Payment Card Industry Data Security Standards Compliance and Payment Card Transactions

Financial Affairs, Office of the Controller   |   Approved February 10, 2021

Purpose

Establish procedures for securing cardholder data in accordance with Payment Card Industry Data Security Standards (PCI DSS).

Applicability

Operational Units accepting credit or debit cards for payments made to University of Maryland, Baltimore (UMB) for goods or services provided.

Instructions

TABLE OF CONTENTS

I. Scope

II. General Guidelines

III. Procedures

IV. Compliance Statement

V. Responsibilities

VI. Definitions and Terms

VII. Exceptions

Instructions

I. Scope

This Procedure applies to Operational Units that accept credit and/or debit cards (“payment cards”) for payments to UMB. Individuals with responsibilities, authority, and stewardship over payment card transactions are required to comply with applicable federal, state, University System of Maryland (USM), and UMB regulations, policies, and procedures. This Procedure establishes requirements and procedures for the security and protection of Cardholder Data (CHD). 

II. General Guidelines

A. Operational Units are required to establish internal procedures that thoroughly describe the entire transaction process and include, at a minimum, the following elements:

1. Segregation of duties

2. Deposits

3. Cash register procedures (if applicable)

4. Reconciliation procedures

5. Physical security

6. Data retention

7. Information disposal

8. Incident response

B. Each Operational Unit must list in its internal procedures whether payment cards will be accepted:

1. In person

2. By telephone

3. By mail

4. Online

C. Payment cards cannot be accepted via email, fax, instant messenger, or similar messaging technologies that are not identified above under Section II.B. If a payment is received via an unsecured method, such as email, the recipient should delete the payment information and reply to the sender. In the response the recipient should tell the sender that payments cannot be accepted by [     ] (insert method) and list the acceptable methods for payment.

D. Operational Units have discretion to limit the types of payment listed in Section II.B above, but are not allowed to add additional types to the list.

E. Each Operational Unit must have a designated UMB Employee who will have primary authority and responsibility for payment card transaction processing within that Operational Unit. The appropriate Dean or Vice President office will maintain the list of primary UMB Employees with this designation (“PCI Coordinator”). The PCI Coordinator cannot be an Authorized Affiliate Employee.

The PCI Coordinator is responsible for ensuring:

1. Compliance with PCI DSS.

2. Only appropriate individuals have access to payment card transactions or CHD. 

3. Individuals with duties related to payment card transactions, including refunds and chargebacks, successfully complete the mandatory annual training provided in the Learning Management System (LMS).

F. Payments can only be processed by UMB Employees or Authorized Affiliate Employees.  All payment processors must be authorized by the Operational Unit and must attend and successfully complete required PCI Training. 

G. Payments that are not processed online must be processed via Bank Equipment.  Payments must not be processed using any other equipment.

H. A payment should be processed within one business day of receiving the payment and the CHD should be destroyed by the close of business, but no later than 24 hours after processing the payment.   The preferred method for destruction is cross-cut shredding.  Alternatives may be used as long as the CHD is unreadable and destroyed.  Examples include punching holes through the card number, expiration date, and security code for CHD that is documented on a form.  Writing over the CHD with a black marker is NOT an acceptable method for destroying CHD.

I. Operational Units may only use the services of payment card processing vendors which have been approved by the Office of the Controller (OOTC) and Strategic Sourcing and Acquisition Services (SSAS) to process payment card transactions regardless of whether the transaction is point of sale (POS), mail/telephone order, or internet-based. A payment card processing vendor is a third party vendor, application, or gateway, used to accept payments on behalf of UMB (e.g. TouchNet). See the  Procedure on Establishing and Accounting for Payment Card Accounts.

J. Operational Units may only use contractors that have been approved by SSAS to process payment card transactions regardless of whether the transaction is point of sale (POS), mail/telephone order, or internet-based. A contractor is an external entity engaged in business with UMB and usually uses UMB resources, such as the network or equipment. Examples include, but are not limited to, Parking, Bookstore, and Campus Dining Services. Operational Units using contractors that process payment cards must contact the PCI Compliance Committee (PCC) for assistance in obtaining the necessary attestation of PCI compliance from the contractor.

