Office of the Controller
Page 1 of 10
7 Lebanon Street, Suite 302, Hanover, New Hampshire 03755
603-646-3011
Merchant Services and PCI Compliance Policy
http://www.dartmouth.edu/~control/policies/

Policy Owner: Controller's Office
Administering Departments serving on the Merchant Services Committee: Controller's Office, Information Security, Institutional Accounting, Risk Management, and Treasury
Last Revision: June 6, 2018

Policy Sections:
1. Overview
2. Dartmouth College Merchant Services Policy
3. Dartmouth College Procedures
4. Payment Card Industry Data Security Standard (PCI DSS)
5. Dartmouth College PCI DSS Confidentiality/Non-Disclosure Statement
1. Overview
Dartmouth College Merchant Services Mission

Dartmouth College has established a Charter to monitor regulatory statutes and contractual obligations specific to the Payment Card Industry Data Security Standard (PCI DSS), merchant services, and electronic commerce (e-Commerce). The purpose of the Dartmouth College Merchant Services Policy is to maximize the security of our customers' card data, protect Dartmouth's reputation, avoid any financial costs associated with a breach of card information, and outline Best Practices in all aspects surrounding the handling of cardholder data.

Dartmouth Compliance and Ethics Hotline

Faculty, staff, or students may report PCI compliance problems through standard management channels, beginning with their immediate supervisor. Alternatively, inquiries or reports may be addressed to EthicsPoint: http://www.dartmouth.edu/~rmi

Risk and Internal Controls Services provides independent risk-based audit, consulting, and operational services to protect and enhance organizational value in support of the mission of Dartmouth College.

Entities Affected By This Policy – Who Should Read This Policy?

Anyone that conducts Dartmouth College business and is affiliated with the acceptance of payment cards as a form of payment.
2. Dartmouth College Merchant Services Policy

Dartmouth College Merchant Services Policy

Dartmouth College signed into a contractual agreement with Chase Paymentech as its primary credit card processor. By doing so, Dartmouth has an obligation to this Merchant Service Provider; therefore, seeking any other alternative resource for payment card acceptance and processing is not permissible under our contractual agreement with Chase.

Any department that chooses to accept payment cards as a form of payment must first seek the approval of the Controller's Office. The Controller's Office will review all Merchant Account Requests for acceptance of cards and will make a determination of approval based on the information provided in the Merchant Account Request Form.

PCI Training is mandated for any individual that is conducting Dartmouth College business and is affiliated with any aspect of processing credit cards. This includes, but is not limited to, acceptance of credit/debit/stored value cards, reconciliation of card revenue and expense, and the use of reporting tools reflecting credit card data.

For on-line credit card acceptance, Dartmouth College has approved the following PCI compliant Payment Application Gateways: JPMorgan Chase, Authorize.Net, and PayPal. If you choose any option other than what is listed above, you must have the approval of the Controller's Office.

For terminal credit card acceptance, Dartmouth College has approved the following equipment: Verifone VX520, VX680, MagTek eDynamo, EMV Mobile Reader (Chase Mobile Checkout), Ingenico, Micros 9700 and iTerminal IPP320x3.

Members of the staff at Dartmouth College that have any association with the acceptance of payment cards must sign the PCI DSS Confidentiality/Non-Disclosure Statement. Signed statements should remain with the office in which the individual is conducting Dartmouth business. The PCI DSS Confidentiality/Non-Disclosure Statement is located on Page 10.

A Self-Assessment Questionnaire (SAQ) is a validation tool that must be completed by each merchant account holder before a merchant account will be set up, and annually thereafter, in order to demonstrate compliance with the PCI DSS. If you have an existing merchant account and your business operations will be changing significantly, you will need to complete a new SAQ. Every business area needs to have an accurate SAQ on file with the Controller's Office at all times.
Department members serving on the Merchant Services Committee may conduct an internal audit of a merchant holder's business operation to ensure compliance and that regulatory policies and procedures are being followed. Any business operation found not in compliance risks losing its privilege to accept credit card payments.

Merchant Account Holder's Responsibilities

You should NOT do the following:
1. Do not transmit cardholder's credit card data by e-mail, fax or other electronic means
2. Do not store credit card data for repeat customers on paper in an unsecured area
3. Do not store PIN or CVV2/CVC2/CID number or the full credit card number
4. Do not electronically store any credit card data on any computer files, servers, laptops, PCs, mobile phones, tablets or any other electronic devices
5. Do not share user IDs and/or passwords for systems access
6. Never acquire or disclose any cardholder's data without the cardholder's consent

You should DO the following:
1. Store all physical documents containing credit card data in a locked drawer, locked file cabinet, or locked office, without the full credit card number
2. Maintain strict control over the internal and external distribution of any media that contains credit card data
3. Change vendor supplied or default passwords
4. Ensure that your department, computer systems and operations are in full compliance with the Dartmouth Information Security Committee (DISC) policy: https://tech.dartmouth.edu/itc/services-support/help-yourself/knowledge-base/dartmouth-information-security-policy
5. Properly dispose of any media containing credit card data
6. If you receive an unencrypted email from a customer with credit card data, notify the customer that they should no longer send this information via email and delete the email immediately

