Credit Card Payment Processing Security and Compliance with PCI-DSS Standards

Division: Administration & Finance

Department: Information Technology Services

Contact Information: Nish Malik / Associate Vice President and Chief Information Officer, Information Technology Services / (415) 405-4105 / nish@sfsu.edu

Effective Date: Monday, November 1, 2010

Revised Date: Tuesday, July 14, 2020

Authority: ICSUAM 8000 et seq. - Information Security Policy; ICSUAM 6340 - Credit/Debit Card Payment Policy

Objective: 

This Policy sets forth the guidelines and best practices for protecting credit card payment information as required by merchant banks and controls required by the Payment Card Industry Data Security Standard (PCI-DSS).

Statement: 

Purpose & Scope

SF State is committed to limiting the proliferation of sensitive data and maintaining the security of customer information, including payment cardholder information such as: payment card account number, expiration date, and payment cardholder verification number. To uphold this commitment, SF State follows the standards for protecting payment card information as required by merchant banks and the security controls required by the Payment Card Industry Data Security Standard (PCI-DSS).

Policy

To minimize exposure of sensitive payment information that could be misused for unauthorized transactions or used to execute identity theft, SF State requires the following:

  1. SF State entities (also known as university merchants) accepting credit cards online, in person or over the phone are required to obtain pre-approval from the Bursar’s Office, UCorp, Procurement and the Information Security Office before accepting transactions. All merchant accounts for processing credit cards must be registered with SF State Fiscal Affairs, Bursar’s Office or UCorp. This is to ensure that all requirements for credit card processing systems, including but not limited to establishing a new merchant account, setting up credit card equipment, and processing transactions, are compliant with PCI-DSS. It also ensures that all depository requirements and interfaces are satisfactorily met.
  2. All payment card transactions must use 3rd party vendor services. Payment card data may NOT be transmitted, processed or stored on SF State owned infrastructure.
  3. SF State currently contracts with Cashnet for electronic bill presentment and payment card processing services.  Fee information and payments can be found here: https://bursar.sfsu.edu/Student-Services/payment-methods#cc
  4. University personnel, including but not limited to full-time and part-time employees, student workers, temporary employees, contractors and consultants who are “resident” on campus or otherwise have access to cardholder data environments, are required to take annual PCI-DSS security training and follow security procedures to protect payment card information.
  5. SF State maintains a PCI-DSS Council Charter that outlines roles and responsibilities for campus stakeholders to maintain PCI-DSS program compliance.
  6. A university merchant must ensure that any credit card equipment purchased, leased or supplied from vendors is PCI compliant and approved or otherwise endorsed by their merchant bank and/or payment processor, and must maintain evidence that it has been approved or endorsed. The Technology Acquisition Review (TAR) process should be used to obtain security and accessibility reviews and approvals for credit card equipment acquisitions. Bursar’s Office or UCorp approval is also required and should be submitted with the TAR.

Compliance with PCI-DSS Standards

SF State complies with PCI-DSS standards, as defined below:

Section 12.1
The SF State Information Security Office maintains and disseminates this policy, reviews it annually as defined in the PCI-DSS Council Charter, and updates it when the environment changes.

Section 12.2
The SF State Information Security Office implements risk assessment processes in accordance with ICSUAM 8020, and with the SF State Enterprise Risk Management (ERM) Office.

Section 12.3
SF State publishes guides and procedures for using critical technologies to define their proper use by all personnel, including roles and responsibilities. These include:

Section 12.4
SF State maintains a PCI Council and PCI-DSS Council Charter to oversee compliance activities and provide guidance in regard to PCI-DSS standards. 

Section 12.5
The SF State Information Security Office is responsible for monitoring, distributing and analyzing security alert and vulnerability information for SF State owned infrastructure. In addition, the SF State Information Security Office maintains the information security incident response plan and associated incident roles and responsibilities document. All account management functions, such as provisioning and de-provisioning, are authorized through appropriate access management teams on campus with approval from data owners. Access to critical systems is audited annually.

Section 12.6
SF State has a formal security awareness program to make all personnel aware of security policies and procedures. This includes regular phishing exercise tests, just-in-time awareness messages/campaigns, and specialized PCI-DSS training for those who have access to cardholder data environments, which is required upon starting their role and annually thereafter.

Section 12.7
SF State Human Resources (HR) follows the personnel hiring screening requirements set forth by CSU, which include background checks for personnel who are expected to have access to Level 1 information.

Section 12.8
SF State manages service providers that process cardholder data. A PCI service provider inventory is maintained by the PCI Council. The SF State Procurement Office maintains a list of PCI service provider contracts and applies IT Supplemental provisions to each contract/agreement to meet PCI-DSS compliance obligations. In some cases, contracts will include specific guidance on how the provider validates its PCI-DSS compliance and what evidence it will provide to SF State. As part of the annual campus SAQ/AOC process, SF State will monitor service providers’ compliance with the PCI-DSS standards.

Section 12.9
SF State requires all service providers to acknowledge in writing their responsibility for the security of cardholder data that they possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Section 12.10
SF State contractually requires each service provider to maintain an incident response plan and to provide notification within 24 hours of discovery. In addition, SF State maintains a security incident response plan and associated incident roles and responsibilities document.

Additional Resources

SF State Bursar’s Office

SF State Confidential Data Handling

Supporting PCI-DSS Documents