Payment Card Policy

Policy Statement

Merchant Account Acquisition and Usage

All Card Processing Activities of the University of Notre Dame will be conducted through merchant accounts obtained through the Merchant Account Acquisition Procedure.

Notre Dame merchant accounts will be issued only to particular Notre Dame entities for a specific use.  Accounts operated by parties other than the approved entity or for a purpose other than that approved may be rescinded without notice.

Protection of Cardholder Information

All card processing activities and payment technologies of the University of Notre Dame must comply with the Payment Card Industry Data Security Standard (PCI DSS) as described in the Notre Dame payment card standards and procedures listed in the Related Documents below.  No activity or technology may obstruct compliance with the PCI DSS.

Through regular meetings with the Information Governance Committee and related working groups, the Credit Card Support Program (CCSP) will conduct an annual process that identifies threats and vulnerabilities and results in a formal risk assessment.

The University will screen potential employees to minimize the risk of attacks from internal sources.

The University will contractually require all third parties with access to cardholder data to adhere to PCI DSS requirements.  These contracts will clearly define information security responsibilities for contractors.

Alteration of Card Processing Environment

Any alteration of the card processing environment must receive explicit written approval through the Payment Environment Change Approval Process. Changes include but are not limited to:

  • the use of existing merchant accounts for new purposes,
  • the alteration of business processes that involve card processing activities,
  • the addition or alteration of payment systems,
  • the addition or alteration of relationships with third-party payment card service providers,
  • the addition or alteration of payment card processing technologies or channels.

Cellular Modem and Wired-Analog Modem Uplink Devices and Usage

For changes involving the use of cellular wireless technology or the installation of analog wired modems on systems that store, process or transmit cardholder data, the following details must be provided to complete the Payment Environment Change Approval Process:

  • A description of authentication technology in place,
  • A list of all devices and personnel with access,
  • For wired modems, a proposed connectivity time-out period (All modems must automatically disconnect sessions after a specified period of inactivity.)

Approval of the change will include: 

  • Specific acceptable use(s) chosen for the technology
  • Specific approved network location(s) for the technology
  • Specific approval of the product(s) used

In general, the University disallows and discourages the use of cellular wireless uplink technology for card processing activities.  If approved, all devices will be labeled with the owner, contact information, and purpose of the device, prior to deployment of the technology.

802.11 Wireless LANs will not be connected to, or part of, the cardholder environment.

When accessing cardholder data remotely via wireless or wired modem, it is prohibited to store cardholder data on local hard drives, floppy disks or other external media.  It is also prohibited to use cut-and-paste and print functions during remote access. Activation of modems for vendors will occur only when needed, with immediate deactivation after use.

Applicability

This policy applies to all University of Notre Dame employees and students.

Information Security & Compliance will:

  1. Establish, document and distribute security policies and procedures;
  2. Make all employees aware of the importance of cardholder information security through a formal security awareness program;
  3. Assist merchants with the completion and submission of all PCI DSS Self-Assessment Questionnaires;
  4. Administer the Payment Environment Change Approval Process wherein changes to the payment environment are approved by the Information Governance Committee.
  5. Administer the Merchant Account Acquisition Procedure wherein new accounts are approved by the Information Governance Committee.
  6. Maintain a current list of service providers, and procedures to manage those service providers.
  7. Establish, test, document, revise as needed, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  8. Monitor and analyze security alerts and information and distribute them to appropriate personnel;
  9. Conduct an annual risk assessment of the CCSP. The assessment will identify threats and vulnerabilities and will include input from managers, administrators, and users of the environment. The results of the assessment will be documented and available for review.

Administrators of card processing systems and applications will:

  1. Administer user accounts, including additions, deletions, and modifications.
  2. Monitor and control all access to data.

Merchants will:

  1. Ensure that all of their employees and business processes comply with this policy and related procedures.
  2. Identify positions that require access to cardholder data, specifying positions with access to multiple instances of cardholder data.
  3. Notify Human Resources through their department's HR Business Partner and the CCSP of all staff changes in positions with Privileged Access of Cardholder Data.
  4. Make their employees aware of the importance of cardholder information security.

Human Resources will:

Screen potential employees in identified positions to minimize the risk of attacks from internal sources.

Office of Information Technologies will:

CCSP technical duties and privileges are assigned by job classification and function. The following CCSP roles have been assigned to these departments or groups:

  • Server OS engineering and administration: OIT CTS
  • VMware engineering and administration: OIT IS
  • Network engineering (not firewall): OIT IS
  • Active Directory engineering: OIT CTS
  • Firewall services: OIT IS and OIT ITSD
  • Monitoring and testing: OIT CTS
  • Desktop support: OIT CITS
  • Application administration: Merchants

Review

CCSP will review this policy and related procedures annually.  This policy and related procedures will be updated when the card processing environment changes.

Exceptions

Exceptions to this policy or related procedures must be approved by the Information Governance Committee.