Payment Card Industry (PCI) Compliance Policy

The University at Buffalo (UB, university) is committed to compliance with the Payment Card Industry Data Security Standards (PCI DSS) to protect payment card data regardless of where that data is processed or stored. All members of the university community must adhere to these standards to protect our customers and maintain the ability to process payments using payment cards.

The university prohibits the retention of complete payment card primary account numbers (PAN) or sensitive authentication data in any university system, database, network, computer, tablet, cell phone, or paper file. Storing truncated numbers, in approved formats (first six digits or last four digits) is permissible.

The Credit Card Handling Chart details the acceptable use of payment card data and security requirements. The PCI DSS requirements do not supersede local, state, and federal laws or regulations.

The university is required to comply with all relevant standards. However, not all of the PCI DSS requirements are relevant to UB. Certain university policies reduce the compliance scope, including prohibiting electronic storage of payment card information, restricting transmission through fax and email, and utilizing third-party vendors for web-based payment card processing rather than university networks. 

The PCI DSS is a mandated set of requirements agreed upon by the major credit card companies. The security requirements apply to all transactions surrounding the payment card industry and the merchants or organizations that accept these cards as a form of payment.

The university must comply with the PCI DSS in order to accept card payments and avoid penalties. This policy and additional supporting policies:

• Provide the requirements for processing, transmission, storage, and disposal of cardholder data transactions
• Reduce the institutional risk associated with the administration of payment cards
• Promote proper internal control
• Promote compliance with the PCI DSS

This policy applies to those involved with payment card handling including faculty, staff, students, third-party vendors, individuals, systems, networks, and other parties with a relationship to the university including auxiliary service corporations, alumni associations, student associations and governments, Research Foundation (RF), UB Foundation (UBF) and any unit using third-party software to process payment card transactions. This includes transmission, storage, and processing of payment card data, in any form (electronic or paper) on behalf of UB.

Cardholder

Individual who owns and benefits from the use of a membership card, particularly a payment card.

Cardholder Data (CHD)

Elements of payment card information that must be protected, including primary account number (PAN), cardholder name, expiration date, and the service code.

Cardholder Name

The name of the individual to whom the card is issued.

Expiration Date

The date on which a card expires and is no longer valid. The expiration date is embossed, encoded, or printed on the card.

Service Code

Permits where the card is used and for what.

Disposal

CHD must be disposed of in a certain manner that renders all data un-recoverable. This includes paper documents and any electronic media including computers, hard drives, magnetic tapes, and USB storage devices in accordance with the Record Retention and Disposition Policy. The approved PCI DSS disposal methods include cross-cut shredding, incineration, and approved shredding and disposal service.

Merchant

A department or unit (including a group of departments or a subset of a department) approved to accept payment cards and assigned a merchant identification number.

Payment Card Industry Data Security Standards (PCI DSS)

The security requirements defined by the Payment Card Industry Data Security Standards Council and the major credit card brands including Visa, MasterCard, Discover, American Express, and JCB.

PCI Compliance Committee

Group composed of representatives from Financial Management, Information Security Office, Office of the Vice President and Chief Information Officer, Internal Audit, and UB merchants.

Primary Account Number (PAN)

Number code of 14 or 16 digits embossed on a bank or credit card and encoded in the card's magnetic strip. PAN identifies the issuer of the card and the account, and includes a check digit as an authentication device.

Self-Assessment Questionnaire (SAQ)

Validation tools to assist merchants and service providers report the results of their PCI DSS self-assessment.

Sensitive Authentication Data

Additional elements of payment card information required to be protected but never stored. These include magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data, and PIN or PIN block.

CAV2, CVC2, CID, or CVV2 data

The three- or four-digit value printed on or to the right of the signature panel or on the face of a payment card used to verify card-not-present transactions.

Magnetic Stripe (i.e., track) data

Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full magnetic-stripe data after transaction authorization.

PIN or PIN block

Personal identification number entered by the cardholder during a card-present transaction, or encrypted PIN block present within the transaction message.

• Safeguard cardholder data.
• Report occurrences of possible incidents and data breaches to your supervisor or the UB Information Security Officer.
• Review and comply with the following university policies:
  • UBIT Password
  • Protection of University Data

• Monitor the university’s compliance with PCI DSS requirements.
• Act as a steering committee for PCI DSS.
• Support PCI DSS compliance efforts.
• Review the required annual SAQ self-assessment.

• Maintain security standards required by PCI DSS.
• Keep current with PCI DSS regulations and make changes to systems and processes, as appropriate.
• Consult on technical PCI DSS issues.
• Assist with mandatory annual training sessions.

• Maintain an inventory of all UB schools and departments that process payment card transactions using an approved merchant account, UB Marketplace, or other compliant methods.
• Provide and monitor annual training that meets the PCI DSS requirements.
• Coordinate completion of the annual self-assessment documents (SAQs).
• Collect departmental PCI procedures as part of the annual SAQs.
• Evaluate compliance with PCI as part of scheduled cash handling reviews; this is a shared responsibility with Financial Management.

• Keep current with PCI DSS regulations and make changes to processes, as appropriate.
• Maintain the inventory of all State devices (i.e., analog, cellular, Bluefin), merchant ids, and terminal ids along with activation status.
• Evaluate compliance with PCI as part of scheduled cash handling reviews; this is a shared responsibility with Policy, Compliance and Internal Control.

• Review and comply with the following university policies:
  • Credit/Debit Card Merchant Requirements
  • Safeguarding Cash and Cash Equivalents
• Complete the required annual PCI self-assessment (SAQ).
• Complete the annual PCI training through Financial Management.
• Require appropriate staff to complete the annual PCI training through Financial Management.
• Maintain departmental Standard Operating Procedures (SPO) for PCI compliance and verify staff has an understanding of the procedures and their responsibilities.

• Follow the established cash receipts procedures for the appropriate funding source.
• Follow the Payment Card Processing Options and use PCI Compliant Devices for all card transactions.
• Complete the Payment Card Authorization Form when appropriate.
  
• Complete the annual PCI training through Financial Management.
• Review and comply with the following university policies:
  • Credit/Debit Card Merchant Requirements
  • Safeguarding Cash and Cash Equivalents

• Provide confirmation of compliance.