Purpose
The purpose of this policy is to define the guidelines for accepting and processing credit cards and storing
personal cardholder data. The policy will help ensure cardholder data supplied to the College is secure and protected. The
College is complying with credit card company requirements and the PCI-DSS.
All users of the Point-of-Purchase (POP) credit card terminal need to be aware of the hazards involved in the processing of credit cards. This will help them understand the common risks associated with credit card terminals.
Faculty/Staff should visit: www.trustkeeper.net/sa/02/index.html
Students should visit: www.trustkeeper.net/sa/01/index.html
Definitions
PCI-DSS:
The PCI-DSS is the result of collaboration between the major credit card brands to develop a single approach to safeguarding
sensitive data. The PCI-DSS defines a series of requirements for handling, transmitting and storing sensitive data. A copy
of the Standard can be obtained on the Visa website or from Credit Card Operations.
Cardholder data:
Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, Card Validation Code (CVC2), Card Verification Value (CVV2), Cardmember ID or Card Identification Number (CID). Typically, these last three are the three- or four-digit values printed on the front or back of a payment card.
Scope
Due to their role in accepting, processing, or otherwise handling credit card information, this policy
applies to all College faculty, staff and students. The cardholder information is primarily in physical format. While transactions
may occur over the phone, no electronic (i.e. internet) processing is available at this time.
Policy
All transactions the College processes must meet the standards outlined in the policy.
A. Credit card numbers should not be transmitted to unauthorized individuals, stored on a personal computer, or kept in an e-mail account. Also, credit card numbers are not to be written down and kept on the person, nor are they to be stored in unauthorized locations at the College. Electronic lists of customers' credit card numbers should not be retained. Due to the credit card processing structure of the College, credit card information is only accepted by telephone or in person. At this time, there is no electronic processing of credit cards.
B. Physical cardholder data must be locked in a secure area. Access should be limited to individuals who require the use of the data, and should be restricted on a "need to know" basis.
C. Only essential information should be stored. Do not store the Card Validation Code (also known as the Security Digits, V Code, or CID). Do not store a user's PIN or the full data from a card's magnetic stripe.
D. Credit card information should only be retained for the time needed to process the transaction or, if retained for reconciliation, for a maximum of one year where necessary.
E. Credit card information that does not need to be retained should be destroyed. Information should be destroyed by shredding (cross-cut) immediately after processing, or immediately after it no longer needs to be retained.
F. Credit card receipts may only show up to the last five digits of the credit card number. If receipts show more than five digits, the receipt must be shredded or retained in a secure area.
G. All departments must comply with the PCI-DSS. For more details, please visit:
www.pcisecuritystandards.org/security_standards/pci_dss.shtml
H. Exceptions may be granted by the chief financial aid director.
Procedures
The College has only one POP terminal on campus. It is located at the front desk in the reception area. Due to the nature of the College, students are allowed to use the terminal for completing customer transactions from the salon floor. Students are NOT permitted to process tuition-related payments. The director of education, owners, and chief financial aid director are authorized to handle such transactions. Students are also NOT permitted to retain credit card information on paper or electronically.
Faculty and staff are also allowed to use the credit card machine for daily reporting (i.e. batch down, drawer close out, etc.), maintenance, or instructional purposes (e.g. demonstrating how the terminal works to a student). A list of authorized employees and student attendance rosters are kept to track authorized users on any given day.
PLEASE NOTE: It is not permissible to obtain, send, or otherwise transmit credit card information by e-mail or any other internet-based application (e.g. Facebook, MySpace, IRC, AIM, message boards, etc.). There are no exceptions to this rule.
Incident Response Plan
All suspicious credit card activity pertaining to the College should be reported immediately by phone (419.425.1485 ext. 22). In the event credit card fraud occurs, the College will contact the credit card servicer (Elavon) and report the suspicious transaction. At that time, the College will inquire about other parties to contact specific to the cardholder. The College will also contact the local police department to notify the authorities of the crime. If no fraudulent transactions have occurred, the College will review the PCI-DSS policy and amend any sections to strengthen it for the future.
Reporting and Monitoring Responsibilities
The chief financial aid director will perform the regular review and revision of the College's security policy for any future considerations, and the completion of the annual self-assessment questionnaire.
Sanctions
If the requirements of the policy are not followed, suspension of physical payment options will result.
Fines may also be imposed by the affected credit card company. Minimum fines from VISA for violation of the PCI-DSS begin
at $50,000. The College may be required to report violations to the appropriate authorities.
Plagiarism
It is not permissible to plagiarize other students' material, whether in creating projects, taking tests or completing homework assignments. If proven, any form of plagiarism will result in the discontinuation of the student responsible for the infraction.