15.55 – Payment Card Industry Data Security Standards

PART 1:  INTRODUCTION

This Rule facilitates the protection of payment cardholder data and the compliance with RPM 15.50 Information Data Security and with applicable data security standards set forth by the payment card industry.   Because many NMSU entities accept payment card payments, the university is a payment card-processing merchant, and as such, must comply with the Payment Card Industry Data Security Standard (PCI DSS). The following details the requirements for compliance with PCI DSS.

PART 2:  SCOPE

 The PCI DSS Rule applies to all NMSU entities, individuals, and contractors to NMSU who:

1. Accept payment card payments at NMSU;
2. Oversee the technology used to accept payment card payments;
3. Have oversight over payment card transactions, or;
4. Are responsible for training personnel who accept payment card payments.

PART 3: COMPLIANCE, OVERSIGHT AND ADMINISTRATION

The NMSU PCI DSS Compliance Steering Committee (The Committee) oversees and administers NMSU’s PCI DSS compliance efforts. The Committee shall work with the various merchants and other parties to ensure compliance with the applicable regulations relating to the security of payment cardholder information.  For more information, visit pcidss.nmsu.edu or email the Committee at pci-Team@nmsu.edu.

PART 4: DEFINITIONS

1. Data/Process Flow: “Data/process flow” refers to a graphical representation of how payment card data flows through a logical and/or physical system.
2. Merchants: “Merchants” are any NMSU entities or contractors to NMSU that accept, process, or store payment card data.
3. Payment Card: “Payment card” refers to a credit or debit card used to purchase goods or services.
4. Payment Card Activities: “Payment card activities” refers to the acceptance, processing, storing, or transmission of cardholder data.
5. Payment Cardholder Data: “Payment Cardholder Data” refers to the PAN in conjunction with any of the following: cardholder name, payment card expiration date, or payment card service code (three/four-digit security code).
6. PCI DSS: “PCI DSS” refers to the Payment Card Industry Data Security Standards, which are the proprietary security standards mandated by the major card companies, including Visa, MasterCard, American Express, Discover, and JCB.
7. Point of Sale (POS): “Point of Sale” refers to the place where a sales transaction is completed.
8. Primary Account Number (PAN): “PAN” is the payment card number (credit or debit) that identifies the issuer and the particular cardholder account (a.k.a. Account Number).

PART 5:  GENERAL REQUIREMENTS, MERCHANT REQUIREMENTS, AND GOVERNANCE 

A. General Requirements

Appropriate security and control measures must be in place to ensure the security of payment cardholder data. The following chart outlines the PCI DSS goals and requirements for the security of payment cardholder data.  For more information, visit pcidss.nmsu.edu for specific procedures.

B. Merchant Requirements

NMSU merchant responsibilities include network, data and physical-access security, merchant training, compliance reviews, and reporting. A list of current and specific duties and responsibilities of merchants, which are amended by the Payment Card Industry periodically, can be found at pcisecuritystandards.org. The following are the general requirements for merchants:

1. Only merchants and vendors pre-approved by the Controller’s Office and the Committee are authorized to handle university credit card processing.  Third-party vendors or service providers contracted by a merchant must supply a contract addendum or other certification assuring their compliance with the current PCI DSS as appropriate.  If applicable, a list of service providers must be maintained by the department or unit contacts, as well as the compliance status of each vendor, must be verified by the department or unit at least annually.
2. Any post-authorization storage of cardholder data must have prior approval by the Controller’s Office and The Committee and must meet current PCI DSS.  A current inventory must be provided to the Controller’s Office and The Committee, reflecting any storage locations for cardholder data.
3. Merchant shall engage approved software and hardware vendors and obtain approval from The Committee before maintaining and/or retrieving payment cardholder data for future or recurring transactions or accepting payment cardholder data over the internet.
4. Merchant shall designate personnel to document cardholder activities, develop procedures, coordinate training, and act as primary contact in regards to cardholder data before the merchant can accept, process, or store cardholder data.
5. Merchant shall immediately notify Treasury Services, ICT, and The Committee of any breach involving payment cardholder data and document and cooperate with the investigation as directed.
6. Departments and units which operate payment card systems must maintain documentation of all procedures, including data/process flows, for handling payment card data and systems consistent with PCI DSS. Documentation required of PCI DSS and this Rule must be readily available during business hours at the request of the Controller’s Office or The Committee.
7. Departments and units which operate payment card systems must maintain a list of current devices and software used to process credit card data or used in the cardholder environment and monitor devices for attempted tampering or replacement.  Each device must be labeled appropriately.  The list must be supplied to the Committee annually. The inventory list must include:
   1. Make and model of devices;
   2. Location of each device;
   3. Device serial number or asset tag, and;
   4. Software and software version.
8. Each department or unit must complete a PCI DSS Self-Assessment Questionnaire (SAQ) for each merchant ID, along with the corresponding Attestation of PCI Compliance prior to operation of any payment card processing system, and on an annual basis at a time communicated from the Controller’s Office or The Committee with at least 30-day notice,

C. PCI DSS Governance

The following are the official governance authorities responsible for ensuring the university maintains compliance with PCI DSS requirements:

1. The NMSU PCI DSS Compliance Steering Committee (the Committee) will require that all university merchant processes meet PCI DSS requirements, and;
2. The Committee will review the implementation, operation and certification of merchant processes in order to manage risk, complexity, and expense of maintaining compliance with PCI DSS.
3. The Committee shall:
   1. Create or procure, distribute, and review for relevance and value, training courseware and materials for NMSU merchant departments;
   2. Review with Information and Communication Technologies (ICT) personnel new cardholder technologies in use at NMSU and emerging in the industry;
   3. Conduct bi-annual review of Payment Card Industry DSS compliance rules and procedures with ICT and Treasury Services;
   4. Conduct periodic visits to merchant business sites for merchant site and procedural reviews, and;
   5. Review each merchant department’s payment card procedures to assure PCI DSS compliance.
4. Treasury Services shall:
   1. Through the Controller’s office, be the final approver for all merchant payment card processing applications and merchant processing locations;
   2. Review monthly third party scans of computers used by departments for merchant payment card processing and notify ICT and The Committee of any failures for ICT follow-up;
   3. Coordinate annual merchant SAQ completion;
   4. Review each merchant department’s yearly training logs;
   5. Oversee new payment card merchant account requests, and;
   6. Coordinate corrective action and reporting with relevant merchant departments, Administration and Finance, University Communications, and ICT, upon discovery of a cardholder data breach.
5. Information and Communication Technologies shall:
   1. Maintain availability and security of central servers, networks, and associated hardware that process or transmit cardholder data;
   2. Verify that all controls, such as firewalls and encryption technologies are in place, up-to-date and functioning;
   3. Ensure network penetration testing takes place as required by PCI DSS;
   4. Take corrective action on failures identified in monthly third-party scans;
   5. Maintain logs for required periods as appropriate for certain hardware equipment;
   6. Recommend technical solutions to enhance compliance and security, and;
   7. Provide technical expertise to merchant departments in support of payment card activities.