K. At the direction of the PCC, Operational Units must complete an annual PCI compliance survey and PCI Self-Assessment Questionnaire (SAQ). These are required under PCI DSS.

L. Operational Unit procedures and controls may be reviewed by Management Advisory Services (MAS) and the PCC.   

M. Questions?

Contact DL-CITSPCICompliance@umaryland.edu.

III. Procedures

A. Establish a Payment Card Account (“Merchant Account”)

A Merchant Account must be established in accordance with the Procedure on Establishing and Accounting for Payment Card Accounts.

B. Determine the Method for Processing Payments

There are two methods for processing payments:  Payment Terminal/Cellular Device and Online.

1. Payment Terminal/Cellular Device

a. Operational Unit personnel entering payments must use Bank Equipment and be authorized by the unit PCI Coordinator to enter payments. See Section II.E.

b. A Cellular Device is a mobile unit for processing payments at locations where the Payment Terminal is not available. The Cellular Device is available from the Merchant Bank.

c. A tamper sticker must be affixed to the equipment. Tamper stickers may be obtained from OOTC-Student Financial Services (SFS). Email studentaccountmgmt@umaryland.edu  to request tamper stickers.

2. Online

a. Operational Unit personnel are prohibited from submitting online payments on behalf of customers.

b. Customers must initiate and submit their own online payments.

C. Determine the CHD Retrieval Method

1. Card Present Transactions

A Card Present Transaction is a transaction that includes the physical payment card. The physical card must be presented at the time of the payment and the payment data is entered by swiping, inserting, or tapping the card.

a. Operational Unit procedures must describe the process for accepting payments in person. The preferred method is for the cardholder to initiate the payment using the Bank Equipment.

b. If the cardholder is unable to enter the card directly into the Bank Equipment, an individual who has been authorized by the Operational Unit may process payment card transactions directly into the Bank Equipment on behalf of the cardholder. Refer to Section II.E for information on authorized individuals and required training.

c. Recording payment card numbers on forms, spreadsheets, or other media should be limited to circumstances where the need to do so is unavoidable. Any media containing payment card numbers must be properly secured in a locked office, cabinet, or other area that is only accessible by authorized personnel.  Any media containing payment card numbers must be destroyed by the close of business, but no later than 24 hours after the payment is processed in accordance with UMB Policy X-99.08(A)on Disposal of Media Containing Data and the accompanying UMB Procedure on Disposal of Media Containing Data.  See Section II.H for requirements on cardholder data destruction.

d. Report Suspected Card Fraud

If it is suspected that a card is fraudulent, the Operational Unit should report it according to the Security Breach steps defined in Section III.E of this Procedure.

e. Retain the signed merchant copy of the receipt generated by the Bank Equipment and return the other copy to the cardholder.

f. Place the merchant copy of the receipt in a secured location (e.g. safe, locked drawer) until the End of Day Batch Process has been run.

2. Card Not Present Transactions

A Card Not Present Transaction occurs when the physical card is not presented at the time of the payment.  Examples include payments made by telephone or mail.

a. Telephone Payments

(i) All telephone payments should be entered directly into the Bank Equipment during the call if possible. Do not accept payment information via a voicemail/phone message.  

(ii) If payment data must be written down, it should be logged on the Telephone/Mail Payment Card Processing Tracking Form (see Financial Services Forms) and entered directly into the Bank Equipment immediately after the call has concluded. The portion of the form containing the payment card information must be destroyed by the close of business, but no later than 24 hours after the transaction has been processed in an approved PCI manner. See Section II.H for requirements on cardholder data destruction.

b. Mailed Payments

(i) Mail should be opened and processed on a daily basis whenever possible. Payment requests must be entered on the Telephone/Mail Payment Card Processing Tracking Form (see Financial Services Forms).

(ii) Bundle together all payment requests and attach a cover sheet with the date, count of requests, and initials of the person opening the mail. 

(iii) Hand over the bundle to the person responsible for entering the payment(s). Payments should be entered within one business day.

(iv) Enter the payment directly into the Bank Equipment and print out two copies of the receipt.