Responsibilities for Executive Officers, Fiscal Officers, and Management Officers
1. Comply with the Payment Card Industry Data Security Standard (PCI DSS) and the Dartmouth Information Security Committee (DISC) policy
2. Obtain approval by Procurement Services prior to entering into any contract, purchase, or acquisition for software or system applications
3. Obtain approval from the Controller's Office for new or replacement equipment, wireless devices and Internet Gateway Providers
4. Establish procedures to restrict physical access to data or systems that house cardholder data
5. Communicate the Dartmouth College Merchant Services Policy to all employees
6. Restrict access to credit card data on a business need-to-know basis
7. Establish appropriate segregation of duties between personnel handling credit card processing, refunds and reconciliations
8. Assign a unique ID and password to each person with computer access to credit card data
9. Do not allow credit card data to be sent by email, fax or other electronic means
10. Do not allow the storage of PIN or CVV2/CVC2/CID numbers on laptops, PCs, mobile phones, tablets or other electronic devices
11. Do not allow outside consultants to store credit card data on their own PC equipment
12. Do not allow employees to share user IDs for systems access
13. Never allow the disclosure of cardholder's data without the cardholder's consent
3. Dartmouth College Procedures

Dartmouth College Merchant Services Procedures

The steps outlined below must be followed for a merchant account to be considered for credit card acceptance.

1. Requesting a Merchant Account Request Form

**Note** If your intentions for credit card acceptance are for both on-line and terminal acceptance, you will need to complete a separate Merchant Account Request Form for each processing type.

Departments interested in accepting payments for goods and services via a credit card must first obtain a Merchant Account Request Form, located at the URL provided below
http://www.dartmouth.edu/~control/docs/accounting/dc_merchant_account_request_form.doc
or by sending an e-mail request to Institutional.Accounting@Dartmouth.EDU. This form must be completed thoroughly and accurately for determination in the approval process. Once the form has been completed, a scanned copy should be sent to Institutional.Accounting@Dartmouth.EDU or mailed to Institutional Accounting, Hinman 6015. The requestor will be notified of the status of their request after the review process. Please allow 3-5 business days for the approval application process.

2. Self-Assessment Questionnaire (SAQ)

The SAQ is a validation tool that must be completed by each merchant account holder before a merchant account will be set up, and annually thereafter, in order to demonstrate compliance with the PCI DSS. If you have an existing merchant account and your business operations will be changing significantly, you will need to complete a new SAQ. Every business area needs to have an accurate SAQ on file with the Controller's Office at all times.

The merchant account holder or supervisor/manager that is requesting the establishment of a new merchant account will also need to complete an initial Self-Assessment Questionnaire (SAQ) based on the scope of their business operation. The appropriate SAQ for your business type will be sent to the requestor for completion upon receipt of the Merchant Account Request Form, and the requestor will be assisted in the completion and submission of the SAQ.
3. Purchasing new systems or software applications

This policy pertains to existing merchant accounts where the business operation will be changing significantly, and to any new merchant account that may require a new system or software application for processing credit card data. You must submit vendor contracts to Procurement Services for their review/approval. Where applicable, some contracts may also require further review/approval from the offices of Risk and Internal Controls and Information Security around compliance and security concerns. Once the contract has been approved, a signed copy of the document should be scanned to Institutional.Accounting@Dartmouth.Edu.

4. Approved Merchant Account Request

Once the merchant account request form has been approved, Institutional Accounting will complete a merchant account application with Chase Paymentech, and one for American Express where applicable. Please allow 10 business days for this process to be completed. Once the merchant account(s) have been assigned by the banks, you will be notified by Institutional Accounting.

All individuals listed on the Merchant Account Request form that require Payment Card Industry (PCI) training will be set up by Institutional Accounting and notified by e-mail of their training. If those individuals do not take the required training, they should not handle credit card functions. One reminder will be sent to the individual after the initial e-mail notification has been sent. If training hasn't occurred within ten business days of the final reminder, the recommendation would be suspension of tasks affiliated with any credit card functions until the individual is compliant.

5. Reconciliation of Merchant Accounts

Reconciliation – It is highly recommended that a reconciliation between the Software and/or Payment Application Gateway and Dartmouth's General Ledger be completed at least once a month for credit card settlement accountability. Any discrepancies should be followed up in a reasonable time frame.

Chargeback – The bank will notify a merchant holder of a disputed charge. The merchant holder is responsible for providing the bank with proof that the transaction was authorized by the customer. Case information is available for two years and document information is available for six months from the last case status change date. If you need assistance with the chargeback process, the Chase Paymentech Chargeback Management Guide is available; please contact Institutional.Accounting@Dartmouth.Edu.

Refund – When an item or service is purchased using a credit card and a refund is necessary, the refund must be credited to the same credit card account from which the purchase was originally made. In addition, under no circumstances is it permissible to issue a cash refund.

