GA-30 PCI DSS COMPLIANCE POLICY

Purpose:

This policy provides information to ensure Green River College complies with the Payment Card Industry Data Security Standard (PCI DSS). The purpose of the PCI DSS is to protect cardholder data. Any failure to protect customer information may result in financial loss for customers, suspension of credit card processing privileges, fines, and damage to the reputation of the college. This policy is intended to be used in conjunction with the Green River College PCI Compliance Procedures and the Green River College IT-1 Information Technology Security Policy and related procedures.

Scope:

This policy applies to all faculty, staff, students, organizations, third-party vendors, individuals, systems and networks involved with the transmission, storage, or processing of payment card data (including systems that can impact the security of payment card data). A list of all employees authorized to collect, maintain or have access to credit card information is provided in the Green River College PCI Compliance Procedures.

Definitions:

PCI DSS: The Payment Card Industry Data Security Standard, which includes technical and operational requirements for security management, policies, procedures, network architecture, software design and other critical protective measures to prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standard applies to all organizations that store, process or transmit cardholder data. PCI standards for compliance are developed by the PCI SSC. PCI DSS 4.0 is the latest version.

PCI SSC: The Payment Card Industry Security Standards Council defines credentials and qualifications for assessors and vendors and maintains the PCI DSS. The founding members of the Council are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

Cardholder Data: Payment card data, which includes the primary account number (PAN), cardholder name, expiration date, service code and sensitive authentication data.

Policy:

Any proposal for a new process (electronic or paper) related to the storage, transmission or processing of credit card data must be brought to the attention of and be approved by the Senior Director of Financial Services.

All credit card merchant accounts must be approved by the Senior Director of Financial Services. Web payments must be processed using a PCI-compliant service provider approved by the Senior Director of Financial Services.

Credit card information must not be stored on Green River College network servers, workstations, or laptops. Credit card numbers must not be entered into a web page of a server hosted on the Green River College network.

All employees involved in processing credit card payments must be aware of this policy, understand the risks associated with their handling of sensitive information, and complete security training related to the handling of cardholder data upon hire and annually thereafter.

Credit card numbers may NOT be stored in any electronic format for any reason. Paper documents containing credit card numbers must be securely locked up for as long as they are required for business purposes and securely shredded as soon as their purpose is completed. In no instance shall this retention period exceed 45 days, and it should be limited whenever possible to only 3 business days. Secure destruction must be via cross-cut shredding.

Credit card information must not be transmitted via email or other insecure messaging technologies, such as instant messaging.

Neither the full contents of any track from the magnetic stripe nor the three-digit card validation code may be stored in a database, log file, or point-of-sale product.

Green River College will perform quarterly external vulnerability scans to ensure the security of internet-facing components and networks.

Third-party vendors that process, transmit or store credit card information for Green River College must be PCI compliant and approved by the Senior Director of Financial Services. Third-party vendors covered by this policy will be required to conduct their own PCI DSS assessment, and must provide sufficient evidence to Green River College to verify that the scope of the service provider's PCI DSS assessment covered the services provided to Green River College and that the relevant PCI DSS requirements were examined and determined to be in place. Annually, the college will verify third-party vendor compliance by checking the PCI Security Standards website. The current third-party vendors are listed in the Green River College PCI Compliance Procedures.

__________________________________________________________________________

Specific Authority:

PCI SSC

PCI DSS

Law Implemented:

PCI DSS 1.0 December 15, 2004

______________________________________________________________________________

History of Policy or Procedure:

Draft: March 19, 2021

Adopted: 7-12-2021

Revised: 7-06-2021

Reviewed by: Green River College Business Office

Contact: Shanna Selvar, Fiscal Analyst 4, ext. 6430, Janee Sommerfield, Senior Director of Financial Services, ext. 3306.

President’s Staff Sponsor: Shirley Bean, Vice President for Business Administration, ext. 3305
