Payment Card Industry Data Security Standard
- Purpose of this Policy
- Scope of this Policy
- Policy Specifications
- Appendix A: PCI DSS Definitions
- Appendix B: NYU Approved Payment Card Processing Technologies & Current Vendors
- Appendix C: Device Inspection Checklist
- Appendix D: Roles and Responsibilities
- Appendix E: Other Applicable Law
The University is committed to safeguarding personal and account information conveyed in processing debit and credit card payments. Also, the privilege of accepting payment cards from the leading card brands depend upon compliance with specified security standards. To comply with these standards, it is the policy of the University that security standards relating to payment card transactions be specified and applied using the Payment Card Industry (PCI) Data Security Standard (DSS) sponsored by the PCI Security Standards Council (SSC).
Any questions on the PCI DSS Policy should be directed to the PCI team at firstname.lastname@example.org.
Purpose of this Policytop
The purpose of this policy is to establish a framework for processing payment cards, to safeguard against the exposure and possible theft of cardholder data transacted through NYU, and to comply with the current PCI DSS requirements. This policy does not address New York State laws or the laws of other states or jurisdictions that may apply to payment card transactions.
Scope of this Policytop
This policy applies to the NYU schools and business units that have access to cardholder data and to the people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data at or on behalf of NYU: any NYU school, business unit, employee (full-time, part-time and temporary), student, volunteer, contractor, consultant, vendor, or other person or entity that processes, transmits, or stores cardholder data in a physical or electronic format for NYU or using NYU resources or that has access to the NYU cardholder data environment. All technical and operational system components, including software, computers and wired or wireless electronic devices, involved in processing cardholder data, whether owned or leased by NYU, are subject to PCI DSS and this policy.
The PCI SCC, which was founded by American Express, Discover, JCB International, MasterCard and Visa, has established stringent security requirements, called the PCI DSS, to safeguard credit or debit payment cardholder data. PCI DSS applies pursuant to contract to all entities that store, process or transmit cardholder data, including information printed on a card or stored on its magnetic stripe or chip and personal identification numbers entered by the cardholder. Compliance is enforced by the Council’s founding members. In addition to PCI DSS, each payment card brand has defined its own specific requirements for compliance, validation and enforcement.
The University is required by contract to safeguard cardholder data, whether printed, stored or transmitted. Therefore, every NYU school/business unit that accepts payment cards must be PCI DSS compliant. In addition, any affiliated or unaffiliated party involved with accepting or processing credit/debit card payments for goods or services on the University’s behalf must be PCI DSS compliant and provide validation of its compliance to NYU. NYU is obligated to identify such parties’ responsibilities for securing cardholder data and monitor such parties’ PCI DSS compliance.
This policy defines the framework to allow NYU to ensure that all cardholder data or sensitive authentication data that is stored, processed, or transmitted is in compliance with the current PCI DSS and related security standards. All NYU schools/business units accepting payment cards must comply with the security requirements involved with being a payment card merchant on an annual basis.
All NYU schools/business units that store, process, or transmit cardholder data or sensitive authentication data also must comply with NYU’s defined methodologies and acceptable technology. Cardholder data may not be processed, transmitted, or stored on any University-owned or University-controlled devices unencrypted and readable to an unauthorized party.
The Office of the Bursar oversees NYU’s method for accepting, approving and processing payment card transactions as well as distributing of policies, procedures, and other guidance required under PCI DSS and ongoing maintenance of the PCI DSS compliance program. All schools/business units wishing to process payment card transactions are advised to visit the NYU Finance Link.
The completed Merchant Onboarding Form submitted by the school/business unit will be reviewed by the University PCI Compliance officer. Upon approval, a merchant account will be established with the university’s acquiring bank for card commerce and distributed as required. The school/business unit retains responsibility for enforcing and maintaining compliance with PCI DSS and this policy within their card environment.
The Policy specifications set out below are mandated to help meet PCI DSS. A glossary of certain terms used in this policy is provided in Appendix A.
Any questions on the NYU PCI Policy should be directed to the PCI Team at email@example.com.
I. General Requirements – Schools/Units Accepting Payment Cards
A. A school/business unit desiring to accept payment cards must obtain advance approval from the University Bursar, who will issue a specialized Merchant Account Number/ID.
B. Using the procedural templates available at the NYU FinanceLink , a school/business unit must prepare and maintain documented security procedures that clearly define information security responsibilities for all individuals within the school/business unit who handle or will have access to cardholder data. All individuals are required to complete Security Awareness Education training annually (see Section II: General Requirements – Individuals with Access to Cardholder Data).
