Financial Affairs Policies

VIII-99.08(A)

UMB Payment Card Policy: Payment Card Industry Data Security Standards

Financial Affairs   |   Approved February 10, 2021


Responsible VP/AVP

Dawn M. Rhodes, DBA, MBA


Revision History

Approved February 10, 2021.


Policy Statement

Scope:
This Policy applies to all types of transactions for which payment by credit card or debit card is accepted.

Purpose:

  1. To prevent financial loss to individuals who use credit or debit cards (“payment cards”) to make payments to UMB.
  2. To prevent disclosure of Cardholder Data (CHD) including sensitive information (e.g. identification numbers such as driver’s license, passport, etc.).
  3. To reduce the risks associated with the administration of payment cards by Operational Units.
  4. To ensure proper internal controls and compliance with Payment Card Industry Data Security Standards (PCI DSS).
  5. To establish requirements and guidelines to protect personal information.
  6. To comply with federal and state laws related to securing personal information.

Policy Statement:

  1. The PCI DSS is a mandated set of security requirements agreed upon by major credit card companies. These requirements apply to all payment card transactions and to the merchants/organizations that accept these cards as forms of payment.
  2. In order to accept payment cards, University of Maryland, Baltimore (UMB) must prove and maintain compliance with PCI DSS.
  3. Requirements for processing, transmitting, storage, and disposal of CHD transactions are prescribed in the Administration and Finance (A&F) Procedure on Payment Card Industry Data Security Standards Compliance and Payment Card Transactions.
  4. Operational Units are required to comply with PCI DSS whenever payment cards are an allowable source for payment; whether the transaction is accepted or denied; and whether the transaction is electronic (e.g. online) or manual (e.g. by phone or in person).
  5. Failure to protect personal information may result in financial loss to an Operational Unit, suspension of an Operational Unit’s payment card processing privileges, or disciplinary action against employees.
  6. Payment card types and processing equipment must be approved by the UMB University Controller (or designee). Requirements for establishing merchant accounts and obtaining processing equipment are described in the A&F Procedure on PCI DSS Compliance and Payment Card Transactions and the A&F Procedure on Establishing and Accounting for Payment Card Accounts.
  7. Operational Units are required to establish internal controls and procedures to secure personal information. Operational Unit procedures should include at a minimum:
    1. Limit the data collected to only that which is necessary to complete the transaction.
    2. Securely delete data after it is no longer needed.
    3. Limit data access to employees who require the information for completing job duties.
    4. Periodically review roles to ensure data access is limited to only employees who require data access to complete their job duties.
    5. Periodically inspect processing equipment.
  8. CHD and sensitive information must be disposed of in a manner that renders all data unrecoverable. This includes paper documents and any electronic media, including computers, hard drives, magnetic tapes, and USB storage devices. Refer to the A&F Procedure on PCI DSS Compliance and Payment Card Transactions and UMB Policy X-99.08(A) on Disposal of Media Containing Data for additional information.
  9. Operational Units are prohibited from submitting online payments on behalf of customers.
  10. Operational Units are prohibited from communicating or accepting CHD via email, fax, chat, instant messenger, or other messaging technologies.
  11. Operational Units are prohibited from saving, storing, or retaining Sensitive Authentication Data.
  12. Operational Units are prohibited from using payment methods that have not been authorized by UMB (e.g., PayPal, Square Technologies).
  13. Employees who fail to comply with UMB Policies and Procedures may be subject to disciplinary action and/or criminal action.
  14. An Authorized Affiliate Employee who does not follow UMB Policies and Procedures will lose the privilege of being an Authorized Affiliate Employee, will have UMB fiscal authority terminated, and may be subject to criminal action.

Applies to:

  1. All UMB Employees. UMB Employees include all types and classes of employees, such as officers, faculty, staff, students, post-doctoral fellows, regular employees, and contingent I and II employees.
  2. Authorized Affiliate Employees, individuals, organizations, third-party vendors, systems, and networks involved with payment card handling. Payment card handling includes the transmission, storage, and/or processing of payment card data in any form (e.g. electronic, paper) on behalf of UMB.

Definitions:

Authorized Affiliate Employee – A person employed by an entity that has a relationship with UMB authorized by the Board of Regents or by law, e.g., faculty practice plan organizations, University of Maryland Baltimore Foundation (UMBF) and other affiliated foundations, recognized incorporated alumni associations, recognized affiliated business entities, University of Maryland Medical System/University of Maryland Medical Center, and other University System of Maryland institutions. An Authorized Affiliate Employee is responsible for the administration and reporting of UMB resources.

Cardholder Data (CHD) – Those elements of payment card information that are required to be protected. These elements include Primary Account Number (PAN), Cardholder Name, Expiration Date, Service Code, and Sensitive Authentication Data. The Service Code specifies where the card may be used and for what purposes.

Operational Unit – Schools, divisions, departments, etc.

PCI DSS – Payment Card Industry Data Security Standards are a set of policies and procedures developed by major credit card companies to protect cardholder personal information. All organizations that accept credit or debit cards are required to comply with PCI DSS.

Sensitive Authentication Data – Additional elements of payment card information that are also required to be protected and must never be stored. These include Magnetic Stripe (i.e., track) data; CAV2, CVC2, CID, or CVV2 data; and PIN/PIN block data.

Exceptions:

Exceptions to this Policy must be approved in writing by the Chief Business and Finance Officer (CBFO). Requests may be submitted to the University Controller using the Policy or Procedure Exception Form available on the Office of the Controller (OOTC) website. Requests must be signed by the Dean/Vice President (or designee).

Responsibilities:

OOTC is responsible for establishing procedures to promote compliance with this Policy.

All personnel involved in accepting, processing, transmitting, or storing CHD are responsible for complying with the A&F Procedure on Payment Card Industry Data Security Standards Compliance and Payment Card Transactions in conjunction with related financial and technology policies and procedures.