Online Reporting – If you encounter any reporting issues or need assistance with the Chase Paymentech Resource Online module, [email protected].
6. Closing a Merchant Account

When a merchant account is no longer needed, the merchant holder will need to contact Institutional.Accounting@Dartmouth.Edu and provide the merchant account(s) that need to be closed. Prior to requesting a closure, you should always allow ample time for any refunds, chargebacks or fees that may need to process against the merchant account. If you were using a payment gateway provider and/or software application, it is the responsibility of the merchant account holder to cancel the account that was established for use with the merchant account(s). This should occur when the merchant account has been requested to be closed; otherwise, you may potentially be subject to monthly fees.
7. Return of credit card equipment

It is the responsibility of the merchant account holder to ensure that all leased or rented equipment from Chase Paymentech, or any other provider, is returned when the merchant account has been requested to be closed. If the equipment is owned by Chase Paymentech, contact Institutional.Accounting@Dartmouth.Edu and you will be provided with a contact for working out the return details. If the equipment is Dartmouth College property and requires disposal, please contact Materials.Management@Dartmouth.EDU for assistance with this removal.

8. Retention Period of credit card information

PCI DSS recommends keeping the credit card information that is retained to a minimum. Local policy should make it a practice not to retain sensitive cardholder data. Limit your storage amount and retention time to that which is required for legal or regulatory purposes.

Electronic/Paper – Dartmouth's policy is that no credit card data should be stored on laptops, iPads, PCs or any other technical device. Paper documents containing credit card data should be secured in a locked office and stored in a cabinet. In an open office environment, paper documents should be stored in locked cabinets and not be left in an unsecured office at any time. Dartmouth's policy is to keep transactional reconciliations for seven years, whether stored electronically or on paper, for internal/external audit purposes. You should never store a cardholder's entire account number. In the event the cardholder's number needs to be written down for keying in later, the document needs to be shredded immediately afterwards.
4. Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard (PCI DSS)

The Official PCI DSS URL – http://www.pcisecuritystandards.org

PCI DSS was established by the credit card industry in response to an increase in identity theft and credit card fraud. Every merchant who handles credit card data is responsible for safeguarding that information and can be held liable for security compromises. This standard has 12 requirements, including controls for handling credit card data, computer and internet security, and an annual self-assessment questionnaire.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. The PCI standard is comprised of 12 requirements, which are summarized below.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
PCI DSS Glossary – most commonly used

Application – Includes all purchased and custom software programs or groups of programs designed for end users, including both internal and external (web) applications

Backup – Duplicate copy of data made for archiving purposes or for protecting against damage or loss
Cardholder – Customer to whom a credit card is issued or individual authorized to use the card

Cardholder data – Full magnetic stripe or the PAN plus any of the following:
* Cardholder name
* Expiration date
* Service Code

Chargeback – Process when the cardholder contacts the credit card company or the issuing bank regarding an inconsistency in their credit card statement. The issuing bank will credit back to the cardholder for the disputed transaction, then charge a fee to the merchant

Data Entry Processor – An individual who is responsible for credit card data entry for day-to-day operations

Encryption – Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure

Merchant – A unit that accepts credit cards as a method of payment for goods, services, information, or gifts

Merchant Account – An account established for a unit by a bank to credit sale amounts and debit processing fees

SAQ – Self-Assessment Questionnaire is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures, which may be required by your acquirer (bank) or payment brand

Sensitive Data – Sensitive Data include the account number, magnetic stripe data, CVV2/CVC2 and expiration date

Service Code – Three- or four-digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction
5. Dartmouth College PCI DSS Confidentiality/Non-Disclosure Statement

Dartmouth College Payment Card Industry Data Security Standard Confidentiality/Non-Disclosure Statement

**NOTE** All completed forms remain on file with the member's manager.

As a member of the Dartmouth College Community, I acknowledge that in the course of my employment I may have access to personal, proprietary, transaction-specific, and/or otherwise confidential data concerning faculty, staff, students, alumni and/or other persons through the processing of credit card transactions. As an individual with responsibilities for processing, storing and/or transmitting credit card data, I may have direct access to sensitive and confidential information in paper or electronic format. To protect the integrity and the security of the systems and processes as well as the personal and proprietary data of those to whom Dartmouth provides service, and to preserve and maximize the effectiveness of Dartmouth resources, I agree to the following:
• I will maintain the confidentiality of my password and will not disclose it to anyone.
• I will utilize credit card data for Dartmouth College business purposes only.
• I will uphold Dartmouth College's Code of Ethical Business Conduct, available at EthicsPoint: http://www.dartmouth.edu/~rmi, and I agree to abide by it.
• I have been provided access to Dartmouth College's Merchant Services Policy regarding the proper storing, protection, and disposal of such confidential data, and I will ensure that any such data is shredded or otherwise disposed of as per approved office policy when no longer needed.
• I have read, understand, and agree to abide by the Dartmouth College Merchant Services Policy.

The use of sensitive credit card data for personal purposes is illegal and is grounds for termination. The abuse of systems access or unauthorized disclosure or distribution of any customer's credit card data may result in prosecution.

Name (Print) _______________________________
Signature/Date ______________________________
Department ________________________________
Phone # ___________________________________