About PCI Compliance
University departments and third-party services acting on behalf of the university must follow the requirements outlined in the UNLV Payment Card Merchant Policy when accepting and processing credit card payments. This policy is in accordance with guidelines outlined in the Payment Card Industry Data Security Standard.
Adhering to this policy protects our customers’ payment card information, the university’s reputation, and reduces the financial costs associated with a breach of payment card information.
Who Should Know This Information
Anyone responsible for managing, accepting, processing, or reconciling university payment card transactions that bear the logos (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services and all employees involved with handling cardholder data including program managers and systems managers.
To Whom This Information Applies
All merchants involved in payment card processing via a payment card terminal and online. Online transactions include links on UNLV websites redirecting customers to another website, as well as the use of Point-of-Sale software, or a third-party vendor to transmit, process, or store cardholder data.
A payment card merchant is a department or any other entity at the university that stores, processes, transmits, or affects the security of cardholder data (CHD).
These standards are enforced by the card associations and adherence is required in order for a merchant to accept card payments.
Responsibilities
PCI compliance is overseen by the Controller’s Office. Their responsibilities include:
- Administering the process of obtaining new merchant accounts
- Communicating the policy and PCI DSS to merchants
- Advising merchants wanting to accept payment cards as to their compliant options
- Processing First Notice Rule Set to automate the accounting in the financial system
- Coordinating periodic reviews of existing merchants to include verification of procedures and computer scans as appropriate
- Coordinating annual completion of merchant Self Assessment Questionnaire (SAQ) and submission of university SAQ to the bank
- Comply with the Payment Card Industry (PCI) Data Security Standards.
- Receive approval from the Controller’s Office on new merchants or new purchases before entering into any contract, purchase, acquisition, or replacement of equipment, software, Internet provider, or wireless device that processes payment card transactions.
- Maintain a department information security policy. Departments utilizing payment card merchant accounts must establish policies and procedures for physically and electronically safeguarding cardholder data. (PCI DSS)
- Prevent unauthorized access to cardholder data and secure the data. Establish procedures to prevent access to cardholder data in all forms. (PCI DSS)
- Communicate the policy to staff and obtain signatures. Supervisors including deans, fiscal officers, and systems managers must communicate this policy to their staff and maintain the Responsibilities of Payment Card Handlers and Processors (Page 7, Appendix A) for all personnel involved in payment card transactions. (PCI DSS)
- Restrict access based on a business need-to-know. Access to physical or electronic cardholder data must be restricted to individuals whose job requires access. (PCI DSS)
- Assign a unique ID to each person with computer access. A unique ID must be assigned to each person with access to computers that are used to process payment card information. Usernames and passwords should not be shared. (PCI DSS)
- Transmitting cardholder data by email, chat, or fax is prohibited. Never send unprotected Primary Account Number (PAN) by end-user messaging technologies (for example, email, instant messaging, chat, etc.) (PCI DSS)
- Electronically storing the CVV/CVV2 validation code, or PIN number is prohibited. Do not store the customer’s three or four-digit CVV or CVV2 validation code, or PIN, (personal identification number). (PCI DSS)
- Segregation of duties. Establish appropriate segregation of duties between personnel processing transactions, issuing refunds to custody of assets, record keeping, and those assigned to the reconciliation function.
- Mask the payment card number. Terminals and computers must mask everything but the first 6 digits and the last 4 digits of the primary account number (PAN). (PCI DSS)
Reporting a Security Incident
Immediately report a payment card security incident to the department supervisor and the PCI Compliance Team if known or suspected payment card information has been exposed, stolen, or misused.
Notification to the department supervisor should be in writing. Follow these steps to submit a report:
- Include a department name and contact number
- Do not disclose any cardholder data, three or four-digit validation codes, or PIN numbers in the written report
- Include the following information in the report:
- Explanation of security incident
- Names of people involved
- Where, when, and why the incident happened
Notification to the Compliance Team should go through the following data breach form. Additional information on the policy can be found through the Office of Information Technology website at Breach of Information Notification Policy.
Fraud Prevention Procedures
- Do not disclose or acquire any cardholder data without the cardholder’s consent.
- Keep all cardholder data secure and confidential.
- Limit access to cardholder data only to those employees who require access to do their job.
- Cardholder data cannot be stored in any fashion on UNLV computers, networks, or related media.
- Wireless networks cannot be used in the cardholder data environment.
- Cardholder data must never be transmitted via email and departments are prohibited from soliciting cardholder data via email.
- Cardholder data that is inadvertently received by email should be deleted immediately and should not be used for processing payments.
- Payment card authorization forms must not contain references to an email address.
- Payment card authorization forms must not contain a FAX number that refers to an unsecured FAX machine.
- Payment card authorization forms must clearly show the following warning, “Please do not email this authorization form. Email is not a secure way of transmitting your card information.”
- All documentation containing cardholder data must be destroyed in a manner that will render them unreadable (crosscut shredding or third party shred bin) after their useful life (180 days) has expired. All other departmental deposit and accounting records must be maintained for a period of seven (7) years.
- A report of activity (by day and in total) is to be generated each month. This report should include your merchant name and number, the daily totals by batch, sales distribution, and the total for the month.
