USU Merchant Responsibilities
Utah State University has gone to great lengths to achieve and maintain PCI Compliance. Utah State University must comply with PCI DSS in order to be approved and continue to accept payment cards. Maintaining compliance is no easy task for a rapidly growing, complex, decentralized organization like USU. Each merchant account brings additional responsibilities on Utah State University's staff for safeguarding sensitive data. Compliance documentation is also complicated by the various methods and systems through which USU accepts and processes payments. Therefore, achieving and maintaining compliance requires a joint effort between multiple departments across campuses.
Compliance is a challenge, but it is one that we are meeting and will continue to meet. USU Merchants play a vital role: they are responsible for actively adhering to university policies and the PCI DSS requirements, and for ensuring ongoing compliance for their merchant account.
- Establish a PCI Merchant team to structure and maintain PCI compliance as it relates to this merchant account. PCI Merchant team members are: Business Director/Manager, System Operation Admin, System Admin, Business Services Manager, and IT Support personnel (supporting hardware). The PCI Merchant team will work closely with the PCI Compliance Officer to maintain compliance.
- Establish appropriate business procedures for storing, transmitting and processing credit card data in your area(s) via electronic systems and/or paper forms.
- Determine the appropriate access based on "need-to-know" and define procedures for authorizing, maintaining and decommissioning user accounts.
- Educate employees, volunteers, and support staff on PCI DSS and define their roles and responsibilities.
- Ensure that all individuals involved in the credit card flow of your merchant account participate annually in PCI Credit Card Security Training.
- Forecast data cycle plans, budgets, and technology upgrades so hardware and software are kept in compliance with PCI DSS's changing life cycle.
- Be an active Data Steward as defined in the University's Information Security Policy #558.
- Keep merchant profile, system profile, procedures, system validation certificates, and all other required information up-to-date in Merchant Portal.
- Seek opportunities to reduce PCI risk and scope for your merchant account.
PCI DSS Compliance Requirements/Guidelines
- It is against University Policy to store credit card numbers on any computer, server, or database outside an approved credit card vault. This includes Excel spreadsheets.
- Treat payment card receipts like you would cash.
- Keep payment card data secure and confidential.
- Restrict access to card data to "those who need to know".
- Documents containing cardholder data should be kept in a secure environment (e.g. a safe, a locked file cabinet, etc.).
- Cardholder data must be transmitted securely (i.e. encrypted).
- Email is not an approved way to transmit credit card numbers.
- Fax transmittal of cardholder data is not permissible at USU.
- Customers are the only individuals authorized to write down credit card information on an approved payment form. Employees do not write down credit card numbers.
- In-person and over-the-phone payments must be processed directly in an approved PCI device at the time of transaction.
- "Sanitize" account numbers on paper documents by cutting off the credit card information and cross-cut shredding it.
- Technology changes that affect payment card systems are required to be approved by the Information Security Office prior to being implemented.
- Any new systems/software that process payment cards are required to be approved by the Information Security Office prior to being purchased.
- Computer systems that process payment cards must be on the PCI VLAN. Register your PCI hardware by filling out the PCI Hardware Registration form.
- Use and regularly update anti-virus software.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Assign a unique ID to each person with computer access.
- Report all suspected or known security breaches to the Information Security Office and the IT Security Team.
- Employees and non-employees exposed to the card payment flow process are required to participate in annual PCI Credit Card Security Training.
Attestation for Merchant Accounts
Merchants will maintain the necessary documents, system profile, business procedures, etc. as part of their compliance attestations. USU conducts ongoing merchant assessments in accordance with the Merchant Compliance Procedures.