C. All schools/business units approved to accept payment cards are responsible to review and maintaining their respective list to ensure that it is current and accurate on the NYU Box. This file contains the following information:
- Merchant Procedures - eCommerce
- Merchant Procedures – POS (Point of Sale)
- Security Awareness Education List
- Device Inventory
- Device Sign-out Log
- NYU PCI Policy
- Related Policies
Contact the PCI Team at firstname.lastname@example.org if access is needed to this folder.
D. Cardholder data is considered “Restricted” data under NYU’s Data and System Security Policy and the Electronic Data and System Risk Classification Policy is defined as high institutional risk.
E. University Bursar approval is required before implementing software and installing equipment that processes, transmits, or stores cardholder data.
F. When processing payment card transactions, a school/business unit must use only vendors and technologies that have been reviewed and approved by the PCI Team. See Appendix B for list of compliant technologies and current PCI vendors.
G. All schools/business units with a Merchant Account Number/ID must maintain and secure an inventory of payment card processing devices and implement a process to track removal, relocation, decommissioned or substitution of devices. All devices and serial #s for devices must be recorded on device inventory.
H. Appropriate facility entry controls must be used to limit and monitor physical access to systems in the cardholder data environment.
I. A school/business unit storing, processing, or transmitting cardholder data or sensitive authentication data must annually complete a Self-Assessment Questionnaire (SAQ). The SAQ is a PCI-mandated attestation intended to allow each school/business unit to demonstrate their compliance with the PCI DSS.
II. General Requirements – Individuals with Access to Cardholder Data
A. Access to system components and cardholder data must be limited to only authorized / approved individuals whose job requires such access. Schools/business units must ensure that:
- Individuals are given a unique ID to access cardholder data necessary to perform his/her job.
- Individuals are instructed not to share cardholder information with others unless deemed necessary by a supervisor.
- All individuals who are involved with the acceptance of payment cards must be trained on this policy and the applicable school/business units’ procedures relevant to payment card processing prior to the PCI cardholder data environment.
- Approved access to system components and cardholder data requires a unique ID and access to authenticate users. Approved accounts administered (including add, modified and deleted) are processed and monitored. Inactive accounts are removed or disabled within 90 days.
B. Individuals, including full or part time employees, temporary employees, contractors or consultants, who may be exposed to cardholder data, webmasters developing eCommerce sites, and merchant managers responsible for merchant ID and location, must complete NYU Security Awareness Education (SAE) training annually.
C. To comply with NYU SAE training, all schools/business units must:
- Create and maintain a list of all individual whose NYU jobs have access, handle, process or store cardholder data or access to the NYU cardholder data environment.
- Send requests to the PCI Team at email@example.com to onboard personnel who need to take SAE training; or to remove personnel who no longer require SAE training.
- Ensure personnel comply with NYU’s SAE training upon hire or engagement and at least annually hereafter.
D. This policy must be disseminated to all relevant persons and entities who must acknowledge at least annually that they have read this policy and the applicable school/business units’ procedures.
E. Individuals who do not complete SAE training within the established timeline may compromise a school/business unit’s ability to process credit card payments.
F. NYU’s security policies to maintain secure systems, applications and cardholder data is documented and disseminated to all payment processing parties (including vendors, third-parties). NYU’s security monitoring and testing is documented and its practice / use is known to all affected parties.
III. STORAGE of Sensitive Authentication Data and Cardholder Data
A. Storage of any cardholder data or sensitive authentication data must be an encrypted resource or storage location.
B. Payment systems that involve receiving sensitive authentication data must have processes in place to delete such data after authentication and verify that it is unrecoverable.
C. All systems that store sensitive authentication data after authorization must adhere to the following requirements:
- The complete payment card number is not to be stored under any circumstances.
- The card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions, and the personal identification number (PIN), or the encrypted PIN block is not to be stored under any circumstances.
D. The Primary Account Number (PAN) must be masked when displayed (the first six and last four digits are the maximum number of digits permitted to be displayed). This must be done through the following means:
- Truncation by the POS system.
- If using a paper imprinter slip for card-present transactions and retention of the slip is necessary, the imprint slip should be photocopied after all digits of the PAN except the last four are masked. Merchant then can retain the photocopied version, but must cross shred the original copy.
