II-2: Cardholder Data Security and PCI Compliance Policy
Policy Number: II-2
Effective Date: October 8, 2012
Last Reviewed: October 8, 2012
Responsible Dept.: Financial Services
Purpose
To establish policies and procedures to comply with Payment Card Industry Data Security Standard (PCI DSS)
and to insure that the agency properly safeguards against identify theft and the release of sensitive
information. This policy applies to all employees, systems and networks involved with cardholder data
handling which includes transmission, storage, and/or processing of credit card numbers.
Policy
The PCI DSS is a mandated set of requirements agreed upon by the five major credit card companies: VISA,
MasterCard, Discover, American Express and JCB. These security requirements apply to all transactions
surrounding the payment card industry. Electronic and paper handling are covered by this standard. The
requirements apply to any organization involved with cardholder data handling.
Procedure
The following procedures are established for credit card acceptance and handling:
- Cardholder data collected will be restricted only to those users who need the data to perform their
jobs. Access wil! be limited to the Cashiers in Chapman Ha!!, Accountant, Business Manager and Vice
President of Finance. The Accountant prepares the daily deposit. Additional access may be granted
to those performing a Cashier function or deposit preparation on a temporary basis, when approved
by the Accountant, Business Manager and/or the Vice President of Finance.
- Cardholder data, whether collected on paper or electronically will be protected against
unauthorized access. Unauthorized persons will not be permitted in secure areas unaccompanied.
- Credit card payments will only be accepted in person, not over the telephone or by email.
- Email will not be used to transmit credit card or personal payment information, nor should it be accepted as a method to supply such information.
- Portable electronic media devices will not be used to store cardholder data. These devices include
laptops, compact disks, floppy drives, USB flash drives, personal digital assistants and portable
external hard drives.
- Physical security over the data shall be paramount and require that data be stored in a locked
drawer, file cabinet, and/or vault and that the Cashier's Office be kept locked at all times. Cardholder
data may not be left out on desks or in open areas when not needed. Cardholder data should be kept
in a folder and locked in a desk when employees are required to leave the area unattended.
- When not in use, the equipment used to transact credit cards shall also be secured.
- When credit card receipts are transported from one location to another they must be in a locked
bank bag.
- Cardholder data will not be retained any longer than necessary and will be deleted and/or
destroyed immediately after the documented business need. In the case of paper transmitted
cardholder data, the information will be destroyed immediately following the recording of the
payment transaction.
- Proper disposal of cardholder data requires a cross-cut type shredder, incineration, or use of
CINTAS for proper disposal.
- Any record or file removed from the Cashier's Office for storage must be secured in a locked file
cabinet in the Fiscal Services file room located on the first floor of Fishburn Hall.
- Fiscal Services adheres to the Virginia Public Records Act as it relates to the retention and
destruction of records. Destruction of Commonwealth of Virginia records must be properly
documented and approved on a Certificates of Records Destruction Form (RM-3), prior to
destruction.
- Any employee who becomes aware of a breach of security in relation to the receipt, handling,
storage, and or disposition or cardholder data has an obligation to report such activity immediately
under the guidelines outlined in the college's Information Security Incident Handling Policy (9.4.2),
(dated December 2011).
