human Resources for review.

Individuals found to have engaged in noncompliant behaviors, or who fail to follow corrective action plans, may be subject to disciplinary action, suspension, or termination of employment. It is important for employees to understand that some violations may constitute criminal or ethical offenses under local, state, or federal laws.

8. Corrective Action to be Taken for Non-Compliance or Risk Concerns

Upon notice or identification of non-compliance or other risk concerns, the Head of Treasury Services may temporarily suspend the department or an individual employee’s card handling permissions until risks are sufficiently mitigated.

All violations and risk concerns will be reported to Treasury Services. Treasury Services will consult with pertinent PCI partners, which may include the QSA, ACS, ISO, IT, Risk, Legal, and/or HR, to determine a recommendation of:

  1. Suspension of payment card handling permissions (if not already suspended),
  2. Program, department, and/or employee corrective action required to resume payment card handling, and/or
  3. Termination of payment card handling permissions.

Treasury Services, at its discretion, may immediately suspend or revoke a merchant account for failure to comply with relevant policy, standards, or procedures prior to PCI partner review. Revocation of a merchant account will preclude the affected University unit from being able to process payment cards.

Department heads are responsible for ensuring sufficient internal controls and the remediation of risk issues observed during daily operations or discovered during assessments, as well as updating Treasury Services on the status of remediation efforts.

9. The University Must Attest Institutional PCI DSS Compliance on an Annual Basis

The University is required to complete annual PCI DSS compliance attestation documentation in accordance with industry standards to maintain its merchant accounts. Each department approved for payment card processing must participate in and fully cooperate with completing the annual attestation and auditing activities when directed by Treasury Services or other authorities.

All employees listed in Section 5 must annually attend PCI DSS training and attest to their PCI DSS compliance responsibilities.

10. The University May Contract with PCI DSS Compliant Third Parties to Support Payment Card Processing Activities

Any third-party agreement that will involve the storage, processing, or transmitting of payment card data, including contract renewals, must be reviewed by Treasury Services through Contract Administration. Treasury Services will maintain a list of approved third parties with whom authorized departments may engage. Third parties will be required to attest to PCI DSS compliance requirements upon each contract renewal.

11. Departments are Responsible for Costs Associated with Payment Card Processing

Departments are responsible for the associated cost for payment card processing. Costs include bank and interchange fees, equipment fees, if applicable, and other fees as deemed appropriate.

Departments may consider costs when assessing fees for their goods and services. All fees, and subsequent adjustments, for goods and services must receive prior approval in accordance with the University Fee and Rate Manual.

Department Heads will also be held responsible for costs associated with non-compliance related to their processing activities. These costs may include:

  1. Fines and penalties imposed by the payment card industry,
  2. Monetary costs associated with remediation, assessment, forensic analysis, fraudulent activity, or legal fees, and/or
  3. Suspension or termination of their merchant account and their authorization to accept payment cards.

Policy Information