All UCSB merchants/departments must abide by the following guidelines:
- Cardholder data must not be stored electronically (on computers, or in any database, application, or system), and credit card information (credit card number, expiration date, card verification codes, etc.) must not be transmitted via email or fax
- Credit card terminals, if used, must be monitored and tracked at all times
- VoIP phones (e.g. Zoom Phone) are not PCI compliant. Credit card information received over the phone for manual entry into a POS terminal may only be accepted over a phone that is not connected to any UCSB network, either by wired (Ethernet) or wireless (WiFi) connection. See Accepting Payments Over the Phone for more information
- Designate an individual who holds the primary authority and responsibility for payment card processing
- Pay the costs associated with payment card processing (bank and gateway fees, equipment fees if applicable, PCI compliance fees, and other fees as deemed appropriate)
- Comply with all PCI DSS guidelines, UCOP’s Business & Finance Bulletin 49 (BUS-49), Policy for Cash and Cash Equivalents Received, and UCSB’s policies and procedures for payment card acceptance and security
- Validate PCI compliance annually, which includes the completion of the appropriate Self-Assessment Questionnaire (SAQ) and associated processes, if applicable, as required by the University’s acquiring bank and credit card associations
- Require all those involved with handling cardholder data, either directly or as a supervisor, to participate in PCI Security Awareness Training (available in the UCSB Learning Center) upon hire and annually thereafter
- Notify the Campus Credit Card Coordinator promptly when a merchant credit card account is no longer needed
- Respond to chargeback notifications and credit card company inquiries in a timely manner (within the timeframe specified on the notification)
- Maintain the physical protection of departmental credit card receipts and the secure destruction of payment card receipts and cardholder data once a program has ended and all payments have been reconciled
- Provide full cooperation with the University’s Campus Credit Card Coordinator and/or authorized third-party assessors whenever necessary
- Authorize and complete deposit settlement daily (strongly recommend setting up auto-settle, where possible)
Physical Access Control
- Credit card terminals must be kept in a secure location with limited physical access
- Terminals must be inspected for tampering at the start of every shift (or daily), if applicable, or whenever a terminal that is stored when not in use is put into service. Note: For most campus merchants, the Campus Credit Card Coordinator’s office is responsible for the thorough periodic inspections required for PCI compliance validation. For more information, request a copy of “UCSB Device Inspection Guidelines” from the Coordinator
- Cardholder information (receipts, reports, supporting documentation, etc.) must be secured and limited to only those individuals whose job requires such access
- “Media” refers to all paper and electronic media containing cardholder data. Most UCSB departments should never have a need to store cardholder data on any media (and NEVER electronically). See “Storage of Cardholder Data” below, and contact the Coordinator with any questions
- Strict control must be maintained over the internal or external distribution of any kind of media
- Media must be classified so that the sensitivity can be determined, and it can be adequately safeguarded if it contains sensitive data
- Physically secure paper media containing sensitive cardholder data at all times (e.g. locked down). A secure location would minimally be defined as one that is not accessible to the public, particularly if authorized personnel are not always available to monitor security
- Management’s approval must be obtained prior to moving media, especially when media is distributed to individuals. Logs must be maintained to track all media that is moved from a secured area, and media must be safeguarded during transport
- Destroy media containing cardholder data when no longer needed in accordance with PCI DSS guidelines
- Secure locations must have physical access controls (key cards, door locks, etc.) that prevent unauthorized entry, particularly during periods outside of normal work hours, or when authorized personnel are not present to monitor security
- Develop procedures to help all personnel easily distinguish between employees and visitors
Personnel Access Control
- Where possible, require a password for refunds and voids, held by someone other than the person processing charges.
- Restrict access to cardholder data on a business need-to-know basis.
- Limit access to system components and cardholder data to only those individuals whose job requires such access.
- Restrict access rights to privileged user IDs to the least privileges necessary to perform job responsibilities.
- Assign privileges based on individual personnel’s job classification and function.
- Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to deny all unless specifically allowed.
- Strong security must be used for all applications, devices, and systems (including shared or dedicated web servers hosting e-commerce sites) in the Cardholder Data Environment (“CDE”), including at a minimum:
  - All default passwords must be changed prior to deploying a system or device.
  - Any unnecessary generic or default user accounts must be removed or disabled prior to deploying a system or device.
  - User IDs and/or passwords must never be shared for any reason.
  - All system access requires at a minimum a User ID and strong password.
  - Passwords must at a minimum have seven or more characters, and contain at least one letter and one number.
  - All access must be immediately terminated when an employee or contractor leaves the company.
Storage of Cardholder Data
Merchants that do not store any cardholder data automatically provide stronger protection by having eliminated a key target for data thieves. However, if a legitimate business need exists, documentation must detail procedures for handling this information, from intake to destruction, and the following is required:
- Keep cardholder information storage to a minimum. Storage of sensitive cardholder data on any local device or system is prohibited
- Paper storage is permissible where justified by business needs
- Destroy stored cardholder information as soon as no longer needed for business purposes. See “Disposal and Reuse of Hardware, Electronic and Paper Media” below
- Do not store the Card Verification Value (three-digit or four-digit value printed on the front or back of a payment card, e.g., CVV2 and CVC2 data)
- Ensure secure storage and distribution of university keys
- Periodically change keys and destroy old keys
- An inventory must be maintained of all systems, electronic, and paper media containing sensitive cardholder data
Transmission and Distribution of Cardholder Data
- Where authorized, all transmission and distribution of sensitive cardholder data must use a secure method to avoid unauthorized access
- Cardholder data must not be collected over the phone unless using an approved device. See Accepting Payments Over the Phone for details
- Never send or accept cardholder or other sensitive information via unencrypted e-mail, instant messaging or any other insecure method (e.g. File Transfer Protocol (FTP), unencrypted Hypertext Transfer Protocol (HTTP), etc.).
- Mask the credit card’s Primary Account Number (PAN) when displayed.
Protecting Cardholder Data
- When sensitive authentication data is received and deleted, there must be a process in place to securely delete the data and to assure the data is unrecoverable
- All systems must adhere to the PCI DSS requirements regarding non-storage of sensitive authentication data after authorization
- Under no circumstance should the full contents of any track from the magnetic stripe be stored
- In the normal course of business, the following data elements from the magnetic stripe may need to be retained. To minimize risk, store only these data elements as needed for business. If you feel this applies to your department/unit, you must consult with the Coordinator before proceeding – there is rarely a true business need to store this sensitive information
  - The cardholder’s name
  - Primary account number (PAN)
  - Expiration date
- Under no circumstance should the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) be stored
- Under no circumstance should the personal identification number (PIN) or the encrypted PIN block be stored
Maintain an Information Security Policy
All merchants should maintain a policy that addresses information security for all personnel. “Personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who have access to the cardholder data environment.
A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. The security policy should be reviewed at least once a year and updated as needed to reflect any changes to business objectives or the risk environment.
Disposal and Reuse of Hardware, Electronic and Paper Media
- Hardcopy media must be destroyed when it is no longer needed for business or legal reasons.
- Hardcopy media must be destroyed by cross-cut shredding, incineration or pulping so that cardholder data cannot be reconstructed. If this is not possible, credit card numbers and personal information must be “blacked-out” before destroying.
- Containers that store cardholder data to be destroyed must be secured to prevent access to the contents. Example: a “to-be-shredded” container must have a lock preventing access to its contents.
- Shred, incinerate, pulp or “black-out” paper media containing cardholder data so that it cannot be reconstructed.
Incident Reporting
In the event of a verified or suspected security breach in which a person’s Personal Information is reasonably believed to have been stolen by an unauthorized person, the breach must be reported immediately to a supervisor, and the department/merchant responsible party must follow the instructions in the section referring to Incident Response: Suspected Cardholder Data Compromise, below.