Payment Card Security
Credit card processing at the College shall comply with the Payment Card Industry Data Security Standards (PCIDSS). The following security requirements have been established by the payment card industry and adopted by the College to ensure compliance with the payment card industry. These requirements apply to all employees, systems and networks involved with credit card processing, including transmission, storage or electronic and paper processing of credit card numbers.
I. Authorized Employees
Credit card processing for official college business is restricted to authorized college employees only. No other College employees are authorized to process such information for any reason. College employees who process credit card information or who have access to this information will complete regular data security training.
II. Procedures
- Each College employee who processes credit card information must strictly adhere to the following:
- Access to credit card information is restricted to authorized personnel.
- System and desktop passwords must be regularly changed.
- Accounts should be immediately terminated or disabled for employees who leave employment with the College.
- Credit card information should not be stored in any format.
- Credit card information, including the card number, cardholder name, CVV code, and expiration date should not be retained for any reason.
- Employees may not send or process credit card data in any insecure manner including transmitting such data via email, courier, or instant messaging. Credit card information may not be left exposed to anyone.
- The College’s Information Technology Department shall maintain additional procedures to ensure compliance with PCIDSS including:
- Configuration of card processing procedures, including segmentation of local area networks and protection through deployment of firewalls.
- Logging control procedures.
- Wireless use procedures.
- Encryption procedures.