(v) The portion of the form containing the payment card information must be destroyed by the close of business, but no later than 24 hours after the transaction has been processed. See Section II.H for requirements on cardholder data destruction.

(vi) Return a copy of the receipt to the customer via the approved Operational Unit method (e.g. mail, fax, email). Ensure that all CHD has been rendered unreadable.

(vii) Place the merchant copy of the receipt in a secured location (e.g. safe, locked drawer) until the End of Day Batch Process has been run.

D. Operational Unit Processes

1. End of Day Batch Process

a. Document the steps that are followed to settle all transactions at the end of the day. Include names of individuals responsible for the daily batch process.

b. Close out and settle the payment card terminals or web-based applications daily.

c. Staple the sales/batch report in front of the sales receipts and store in a secure location (e.g. locked safe or drawer).

2. Reconciliation Process

a. Each Operational Unit must establish and document reconciliation procedures. The reconciliation procedures must include information on how the unit will remedy unreconciled items.

b. Differences must be investigated immediately. Any unresolved differences must immediately be reported in writing to the Operational Unit head, University Controller, and Management Advisory Services (MAS).

c. Reconciliations must be performed by an individual who is not directly involved in processing transactions.

d. Reconciliations must be documented.

e. Reconciliations must be reviewed, signed and dated by the preparer and the department administrator (or designee). 

f. The three reconciliations listed in this section are required. These reconciliations must be performed at least once per calendar month. Operational Units may decide to reconcile more frequently as needed.

(i) Sales must be reconciled with payments processed. This ensures that payments have been processed for all sales. Compare the sales report with the batch report.

(ii) The batch report must be reconciled with the amount funded. This ensures that the payments processed have been funded by the merchant bank.  Compare the batch report with the merchant bank activity.

(iii) The merchant bank activity must be reconciled to the general ledger activity in the UMB financial system. This ensures that the transactions are posted in the UMB financial system. Compare the merchant bank activity statement with the UMB financial system general ledger report.

(iv) Examples of reconciliations are available here.

(v) Store reconciliations in a secure location.

(vi) Contact MAS if assistance is needed in establishing reconciliation procedures.

3. Payment Terminal and Cellular Device Inspections

a. Bank Equipment that is used in a shared area (e.g. cashier’s window, shared office space) must be visually inspected daily. If possible, Bank Equipment should be stored in a locked area when not in use or after hours.

b. Bank Equipment that is maintained in a locked area (e.g. administrator’s office) requiring authorized access via key, ID card, etc. must be visually inspected weekly (minimum). 

c. Visual inspection requires checking the equipment to determine if it has been tampered with or exchanged (i.e. verify stickers have not been removed and re-affixed, same model, same serial number, etc.).

(i) Log date, initials, and inspection results into the Swipe Terminal Inventory Sheet (see Financial Services Forms).

(ii) If tampering is suspected:

- Discontinue using the terminal.

- Contact the merchant bank to acquire a new terminal.

- Report any tampering as a Security Breach per the steps defined below in Section III.E.

4. Refunds and Chargebacks

a. Issuing refunds and resolving chargebacks are the responsibility of the owner Operational Unit. The owner Operational Unit is typically the unit that receives the funding (e.g. Parking and Transportation Services is the owner Operational Unit for parking fines, garage access, etc.). The owner Operational Unit for all transactions on student accounts is OOTC-SSFS.

b. Refunds and chargebacks should be processed by an Operational Unit manager or designee. Note that any individual processing transactions that include CHD must be trained and approved by the Operational Unit PCI Coordinator.

5. Document Retention

a. The following information may be retained in the Operational Unit files:

(i) A portion of the payment card number. Typically, the last four digits are stored and any remaining digits are replaced with letters or symbols.

(ii) Cardholder’s name

(iii) Payment card expiration date

b. The following information must never be retained:

(i) Full payment card number

(ii) Payment card security code

c. Be sure to log any movement of the files until they are destroyed in accordance with UMB Policy X-99.07(A) Data Retention – Archival Policy.

