It is required that all Western Oregon University entities processing credit card data or eCommerce data take measures to safeguard sensitive customer information including credit card numbers. Failure to comply with Payment Card Industry Data Security Standards (PCI DSS) may result in financial loss, fines, suspension of credit card processing privileges, and/or damage to the reputation of the university.

This policy governs all credit card and eCommerce processing activities at Western Oregon University. 

Payment Card Industry Data Security Standards (PCI DSS)

https://www.pcisecuritystandards.org

ORS 351.070

https://www.oregonlegislature.gov/bills_laws/lawsstatutes/2013ors351.html

POLICY STATEMENT

1. The Director of Business Services is responsible for oversight of university debit/credit card security, the distribution of security policies and procedures, monitoring of system access and alerts, and incident response.

2. The Director of Business Services shall approve all credit card and eCommerce activities at Western Oregon University, including: card present or point of sale transactions, transactions conducted over the phone, by fax, and/or on the internet.

3. University departments with approved credit card processing activities must maintain the following standards.

PROCEDURES

a) Protect Customer Information

• WOU entities will not load any credit card processing applications on the University network and will limit the amount of credit card information stored, processed, or transmitted on the network to only those transactions that are needed to operate effectively. Do not create an electronic file containing full credit card numbers (database, spreadsheet, word processor, image, etc.)

• Avoid the retention of paper records containing complete credit card numbers. If, for business reasons, you must store full card numbers then do so for no longer than 36 months before securely disposing of them (confidential recycle, cross-cut shred, pulp, or incinerate).   Mark these records as ‘Confidential’.

• Records containing partial card numbers should be retained for no longer than seven years.

• Strictly limit access to paper records containing credit card and bank account numbers based on job function. Where practical, limit access to full time professional staff.

• Access to electronic records must be authorized in writing by the employee’s manager. 

• System terminals must be programmed to mask card numbers on both merchant and customer copies of receipts.  

• Physically secure paper records containing full credit card numbers in locked cabinets or offices with adequate key control.

• Inventory paper records containing full or partial credit card numbers every six months to identify loss or theft of items. 

• Do not send or receive complete credit card numbers using email or campus mail.

b) Properly Account

• Adhere to appropriate accounting standards as established by Western Oregon University Business Services.

• Uniquely serialize and fully journalize all transactions to provide a conclusive audit trail.

• Routinely reconcile all goods and services provided and received with the accounting records.

c) Employee Training

• Designate a unit information security officer or single point of contact.

• Train all employees involved in processing card transactions to protect card data and ask them to review this policy annually and when business processes change.

d) Annual Risk Assessment

• All university units processing credit cards will participate in an annual PCI risk assessment.

e) Third Party Vendors

• The Business Office will assist university departments in processing credit card and electronic payments online using fully hosted payment processing services that are approved by the Office of the State Treasurer (OST).  These services are Payment Card Industry (PCI) compliant, NACHA compliant, and cost effective. 

• In accordance with OST Cash Management Policy 02 18 14.PO, all third party vendors must be approved in advance by OST.  To obtain approval vendors must complete the OST 3rd Party Vendor Prequalification Form.

• Oregon law requires that state funds be deposited directly into a recognized Oregon depository within 24 hours.  For this reason the use of PayPal or similar services that do not deposit proceeds directly into an OST merchant account are prohibited.

f) In the event of a breach in card data security take the following steps:

The unit shall immediately contain and limit the exposure of cardholder data, alert the Director of Business Services, and conduct a thorough investigation of the suspected loss or theft of account information.

• Do not access or alter compromised systems (e.g., do not log on or change passwords; do not log in as ROOT or Administrator). 

• Do not turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the cable). 

• Preserve logs and electronic evidence. 

• Log all actions taken. 

• If using a wireless network, change SSID on the AP and other machines that may be using this connection (with the exception of any systems believed to be compromised). 

• Be on high alert and monitor all systems with cardholder data.

• Provide Business Office with a report containing; account information at risk and the source and timeframe of the compromise.

The Business Office will alert all necessary parties immediately as listed below: 

NOTE: If an incident occurs during normal business hours (8:00AM to 5:00PM), notify the Office of the State Treasurer (OST) by using the number listed below.  OST will then notify U.S. Bank, and coordinate all communication.  If the incident occurs outside of normal business hours, contact U.S. Bank directly by using the phone number listed below. 

• Internal Information Security Group and Incident Response Team.  Director of Computing Services, VP Finance and Administration, Director of Business Services, and Director of Human Resources.

• Office of the State Treasurer (OST); (503) 378-4000.  Notify the receptionist that you have experienced a merchant card breach, and ask to speak with the Merchant Bank Liaison on the Banking Team or a member of the Relationship Management Services team. 

• U.S. Bank; 1(800) 725-1243.  Identify that you are a “National Account” with the State of Oregon, and provide them with your Merchant ID (MID) #. Notify U.S. Bank customer service representative that you have experienced a merchant card breach, and ask that the incident be reported to the Risk Department.

Complete an Incident Report as soon as possible.  This must be completed within three business days, and provided to the Office of the State Treasurer. OST will forward it to U.S. Bank/NOVA.  Visa and U.S. Bank/NOVA will determine and notify the agency and OST if an independent forensic investigation, compliance questionnaire, and vulnerability scan are required.  

N/A