
POLICY

Payment Card Industry Data Security Standard


Purpose of this Policy

The University is committed to safeguarding personal and account information conveyed in processing debit and credit card payments. Also, the privilege of accepting payment cards from the leading card brands depends upon compliance with specified security standards. To comply with these standards, it is the policy of the University that security standards relating to payment card transactions be specified and applied.

Scope of this Policy

This policy applies to the NYU schools and units that have access to cardholder data and to the people, processes and technology that handle cardholder data at or on behalf of NYU: any NYU school, unit, employee (full-time, part-time and temporary), student, volunteer, contractor, consultant, vendor, or other person or entity that processes, transmits, or stores cardholder data in a physical or electronic format for NYU or using NYU resources, or that has access to the NYU cardholder data environment. All technical and operational system components, including software, computers and wired or wireless electronic devices, involved in processing cardholder data, whether owned or leased by NYU, are subject to PCI DSS and this policy.

Procedures for Implementation

Background

The Payment Card Industry Security Standards Council, which was founded by American Express, Discover, JCB International, MasterCard and Visa, has established stringent security requirements to safeguard credit or debit payment cardholder data called the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies pursuant to contract to all entities that store, process or transmit cardholder data, including information printed on a card or stored on its magnetic stripe or chip and personal identification numbers entered by the cardholder. Compliance is enforced by the Council’s founding members. In addition to PCI DSS, each payment card brand has defined its own specific requirements for compliance, validation and enforcement.

The University is required by contract to safeguard cardholder data, whether printed, stored or transmitted. Therefore, every NYU school/unit that accepts payment cards must be PCI DSS compliant. In addition, any affiliated or unaffiliated party involved with accepting or processing credit/debit card payments for goods or services on the University’s behalf must be PCI DSS compliant and provide validation of its compliance to NYU. NYU is obligated to identify such parties’ responsibilities for securing cardholder data and monitor such parties’ PCI DSS compliance.

This policy defines the framework to allow NYU to ensure that all cardholder data it receives is processed in compliance with the current PCI DSS and related security standards. All NYU schools/units accepting payment cards must comply with the security requirements involved with being a payment card merchant. All NYU schools/units that process payment card transactions also must comply with NYU’s defined methodologies and acceptable technology. Complete cardholder data may not be transmitted, processed, or stored on any University-owned or University-controlled devices.

The Office of the Bursar oversees NYU’s method for accepting and processing payment card transactions, the distribution of policies, procedures, and other guidance required under PCI DSS, and the ongoing maintenance of the PCI DSS compliance program. All schools/units wishing to process payment card transactions are advised to visit the ePayment website at http://www.nyu.edu/epayments for complete instructions and a template for the Business Plan that must be submitted for approval.

The University Bursar will review a school/unit’s completed Business Plan and, upon approval, will establish a specialized Merchant Account Number for the school/unit. The school/unit then becomes responsible for achieving and maintaining compliance with PCI DSS and this policy.

The Policy Specifications set out in Section IV below are mandated to help meet PCI DSS. A glossary of certain terms used in this policy is provided in Appendix A.

I. General Requirements – Schools/Units Accepting Payment Cards

A. A school/unit desiring to accept payment cards must obtain advance approval from the University Bursar which will issue a specialized Merchant Account Number upon approval.

B. Using the procedural templates available at the ePayment web site (http://www.nyu.edu/epayments), a school/unit must prepare and maintain documented security procedures that clearly define information security responsibilities for all people within the school/unit who handle or will have access to cardholder data.

C. Cardholder data is considered “Restricted” data under NYU’s Data and Computer Security Policy (http://www.nyu.edu/its/policies) and the Data Classification at NYU table (http://www.nyu.edu/its/policies/data-classification.html) with high institutional risk from disclosure.

D. University Bursar approval is required before implementing software and installing equipment that processes, transmits, or stores cardholder data.

E. When processing payment card transactions, a school/unit must use only approved technologies. See Appendix B.

F. A school/unit with a Merchant Account Number must maintain and secure an inventory of payment card processing devices and implement a system to track removal or substitution of these devices.

G. Appropriate facility entry controls must be used to limit and monitor physical access to systems in the cardholder data environment.

H. A school/unit processing payment card transactions must annually complete a Self Assessment Questionnaire (SAQ). The SAQ is a PCI-mandated attestation intended to allow each school/unit to demonstrate its compliance with the PCI DSS.

II. General Requirements – Employees with Access to Cardholder Data

A. Access to system components and cardholder data must be limited to only those individuals whose job requires such access. Schools/units must ensure that:

i. Each employee is given access to as little cardholder data as necessary to perform his or her job.
ii. Employees are instructed not to share cardholder information with other employees unless deemed necessary by a supervisor.
iii. All employees who are involved with the acceptance of payment cards must be trained on this policy and the applicable school/unit’s procedures relevant to payment card processing.

B. Relevant personnel must complete NYU Security Awareness Education (SAE) training. All schools/units must:

i. Create and maintain a list of employees whose jobs expose them to cardholder data.
ii. Send requests to the University Bursar to onboard personnel who need to take SAE training.
iii. Ensure personnel attend NYU’s SAE training upon hire or engagement and at least annually thereafter. 

C. This policy must be disseminated to all relevant persons and entities who must acknowledge at least annually that they have read this policy and the applicable school/unit’s procedures.

III. Storage of Sensitive Authentication Data and Cardholder Data

A. Payment systems that involve receiving sensitive authentication data must have processes in place to delete such data after authentication and verify that it is unrecoverable.

B. All systems that store sensitive authentication data after authorization must adhere to the following requirements:

i. The complete payment card number is not to be stored under any circumstances.
ii. The card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions, and the personal identification number (PIN), or the encrypted PIN block is not to be stored under any circumstances.

C. The Primary Account Number (PAN) must be masked when displayed (the first six and last four digits are the maximum number of digits permitted to be displayed). This must be done through the following means:

i. Truncation by the POS system.
ii. If using a paper imprinter slip for card-present transactions and retention of the slip is necessary, the imprint slip should be photocopied after all digits of the PAN except the last four are masked. The merchant can then retain the photocopied version, but must cross-shred the original copy.
iii. If paper forms are used for card-not-present transactions (e.g., telephone and mail order) and retention of a section of the form is necessary, then the cardholder data section of the payment form must be removed and cross shredded. The form can be photocopied and retained after all digits of the PAN except the last four are masked. Merchants must cross shred the original copy.
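The masking rule above (show at most the first six and last four digits) and the storage rule in III.B.i (the complete PAN is never stored) are both mechanical enough to check in code. The following is an added example, not part of the NYU policy or any NYU tool: it masks a PAN to the policy maximum and then scans constructed log lines for complete PANs that should not be there, using the Luhn check digit described in the PAN definition to cut down false positives. The sample log lines and the test number 4111111111111111 are constructed for the example; the function names are the example's own.

```python
import re

# Constructed sample log lines for this example (not from the policy).
# 4111111111111111 is a well-known Luhn-valid test number, not a real account.
SAMPLE_LOG = """\
2012-04-11 09:01:02 order=1001 pan=4111111111111111 amount=25.00
2012-04-11 09:01:03 order=1002 pan=411111******1111 amount=10.00
2012-04-11 09:01:04 order=1003 ref=4111111111111112 amount=5.00
2012-04-11 09:01:05 order=1004 phone=2125551212 amount=7.50
"""

# Policy maximum: first six and last four digits may be displayed, no more.
MAX_KEEP_FIRST = 6
MAX_KEEP_LAST = 4

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = MAX_KEEP_FIRST,
             keep_last: int = MAX_KEEP_LAST) -> str:
    """Mask a PAN for display, never revealing more than the policy allows."""
    if keep_first > MAX_KEEP_FIRST or keep_last > MAX_KEEP_LAST:
        raise ValueError("display mask exceeds policy maximum (6 first, 4 last)")
    digits = re.sub(r"\D", "", pan)         # drop spaces and dashes
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def find_unmasked_pans(text: str) -> list:
    """Scan text for complete, Luhn-valid PANs.

    Returns (line number, masked PAN) pairs so the finding itself never
    reproduces the full number it is reporting.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {lineno}: complete PAN stored, masked form {masked}")
```

Only the first sample line is reported: the second is already masked, the third fails the Luhn check (so it is not a valid card number), and the fourth is too short to be a PAN. A scan like this belongs in the periodic review of storage locations, not in the transaction path itself.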

D. All paper and electronic media that contain cardholder data must be physically secured. Cardholder data that must be stored for business or legal reasons must be stored according to the NYU Policy on Retention and Destruction of Records (http://www.nyu.edu/about/policies-guidelines-compliance/policies-and-guidelines/retention-and-destruction-of-records.html) and the Retention Periods for General Categories of Retainable Records (http://www.nyu.edu/content/dam/nyu/compliance/documents/Retention_Schedule.pdf). Cardholder data storage should be kept to a minimum and retention time should be limited to that which is required for a business, legal, and/or regulatory purpose.

E. All cardholder data must be kept in a locked filing cabinet in a secure area or a safe that is accessible only by employees whose jobs require that they have access to cardholder data. The filing cabinet or safe containing the cardholder data must be locked both during and after business hours.

IV. TRANSMISSION of Sensitive Authentication Data and Cardholder Data

A. Transactions processed using a standalone dial-out POS terminal must be settled daily.

B. Unencrypted PANs must never be sent by end-user messaging technologies (e.g., e-mail or instant messaging).

C. Each school/unit must maintain strict control over the internal or external distribution of any kind of media that contain cardholder data. All material moved from a designated secure area must be marked confidential, documented on a media removal tracking log, and transported by a document service such as FedEx or the U.S. Postal Service with a tracking number.

D. No material containing cardholder data may leave the premises of the school/unit that accepted it for processing.

V. DESTRUCTION of Sensitive Authentication Data and Cardholder Data

A. All physical cardholder data (e.g., paper documents) that is deemed not essential must be properly destroyed. All electronic storage data also must be properly destroyed if there is no business or legal reason for which it should be kept. Proper means of destroying hard-copy material include physical destruction, such as shredding, incineration, or pulping hard copy materials, so that cardholder data cannot be reconstructed. Electronic cardholder data must be rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion.

B. If storage of cardholder data is necessary for business or legal purposes, portable media used to store cardholder data, including hard-copy material, must be stored in a locked cabinet. All electronic cardholder data must be encrypted and password protected.

VI. Processing Using External Service Providers

A. When cardholder data is shared with external service providers, procedures to manage these providers must be developed and maintained by the applicable school/unit utilizing their services. These procedures must include:

i. Creating and maintaining a complete list of service providers who can access any POS system or any cardholder data, including companies or individuals who are not employees of NYU.
ii. Coordinating with the University’s Office of Purchasing Services & Contract Administration to obtain and maintain a written agreement with the service provider that includes the service provider’s acknowledgement that it is responsible for the security of cardholder data that it stores, processes, or transmits.
iii. Obtaining and monitoring each service provider’s PCI DSS compliance status by requesting a copy of its annual Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC).

B. The process for engaging service providers must include proper due diligence prior to engagement. Merchants should liaise with the University’s Office of Purchasing Services & Contract Administration to contract work only with PCI DSS compliant service providers and check the references of such providers. Contracts with external service providers must incorporate NYU’s third party service requirements language.

VII. Incident Management

A. Anyone who learns of an actual or potential cardholder data security breach must immediately inform the school/unit Merchant Account Manager and the University Bursar.

B. NYU will respond to and investigate any incident in which there is a risk that cardholder data has been accessed without authorization. Indications that such an investigation may be necessary include, but are not limited to, the following:

i. A computer or device involved in credit card processing is compromised. You may observe a virus or other malware installed on the system or that unauthorized configuration changes have been made that cannot be adequately explained.
ii. Vulnerability is discovered that could be used to gain unauthorized access to cardholder data.
iii. An external report is received that indicates that NYU may be a source of fraudulent transactions, or that cardholder data from NYU has been accessed without authorization.
iv. Paper, tapes, USB keys, laptops, or other media containing cardholder data have been lost or cannot be accounted for.
v. Cardholder data has been discussed in public or overheard without authorization.
vi. Any of the above occurs with a service provider or other third party involved in payment card processing for NYU.

C. If a cardholder data security breach involving electronic resources is suspected, the NYU ITS Security Information Breach Notification Procedure (http://www.nyu.edu/its/policies/sec_breach.html) must be followed. You must notify the relevant school/unit Merchant Account Manager immediately to report the suspected breach. The school/unit Merchant Account Manager is required to report the suspected breach to ITS Technology Security Services (security@nyu.edu) and the University Bursar.

D. In the event a cardholder data breach involving non-electronic resources (for example, paper documents) is suspected, you must notify the relevant school/unit Merchant Account Manager immediately to report the suspected breach. The school/unit Merchant Account Manager is required to notify the University Bursar.

E. If you suspect credit card fraud, please follow the procedures outlined in the NYU Identity Theft Prevention Program (http://www.nyu.edu/about/policies-guidelines-compliance/policies-and-guidelines/identity-theft-prevention-program.html).

VIII. Enforcement of On-Going Compliance

A. Periodic reviews of safeguarding and storing of payment card information are conducted by the University Bursar, and payment card handling procedures are subject to audit by NYU Internal Audit, the Office of Compliance and Risk Management, and external auditors. In addition, NYU ITS Technology Security Services periodically conducts assessments of security controls put in place to safeguard technology implementations, including but not limited to periodic network-based vulnerability scans.

B. NYU schools/units with Merchant Account Numbers that do not comply with this policy and approved protection, storage, and processing procedures may lose the privilege to serve as a payment card merchant and to accept payment card payments.

C. Individuals in violation of this policy are subject to the full range of sanctions.

IX. Related Policies and Legal Considerations

The following University policies address topics that are related to this policy:

- Policy on Responsible Use of NYU Computers and Data
- University Data Management Policy
- Data and Computer Security Policy
- Reference for Data and System Classification
- Data and System Security Measures

Many states and countries have laws that apply to payment card transactions with which schools/units accepting payment cards for goods or services must comply. Current applicable New York State law is summarized in Appendix D. For further information regarding applicable law, schools/units accepting payment cards should contact the Office of General Counsel.

X. Appendices

Appendix A: PCI DSS Definitions
Appendix B: NYU Approved Payment Card Processing Technologies
Appendix C: Roles and Responsibilities
Appendix D: Other Applicable Law

Notes
  1. Dates of official enactment and amendments:
  2. History: blank
  3. Cross References: blank

About This Policy

Effective Date: April 11, 2012
Supersedes: N/A
Issuing Authority: Executive Vice President for Finance and Information Technology
Responsible Officer: Executive Vice President for Finance and Information Technology; Office of the Bursar

Appendix A: PCI DSS Definitions

1. Cardholder Data: At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data also may appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See the definition of “Sensitive Authentication Data” for additional data elements that constitute account data and may be transmitted or processed (but not stored) as part of a payment transaction. As generally used in this policy, cardholder data refers to all of the information specified above.

2. Cardholder Data Environment: The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.

3. Payment Card: Any payment card, including debit cards, which is issued by one of the leading payment card brands or associations.

4. Merchant: Any person or entity (such as a school/unit) that accepts payment cards bearing the logos of any of the five founding members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

5. Payment Application Data Security Standard (PA DSS): Requirements and security assessment procedures that apply to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. This standard includes what a payment application must support to facilitate an entity’s PCI DSS compliance.

6. Payment Card Industry Data Security Standard (PCI DSS): A comprehensive set of requirements established by the PCI SSC for enhancing payment account data security. It is a multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical safeguard measures.

7. PCI Security Standards Council (PCI SSC): The organization founded by American Express, Discover, MasterCard, JCB and Visa that defines credentials and qualifications for assessors and vendors, as well as maintaining the PCI DSS.

8. Point of Sale (POS): Hardware and/or software used to process payment card transactions at merchant locations.

9. Primary Account Number (PAN): The composite number code of 14 or 16 digits embossed on a bank or payment card and encoded in the card's magnetic stripe. The PAN identifies the issuer of the card and the account, including part of the account number, and contains a check digit that verifies the authenticity of the embossed account number.

10. Report on Compliance (ROC): Report containing details documenting an entity’s compliance status with the PCI DSS.

11. Self Assessment Questionnaire (SAQ): Tool used by any entity to validate its own compliance with the PCI DSS.

12. Sensitive Authentication Data: Security-related information (including, but not limited to, card validation codes/values such as the three-digit or four-digit value printed on the front or back of a payment card, e.g., CVV2 and CVC2 data; full magnetic-stripe data; PINs; and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions. Sensitive authentication data must not be stored after authorization.
