Policy Number: II-2
Effective Date: October 8, 2012
Last Reviewed: November 5, 2020
Responsible Dept.: Financial Services
A signed copy of this policy is available in the President’s Office.
To establish policies and procedures to comply with the Payment Card Industry Data Security Standard (PCI DSS) and to ensure that the agency properly safeguards against identity theft and the release of sensitive information. This policy applies to all employees, systems and networks involved with cardholder data handling, which includes the transmission, storage, and/or processing of credit card numbers.
The PCI DSS is a mandated set of requirements agreed upon by the five major credit card companies: VISA, MasterCard, Discover, American Express and JCB. These security requirements apply to all transactions surrounding the payment card industry. Electronic and paper handling are covered by this standard. The requirements apply to any organization involved with cardholder data handling.
The following procedures are established for credit card acceptance and handling:
- Cardholder data collected will be restricted only to those users who need the data to perform their jobs. Access will be limited to the Cashiers in Fishburn Hall, Cashier, Student Accounts Coordinator, Business Manager and Vice President of Finance. The Cashier prepares the daily deposit. Additional access may be granted to those performing a Cashier function or deposit preparation on a temporary basis, when approved by the Student Accounts Coordinator, Business Manager and/or the Vice President of Finance.
- Cardholder data, whether collected on paper or electronically, will be protected against unauthorized access. Unauthorized persons will not be permitted in secure areas unaccompanied.
- Credit card payments will only be accepted in person unless approved by the Student Accounts Coordinator or the Business Manager.
- Email will not be used to transmit credit card or personal payment information, nor should it be accepted as a method to supply such information.
- Portable electronic media devices will not be used to store cardholder data. These devices include laptops, compact disks, floppy drives, USB flash drives, personal digital assistants and portable external hard drives.
- Physical security over the data shall be paramount and requires that data be stored in a locked drawer, file cabinet, and/or vault in the control of the Cashier’s Office. This cabinet is located inside Financial Services and will be locked at the close of business each day. Cardholder data may not be left out on desks or in open areas when not needed. Cardholder data should be kept in a folder and locked in a desk when employees are required to leave the area unattended.
- When not in use, the equipment used to transact credit cards shall also be secured.
- When credit card receipts are transported from one location to another, they must be in a locked bank bag.
- Cardholder data will not be retained any longer than necessary and will be deleted and/or destroyed immediately once the documented business need has been met. In the case of cardholder data transmitted on paper, the information will be destroyed immediately following the recording of the payment transaction.
- Cardholder data must be disposed of using a cross-cut shredder, incineration, or the contracted shredding vendor.
- Any record or file removed from the Cashier’s Office for storage must be secured in a locked file cabinet in the Fiscal Services file room located on the first floor of Fishburn Hall.
- Fiscal Services adheres to the Virginia Public Records Act as it relates to the retention and destruction of records. Destruction of Commonwealth of Virginia records must be properly documented and approved on a Certificate of Records Destruction Form (RM-3) prior to destruction.
- Any employee who becomes aware of a breach of security in relation to the receipt, handling, storage, and/or disposition of cardholder data has an obligation to report such activity immediately under the guidelines outlined in the college’s Information Security Incident Handling Policy (9.4.2), dated December 2011.
Reviewed/Revised: 8/2012, 11/2020