Payment Card Industry-Data Security Standards (PCI-DSS) Compliance

Purpose

The purpose of this policy is to establish information security standards for Payment Card Industry – Data Security Standards (PCI-DSS) compliance relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

Scope and Applicability

This policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.

Definitions

Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

1. Authorized User: A User who has been granted authorization to access electronic Information Resources and is current in their privileges.

2. Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.

3. Data: Element(s) of Information in the form of facts, such as numbers, words, names, or descriptions of things from which "understandable information" can be derived.

4. Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.

5. Information System: Inter-related components of Information Technology Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

6. Information System Steward: A UMGC staff member or other individual providing services to the University who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.

7. Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the Information Technology Resource connected to the network.

8. Merchant Department: A University department that is approved to accept credit cards as a form of payment. It is also referenced as the Merchant in this policy.

9. Payment Card: For purposes of PCI DSS, payment cards include any credit, debit or prepaid cards used in financial transactions that bear the logo of the five major card associations (Visa, MasterCard, American Express, Discover and JCB International). In this policy, the term credit card may be used in lieu of Payment Card.

10. Payment Card Industry (PCI): Includes Payment Card brands, issuing and acquiring banks, independent sales organizations, service providers and merchants who accept Payment Cards.

11. PCI Security Standards Council (SSC): A council comprised of the five major card associations including, Visa, MasterCard, American Express, Discover and JCB International. The council is responsible for the development, management, education, and awareness of the PCI DSS.

12. Payment Card Industry – Data Security Standards (PCI-DSS): A set of twelve technical and operational requirements set by the PCI SSC to protect cardholder data and reduce credit card fraud. These standards apply to all entities that store, process, or transmit cardholder data. The Merchant Department is required to meet the applicable requirements for their payment processing method/merchant environment.

13. User: A University community member, including but not limited to, staff, faculty, students, alumni, and individuals working on behalf of the University, including third party vendors, Contractors, consultants, volunteers, and other individuals who may have a need to access, use or control University Data.

Information Technology PCI-DSS Compliance

All Users must adhere to the requirements of the Information Technology PCI-DSS Compliance Policy to ensure safe-handling of sensitive information related to credit card transactions that are supported by any University Information Technology Resources.

UMGC must comply with the complete PCI DSS requirements which can be referenced at the PCI SSC website.

1. A firewall must be configured and maintained to protect cardholder data.

2. Information System Stewards should not use vendor-supplied defaults for system passwords and other security parameters.

3. Cardholder data must be protected. Card holder data is defined as:

   1. Primary Account Number (PAN)

   2. Card Validation Code (CVV, CVV2, and CVC2)

   3. Credit Card Personal Identification Number (PIN)

   4. Any form of magnetic stripe data from the card (Track 1, Track 2).

4. Cardholder data must be protected when stored or in transit over public (or untrusted) networks.

5. Transmission of cardholder data across open, public networks must be encrypted.

6. All Information Technology Resources must be protected against malware and anti-virus software, or programs must be regularly updated. System components within the cardholder data network must be part of an active vulnerability maintenance program.

7. Information System Stewards should develop and maintain secure systems and applications.

8. Cardholder data must be restricted on a need-to-know basis.

9. Information System Stewards should identify and authenticate access to system components. A unique identification (ID) should be assigned to each person with access to critical systems or software.

10. Information System Stewards should identify and restrict physical access to cardholder data.

11. Information System Stewards should track and monitor all access to network resources and cardholder data.

12. Information System Stewards should regularly test security systems and processes.

13. Information System Stewards should maintain a policy that addresses information security for all personnel. Consistent policies and procedures are required to be practiced and followed at all times.

Exceptions

Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.

Enforcement

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.

2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

Related Policies

1. UMGC Policy X-1.02 Data Classification

2. UMGC Policy X-1.04 Information Security

3. UMGC Policy X-1.07 Audit and Accountability

4. UMGC Policy X-1.08 IT Resource Configuration Management

5. UMGC Policy X-1.10 Identity and Access Management

6. UMGC Policy X-1.12 Acceptable Use

7. UMGC Policy X-1.14 Media Protection

8. UMGC Policy X-1.16 Security Assessment of Information Systems and Technology Resources

9. UMGC Policy X-1.21 System and Communication Protection

10. UMGC Policy X-1.22 System and Information Integrity

Effective Date

This policy is effective as of the date set forth above.