Position Modification Procedure

Position Modification Procedure

Identification of Positions with Privileged Access

In fulfillment of Payment Card Industry Data Security Standard requirements, positions with access to multiple instances of cardholder data are identified using the Registry of Positions with Privileged Access . Each merchant account owner must keep their registry up-to-date. Each merchant will provide their registry to the CCSP annually, on request. The CCSP will then compile a master registry for use by the Office of Human Resources (HR) in tracking changes to positions with Privileged Access

Modification of Positions with Privileged Access

Privileged Access will be provided only to employees with a functional need for such access, in accordance with the University's Data Access Policy. When a position with Privileged Access is created or discontinued and when Privileged Access is added to or withdrawn from an existing position:

  1. The merchant will include the level of access in the Position Description.
  2. The merchant will notify HR of the change.
  3. The merchant will indicate the access level of the position on HR forms where requested.

Hiring

When filling a position with Privileged Access, merchants will notify the CCSP using the Merchant Contact Information Form prior to the employee starting.

External Candidates

A criminal background check will be run for all external applicants to positions with Privileged Access. Candidates whose backgrounds contain a financial infraction within the last seven years are deemed ineligible for the position now and in the future. Depending upon the totality of background information, the candidate may be ineligible for other employment for at least six months.

Internal Transfers

Except where a criminal background check occurred within the preceding twelve month period, a criminal background check will be run for all internal applicants to positions with Privileged Access. Candidates whose backgrounds contain a financial infraction within the last seven years are deemed ineligible for the position now and in the future.

Separation

Upon separation of an employee with Privileged Access:

  1. Merchants will notify the CCSP using the Merchant Contact Information Form.
  2. The merchant will revoke access to cardholder information, immediately upon separation.

Credit Checks

HR will use discretion to conduct a credit check only if conviction information on background check suggests possible financial misdeeds that a credit check might shed further light on.

Applicability

This procedure applies to Notre Dame employees who supervise or hold positions with Privileged Access. Privileged Access refers to the ability to access multiple instances of cardholder data at one time. Examples of positions with Privileged Access include Database Administrators of payment application databases where cardholder data are stored, staff with access to multiple paper forms containing cardholder information, and terminal operators with the ability to run batch reports containing cardholder information. An example of a position with non-privileged access to cardholder data is a cashier, handling one transaction at a time.