E. Suspected Security Breach or Fraud

In the event of a security breach/incident:

1. Immediately notify the Employee’s supervisor and the Operational Unit PCI Coordinator.

2. If fraud is suspected, but uncertain, contact MAS.

3. If the suspected activity involves computers (hacking, unauthorized access, etc.), also contact the Operational Unit’s IT support team and immediately notify the Center of Information Technology Services (CITS).

IV. Compliance Statement

A. Failure to protect personal information may result in financial loss to the unit and/or suspension of a unit’s payment card processing privileges.

B. Employees who fail to comply with UMB Policies and Procedures may be subject to disciplinary action and/or criminal action.

C. An Authorized Affiliate Employee who does not follow UMB Policies and Procedures will lose the privilege of being an Authorized Affiliate Employee, will have UMB fiscal authority terminated, and may be subject to criminal action.

V. Responsibilities

A. Operational Units

1. Establish internal procedures to ensure PCI DSS compliance.

2. Identify a PCI Coordinator and maintain an updated list of personnel with responsibilities related to payment card transactions.   

3. Limit access to CHD to individuals who need the information to process transactions.

4. Secure CHD and immediately dispose of CHD.

5. Ensure that individuals processing transactions, refunds, and chargebacks successfully complete CITS mandatory training.

6. Complete annual UMB PCI compliance survey and the PCI Self-Assessment Questionnaire (SAQ).

B. Office of the Controller – Student Financial Services

Review applications for Merchant Accounts and assist Operational Units if needed to obtain secure equipment.

C. PCI Committee

1. Oversee UMB PCI DSS compliance program.

2. Assist Operational Units with PCI compliance inquiries.

3. Periodically review Operational Units to ensure compliance with PCI policy and procedure.

4. Administer and collect the UMB PCI compliance surveys and the PCI Self-Assessment Questionnaires (SAQs).

VI. Definitions and Terms

Authorized Affiliate Employee – A person employed by an entity that has a relationship with UMB authorized by the Board of Regents or by law, e.g., faculty practice plan organizations, University of Maryland Baltimore Foundation (UMBF) and other affiliated foundations, recognized incorporated alumni associations, recognized affiliated business entities, University of Maryland Medical System/University of Maryland Medical Center, and other University System of Maryland institutions. An Authorized Affiliate Employee is responsible for the administration and reporting of UMB resources.

Bank Equipment – Payment terminals and cellular devices supplied by the Merchant Bank. 

Cardholder Data (CHD) - Those elements of payment card information that are required to be protected. Elements include Primary Account Number (PAN), Cardholder Name, Expiration Date, Service Code, and Sensitive Authentication Data. The Service Code permits where the card is used the purpose of use.

Cellular Device - A mobile device supplied by the Merchant Bank to securely transmit CHD.

Employee - Includes (but is not limited to) all types (regular, contingent I and contingent II) and classes (faculty, staff, students, post-doctoral fellows) of individuals who receive compensation from UMB.

Fraud – Fraud generally involves a willful or deliberate act, expression, omission or concealment with the intent of obtaining an unauthorized benefit, such as money or property, by deception or other unethical means. 

Operational Unit - Schools, divisions, departments, etc.

Payment Terminal – A device supplied by the merchant bank to securely transmit CHD.

PCI Compliance Committee (PCC) – A team of UMB Employees from A&F and CITS that oversees PCI compliance for UMB.  Contact:  DL-CITSPCICompliance@umaryland.edu

PCI DSS – Payment Card Industry Data Security Standards are a set of policies and procedures developed by major credit card companies to protect cardholder personal information. All organizations that accept credit or debit cards are required to comply with PCI DSS.

Security Breach - Any incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms.

VII. Exceptions

Exceptions to this Procedure must be approved in writing by the University Controller (UC). All requests must be submitted to the UC using the Policy or Procedure Exception Request Form available on the OOTC website. The request must be signed/e-mailed by the Department Head or designee.

Exceptions to UMB Policy VIII-99.08(A):  Payment Card Industry Data Security Standards must be approved in writing by the Chief Business and Finance Officer (CBFO). Requests may be submitted to the University Controller using the Policy or Procedure Exception Form available on the OOTC website. Requests must be signed by the Dean/Vice President (or designee).