- Reconcile daily activity to merchant statements at least monthly to ensure credit is received for all processed transactions. Verify amount to finance deposit postings. Documentation that a reconciliation was done should be retained by the department.
- All business accepting payment cards will be required to complete an annual self-assessment questionnaire (SAQ).
- Each department that processes payment card transactions must have written procedures specific to that organization. The procedures must include, but are not limited to, the following:
- Segregation of duties
- Reconciliation procedures – daily and monthly
- Physical security
- Disposal
- Instructions for processing transactions through all accepted payment channels
- Departmental procedures should be reviewed, signed, and dated by the department head or business manager on an annual basis and submitted to the Controller’s Office along with other required PCI compliance documentation.
- Verify the signature of the cardholder at the time of the transaction.
- Obtain the signature of the cardholder on the receipt and provide the duplicate copy to the cardholder.
- Be sure only the last four digits of the card number are printed on the receipt.
- Store the departmental copy of the receipt safely until it is needed for end-of-day balancing.
- Keep all receipts for each day together. Compare them to daily totals and then group them with the daily batch settlement tape for storage/reference purposes.
- Record the batch total and batch number for each day in the monthly summary report.
- If the terminal is not functioning properly, use the One-Time Credit Card Authorization Form.
- Type the merchant name and phone number in the header prior to utilizing the form.
- Make sure all fields are filled out in legible handwriting.
- Provide the bottom portion as the cardholder’s receipt.
- Hand-enter the transaction when the terminal is running again.
- Destroy the middle section that has cardholder information immediately after processing in a manner that will render it unreadable (crosscut shredding or third-party shred bin).
- Keep the original copy of the top section with merchant record.
- Log and inspect the terminal or card swipe mechanism to ensure it has not been tampered with and is working properly:
- Daily for publicly accessible readers or devices used infrequently.
- Weekly for supervised readers that may have exposure to public or non-PCI staff.
- Monthly for those located in a secure office.
- Terminal or card swipe mechanism must be stored securely overnight.
- Maintain a payment listing for balancing and accounting purposes. This listing should not contain the cardholder data – the last four digits of the card number may be listed.
- Fax machines must be secure analog standalone machines and should be located in a nonpublic area where access is limited to accountable, dependable, and trustworthy staff.
- Documents with the card number and other cardholder data should be processed promptly and then safely stored if needed for balancing the day’s transactions. Cardholder’s three (3) or four (4) digit validation code must be destroyed immediately after processing in a manner that will render them unreadable (crosscut shredding or third party shredding).
- Documents with the card number and other cardholder data should be destroyed after balancing the day’s transactions or after the transaction is submitted.
- Keep all receipts for each day together. Compare them to daily totals and then group them with the daily batch settlement tape for storage/reference purposes.
- Record the batch total and batch number for each day in the monthly summary report.
- All payment card transactions must be processed by a PCI DSS compliant third-party provider (such as Authorize.net)
- The account must be opened by the Controller’s Office
- Approved by Purchasing
- Approved by “NSHE contracted PCI approved vendor”
- No cardholder data can be stored on UNLV servers or networks.
- Review and comply with UNLV’s “Computer Security Policy” and “Password Policy” available on the IT website.
- Periodic network vulnerability scans will be conducted and the department is responsible for timely remedy of deficiencies.
- Documented verification that systems and technology used to meet all required PCI DSS security protocols should be kept on file in the department.
- Verification can be obtained by contacting pci@unlv.edu.
- Changes to electronic processing systems (departmental software, website, etc.) must be communicated to the Controller's Office and confirmed to maintain compliance with PCI DSS before changes are made.
A chargeback occurs when the customer or the customer’s bank challenges all or part of a payment card transaction. An adjustment may be applied to your account. A chargeback is a reduction of your revenue.
The department will submit the requested documentation showing the validity of the purchase. You should not issue a credit after you have received notification of a dispute because the customer’s bank may have applied a conditional credit to the customer’s account. You may not be able to recover a credit after a chargeback has been received if you issue a credit in these circumstances; in fact, you may be responsible for the credit and chargeback.
Chargeback forms from the bank should be maintained in the department and a note made in the customer’s file of the chargeback and the circumstances. Departments should periodically review their chargebacks to see if there are internal policies that need to be changed so that fewer transactions are disputed.
A First Notice Rule Set is a function done in the financial system that contains an ad hoc bank transaction template with the department’s accounting information linking to a conditional rule that searches the bank account specified in the conditions.
When the conditions are met (i.e. searching the bank addenda for the merchant account number), an ad hoc bank transaction is created. Workday finds bank statement items that don't have an accounting entry reconciled. With the First Notice Rule Set, a department’s accounting and banking are automatically reconciled within the financial system.
First Notice Rule Sets do not substitute or eliminate the business unit's need to perform their reconciliation process and to ensure all transactions have been received.
Questions and Submitting the Self-Assessment Questionnaire (SAQ)
If you have any questions, need help submitting your annual self-assessment questionnaire (SAQ), or need additional information, please contact pci@unlv.edu.
Information provided here does not replace or supersede requirements in any PCI SSC Standard.