10.20 PCI & ACH Compliance with Incident Response for Electronic Commerce, Chancellor's Office Business Practices & Procedures

Purpose:

The Chancellor’s Office views electronic commerce (eCommerce) as a natural extension of the business processes already conducted. We encourage departments to utilize eCommerce to improve service to students, faculty, staff, and the public, and to reduce the cost of providing these services. For purposes of this policy, eCommerce includes all business transactions accomplished using an electronic medium.

It is important that Chancellor’s Office entities processing credit card, ACH transactions, or electronic check payments take measures to safeguard sensitive customer information including credit card and bank account numbers. Failure to comply with Payment Card Industry (PCI) and National Automated Clearing House Association (NACHA) rules may result in financial loss, fines, suspension of credit card processing privileges, and/or damage to the reputation of the Oregon University System.

This policy provides guidelines for all credit card, ACH, and eCommerce payment processing activities in the Chancellor’s Office.

Policy:

Authority

The Associate Vice Chancellor for Finance and Administration and Controller has authority for administering this policy and has delegated its implementation to the Director of Treasury Operations.

Responsibilities

The Associate Vice Chancellor for Finance and Administration and Controller is responsible for Chancellor’s Office debit/credit card and ACH security, the distribution of security policies and procedures, monitoring of system access and alerts, and incident response.

The Associate Vice Chancellor for Finance and Administration and Controller shall approve all eCommerce activities in the Chancellor’s Office, including card-present or point-of-sale transactions, ACH transactions, and transactions conducted over the phone, by fax, and/or on the internet.

Chancellor’s Office departments with approved credit card and ACH processing activities must maintain the following standards:

  1. Protect Customer Information
  • Do not store, process, or transmit credit card data on the university network. Instead, use Office of the State Treasurer (OST) approved, secure, and fully hosted third party payment processing services.
  • Do not create an electronic file containing full credit card or bank account numbers (database, spreadsheet, word processor, image, etc.).
  • Avoid the retention of paper records containing complete credit card or bank account numbers. If, for business reasons, you must store full card or ACH numbers, then do so for no longer than 36 months before securely disposing of them (confidential recycle, cross-cut shred, pulp, or incinerate). Mark these records as ‘Confidential’.
  • Records containing partial card or ACH numbers should be retained for no longer than seven years.
  • Strictly limit access to paper records containing credit card and bank account numbers based on job function. Where practical, limit access to full time professional staff.
  • Access to electronic records must be authorized in writing by the employee’s manager.
  • Hypercom terminals must be programmed to mask card numbers on both merchant and customer copies of receipts.
  • Physically secure paper records containing full credit card or bank account numbers in locked cabinets or offices with adequate key control.
  • Inventory paper records containing full or partial credit card or bank account numbers every six months to identify loss or theft of items.
  • Do not send or receive complete credit card or bank account numbers using email or campus mail.
  2. Properly Account
  • Adhere to appropriate accounting standards as established by the Associate Vice Chancellor for Finance and Administration and Controller.
  • Uniquely serialize and fully journalize all transactions to provide a conclusive audit trail.
  • Routinely reconcile all goods and services provided and received with the accounting records.
  3. Provide Employee Training
  • Designate a unit information security officer or single point of contact.
  • Train all employees involved in processing card and ACH transactions to protect card and ACH data, and ask them to review this policy annually and when business processes change.
  4. Perform an Annual Risk Assessment
  • All offices processing credit cards or ACH transactions will participate in an annual PCI and ACH risk assessment.
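One check a unit can run over its own document shares to verify the rule above that no electronic file holds a full card number. This is an added example, not part of the policy or of any OST-provided tool; the sample file text, the digit pattern and the Luhn filter are assumptions of the example, and the report masks every hit so that the scan itself never writes a new file of full card numbers.

```python
import re

# Candidate card numbers: 13-19 contiguous digits, or four groups of four
# separated by a space or dash. Phone numbers and short IDs never qualify.
PAN_RE = re.compile(r"(?<![\d-])(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3})(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid candidate in text as a plain digit string."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as the receipt-masking rule requires."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_report(text: str) -> list:
    """(line number, masked number) per hit; the report never carries a full number."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            report.append((lineno, mask_pan(pan)))
    return report


# Constructed sample of a departmental notes file. 4111111111111111 is the
# widely published Visa test number; the 16-digit order number fails Luhn.
SAMPLE = (
    "Customer called 541-555-0100 about order 1234567890123456\n"
    "Card on file: 4111 1111 1111 1111 exp 12/25\n"
    "Receipt copy shows ************1111\n"
    "Spreadsheet export: 4111111111111111,Smith\n"
)

if __name__ == "__main__":
    for lineno, masked in scan_report(SAMPLE):
        print(f"line {lineno}: full card number found ({masked})")
```

Luhn filtering removes most false positives but legitimate non-card numbers can still pass, so treat hits as leads for the six-month record inventory, not as proof.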

Third Party Vendors

In accordance with Oregon State Treasury (OST) Cash Management Policy 02 18 14.PO, all third party vendors must be approved in advance by OST. To obtain approval, vendors must complete the OST 3rd Party Vendor Prequalification Form (see Forms, below).

Oregon law requires that state funds be deposited directly into a recognized Oregon depository within 24 hours. For this reason, the use of PayPal or similar services that do not deposit proceeds directly into an OST merchant account is prohibited.

Procedures:

Breach of Security Actions

In the event of a breach in card or bank account data security, it is imperative that the unit act to immediately contain and limit the exposure of cardholder and bank data by performing the following steps:

  • Alert the Director of Treasury Operations, Controller’s Division (see Contact Information, below).
  • Conduct a thorough investigation of the suspected loss or theft of account information.
  • Do not access or alter compromised systems (e.g., do not log on or change passwords; do not log in as ROOT).
  • Do not turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the cable).
  • Preserve logs and electronic evidence.
  • Log all actions taken.
  • If using a wireless network, change the Service Set Identifier (SSID) on the Access Points (AP) and other machines that may be using this connection (with the exception of any systems believed to be compromised).
  • Be on high alert and monitor all systems with cardholder and ACH data.
  • Provide the Controller’s Division with a report containing account information at risk and the source and timeframe of the compromise. The Controller’s Division will alert all necessary parties immediately.
  • Complete an Incident Report as soon as possible but within three business days. (See Contact Information and Forms, below.)

Contact Information:

In the event of a breach of security, contact the following:

Timeline: Incident occurs during normal business hours (8 AM to 5 PM)
Contact: Internal Information Security group and Incident Response Team, OUS Controller’s Division: Assoc. VC Finance and Administration and Controller, and Director Treasury Operations, 541-737-3636
Details: Provide all details verbally in addition to preparing a written report for submission.

Timeline: Incident occurs during normal business hours (8 AM to 5 PM)
Contact: Office of the State Treasurer (OST), 503-378-4000
Details: Notify the receptionist that you have experienced a merchant card or ACH breach, and ask to speak with the Merchant Bank Liaison on the Banking Team or a member of the Relationship Management Services team. The OST contact will then notify U.S. Bank and coordinate all communication.

Timeline: Incident occurs outside of normal business hours
Contact: U.S. Bank, 1-800-725-1243
Details: Identify that you are a “National Account” with the State of Oregon, and provide your Merchant ID (MID) number. Notify the U.S. Bank customer service representative that you have experienced a merchant card or ACH breach, and ask that the incident be reported to the Risk Department.

Timeline: Within three business days
Contact: Office of the State Treasurer, 350 Winter Street NE, Ste. 100, Salem, OR 97301-3896
Details: Complete an Incident Report and submit it to the Office of the State Treasurer (see section .700, FORMS). OST will forward it to U.S. Bank/NOVA. Visa and U.S. Bank/NOVA will determine whether an independent forensic investigation, compliance questionnaire, and vulnerability scan are required, and will notify the agency and OST.

Forms:

References:

Last Updated: 01/13/10