
Payment Card Industry

Responsible Department
Comptroller
Effective Date
06/28/2018
  1. Policy Purpose

    The purpose of this policy is to prevent the loss or disclosure of sensitive customer information, including payment card data. Failure to protect customer information may result in financial loss for customers, suspension of the University's card processing privileges, fines imposed on the University, and damage to the reputation of the University of North Georgia (the “University”).

  2. Definitions

    1. Cardholder
      The person to whom a payment card (in particular a credit or debit card) is issued, or any individual authorized to use that card.

    2. Cardholder Data (CHD)
      Those elements of payment card information that are required to be protected: the Primary Account Number (PAN), the cardholder name, the expiration date, and the service code. The PAN is the defining element; the other three elements are cardholder data when they are stored, processed, or transmitted together with the PAN. Sensitive authentication data (full magnetic stripe or chip track data, the card verification code printed on the card, and PINs) is a separate category under PCI DSS and must never be stored after a transaction is authorized, even in encrypted form.

    3. Disposal
      CHD must be disposed of in a manner that renders all data unrecoverable. This applies to paper documents and to any electronic media, including computers, hard drives, magnetic tapes, and USB storage devices. Before disposal or repurposing, computer drives must be sanitized in accordance with the University's Electronic Data Disposal Policy. The approved disposal methods are: cross-cut shredding or incineration for hard-copy materials; sanitization or physical destruction for electronic media; or an approved shredding or disposal service. Simply deleting files or reformatting a drive does not meet this requirement, because the data remains recoverable.

    4. MasterCard Site Data Protection Program (SDP)
      The SDP, with the PCI DSS as its foundation, details the data security and compliance validation requirements in place to protect stored and transmitted MasterCard payment account data.

    5. Payment Card Industry Data Security Standard (PCI DSS)
      The mandated security requirements defined by the Payment Card Industry Security Standards Council, which was founded by the five major card brands: Visa, MasterCard, American Express, Discover, and JCB. These requirements apply to every entity that stores, processes, or transmits cardholder data, including the merchants and organizations that accept these cards as a form of payment, regardless of the size or number of transactions.

    6. Primary Account Number (PAN)
      The account number, typically 13 to 19 digits (16 for most Visa and MasterCard cards, 15 for American Express), embossed or printed on a payment card and encoded in the card's magnetic stripe and chip. The leading digits identify the card issuer, the middle digits identify the account, and the final digit is a check digit computed from the others (the Luhn algorithm) that detects transcription errors; it does not authenticate the cardholder. Under PCI DSS the PAN must be rendered unreadable wherever it is stored and, when displayed, masked to at most the first six and last four digits unless a business need requires more.

    7. Service Code
      A three-digit value encoded in the magnetic stripe, following the expiration date in the track data, that defines service attributes of the card: for example, whether it may be used for international or only domestic interchange, what usage restrictions apply, and whether a PIN is required for a transaction.

    8. Visa Cardholder Information Security Program (CISP)
      Visa Inc. instituted the Cardholder Information Security Program (CISP) in June 2001.  CISP is intended to protect Visa cardholder data - wherever it resides - ensuring that members, merchants, and service providers maintain the highest information security standard. In 2004, the CISP requirements were incorporated into the Payment Card Industry Data Security Standard (PCI DSS).
  3. Policy Statement

    1. It is the policy of the University to allow acceptance of payment cards as a form of payment for goods and services upon written approval from the Associate Vice President of Financial Services or designee.  The University requires all departments that accept payment cards to do so in compliance with the PCI DSS, this policy, University payment card procedures, and all other supporting documents.

      1. All entities of the University that receive or expect to receive payments electronically must comply with the guidelines and procedures issued by the Associate Vice President of Financial Services. All entities that wish to accept payment cards must submit a request for approval; once approved, the request is forwarded to the Associate Vice President of Financial Services for final approval and implementation.

      2. Entities must accept only payment cards authorized by the Associate Vice President of Financial Services and agree to operate in accordance with the contract(s) the University holds with its service provider(s) and the card brands. This is to ensure that all transactions are in compliance with the PCI DSS, Federal Regulations, NACHA rules, service provider contracts, and the University policies regarding security and privacy that pertain to electronic transactions.

      3. Entities must keep Cardholder Data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all CHD storage:

        1. Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements.
        2. Data that is not absolutely necessary in order to conduct business will not be retained in any format.  All data will be treated as confidential.
        3. Specific retention requirements for cardholder data.
        4. Processes for secure deletion of data when no longer needed.
        5. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
        6. Physical access to data records is restricted to staff with a need to know.

    2. In order to accept credit card payments, the University of North Georgia must validate and maintain compliance with the Payment Card Industry Data Security Standard. The University of North Georgia's Payment Card Policy and its supporting documents set out the requirements for processing, transmitting, storing, and disposing of cardholder data. This is done to reduce the institutional risk associated with the administration of credit card payments by individual departments and to ensure proper internal control and compliance with the PCI DSS, which incorporates the Visa Cardholder Information Security Program and the MasterCard Site Data Protection Program.
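    The PAN definition above refers to a check digit, and the retention requirements call for a quarterly process that identifies stored cardholder data. The following Python is an added example, not part of this policy and not a PCI SSC or University tool: it implements the Luhn mod-10 check behind the check digit and uses it to scan text for stored PANs, reporting only masked values. The regular expression, function names, and the sample export are the example's own assumptions; the card numbers in the sample are the publicly known industry test numbers, not real accounts.

```python
"""Added example: Luhn check-digit validation and a minimal stored-PAN discovery scan.

Not part of the UNG policy or of any PCI SSC tool; names, regex and sample data
are this example's assumptions.
"""
import re
from typing import List, Tuple


def luhn_valid(digits: str) -> bool:
    """True if `digits` (ASCII digits only) passes the Luhn mod-10 check.

    The rightmost digit is the check digit. Moving left, every second digit
    is doubled and 9 is subtracted from any product above 9; the number is
    valid when the resulting digit sum is a multiple of 10.
    """
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for idx, ch in enumerate(reversed(digits)):
        d = int(ch)
        if idx % 2 == 1:  # the digit left of the check digit, and every second one after it
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single check digit that makes `partial` + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("no digit satisfies the check")  # cannot happen for a digit string


# A PAN candidate: 13 to 19 digits, optionally separated by single spaces or
# hyphens. The lookarounds reject a slice of a longer digit run, so a 16-digit
# window inside a 20-digit value is not reported.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?!\d)(?![ -]\d)")


def mask_pan(digits: str) -> str:
    """PCI DSS display masking: keep at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in `text`.

    Candidates that fail the Luhn check (customer IDs, timestamps, order
    numbers) are dropped; this is what keeps a discovery sweep from drowning
    in false positives. Only masked values are returned so that the scan
    report does not itself become a new store of cardholder data.
    """
    hits: List[Tuple[int, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


# Constructed sample of a departmental export (not real data). Lines 1 and 4
# contain long digit strings that are not card numbers; lines 2 and 3 hold
# the Visa and American Express test numbers.
SAMPLE_EXPORT = """\
customer_id=1234567890123456 status=active
refund note: card 4111 1111 1111 1111 exp=12/26 ref=ORDER-2024-0001
amex on file: 378282246310005
event_ts=20240628123045 user=jdoe
"""

if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_EXPORT):
        print(f"line {line_no}: possible stored PAN {masked}")
```

    Running the block on the constructed export flags line 2 and line 3 and ignores the customer ID and the timestamp. Two limitations matter for a real quarterly sweep: a PAN that directly abuts another number (for example, followed by a space and an expiry date) is absorbed into one longer candidate and missed, so production tools additionally slide windows over long digit runs and check issuer prefixes; and the scan reads plain text only, so exported spreadsheets, database dumps, compressed archives, and backups need to be decoded before scanning. Any hit found must be handled as cardholder data from that moment, with the file protected and securely deleted rather than copied into a ticket.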
  4. Support Information

    1. Scope/Applicability

      The University of North Georgia Payment Cards Policy applies to all faculty, staff, students, organizations, third-party vendors, individuals, systems, and networks involved with payment card handling. This includes transmission, storage, and/or processing of payment card data, in any form (electronic or paper), on behalf of the University.

    2. Authority

      The University policies fall within a greater hierarchy of laws, statutes, and regulations. The Associate Vice President of Financial Services is responsible for managing and administering this Policy, which is currently in effect for all University students, employees, affiliates and computer & network systems that store, process or transmit cardholder data.  The Associate Vice President of Financial Services will partner with Information Security to determine appropriate technical compliance strategies and to develop supporting materials to assist units with compliance.

    3. Further details about the Payment Card Industry Security Standards Council can be found at https://www.pcisecuritystandards.org.
  5. Procedures

    Any related operating procedures must comply with and should reference this policy.