- 3. If paper forms are used for card-not-present transactions (e.g., telephone and mail order) and retention of a section of the form is necessary, then the cardholder data section of the payment form must be removed and cross shredded so that there is reasonable assurance that the paper form cannot be read or reconstructed. If the paper form is photocopied and retained all of the PAN should be masked except for the last four digits. Merchants must cross shred the original copy.
- The truncated PAN is unreadable on portable digital media, backup media and in audit logs.
E. All paper and electronic media that contain cardholder data must be physically secured. Cardholder data that must be stored for business or legal reasons must be stored according to the NYU Policy on Retention and Destruction of Records and the Retention Periods for General Categories of Retainable Records (http://www.nyu.edu/content/dam/nyu/compliance/documents/Retention_Schedule.pdf).
F. All cardholder data must be kept in a locked filing cabinet in a secure area or a safe that is accessible only by employees whose jobs require that they have access to cardholder data. The filing cabinet or safe containing the cardholder data must be locked both during and after business hours.
G. All electronically stored data must be an encrypted medium.
IV. Protection of Devices Against Tampering
A. Any schools/business units with access to credit card processing equipment including POS swipe devices, credit and debit card readers, terminals, or computers must record device and serial # on the “Device Inventory” tab of department’s Dept PCI Management file maintained on NYU Box. Contact the PCI team at firstname.lastname@example.org if access is needed to this folder.
B. Schools/business units must have protective controls to protect a device against tampering to prevent against the unauthorized capture and use of payment cardholder data for fraudulent purposes.
C. Protective action against tampering includes:
- Periodic inspection of devices – See Appendix C for a “Device Inspection Checklist”
- Ensuring only authorized staff have access to credit card processing devices.
D. Any devices that are signed out by staff for an event must comply with the following procedures:
- Record employee and device being signed out in department’s device log.
- Have employee complete device sign-out sheet and provide employee with copy of NYU PCI Compliance Policy.
- Upon return of device, Merchant Manager should inspect device per the “Device Inspection Checklist” provided in Appendix C.
E. The identity of any third party persons claiming to be repair or maintenance personnel must be verified prior to granting them access to modify or troubleshoot devices. Do not install, replace or return devices without verification.
F. Be aware of suspicious behavior around devices (for example, attempts by persons to unplug or open devices).
G. Report suspicious behavior and indications of device tampering or replacement of devices to the PCI team at email@example.com.
H. The NYU PCI Compliance Team reserves the right to conduct periodic announced and unannounced device inspections as part of the University’s compliance requirements.
I. At least annually, all public-facing web applications that process or transmit card holder data are scanned to prevent and detect new threats and vulnerabilities on an ongoing basis and are protected against known attacks.
J. Also, various internal and external scans are performed on annual and on-demand as needed to monitor the card processing environment.
V. TRANSMISSION of Sensitive Authentication Data and Cardholder Data
A. Transactions processed are settled daily. NYU has implemented security protocols and cryptography to safeguard sensitive cardholder data to and through public networks with the use of trusted certificates. All approved vendors must configure all devices to the industry best practice of strong encryption for authentication and transmission.
B. Encrypted PAN’s are secure with encryption and unreadable during transmission of sensitive cardholder data. Unencrypted PANs must never be sent by end-user messaging technologies (e.g., e-mail or instant messaging).
C. All schools/business units must maintain strict control over the internal or external distribution of any kind of media that contain cardholder data. All material moved from a designated secure area must be marked confidential, documented on a media removal tracking log, and transported by a document service such as Fed Ex or the U.S. Post Office with a tracking number.
D. No material containing cardholder data may leave the schools/business units that accepted it for processing.
E. Implemented trusted encryption keys / certificates include access and monitoring processes to verify that devices are configured and transmitting securely. Devices that do not support the schools/business unit’s encryption are not utilized.
VI. DESTRUCTION of Sensitive Authentication Data and Cardholder Data
A. All physical cardholder data (e.g., paper documents) that is deemed not essential must be properly destroyed. All electronic storage data also must be properly destroyed if there is no business or legal reason for which it should be kept.
B. Proper means of destroying hard-copy material include physical destruction, such as shredding, incineration, or pulping hard copy materials, so that cardholder data cannot be reconstructed. Electronic cardholder data must be rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion.
C. If storage of cardholder data is necessary for business or legal purposes, portable media used to store cardholder data, including hard-copy material, must be stored in a locked cabinet. All electronic cardholder data must be encrypted and password protected.
VII. Disposition of Devices
A. Disposal of credit card processing devices must comply with the following procedures:
- Contact the PCI Team at firstname.lastname@example.org to inform the need to dispose a credit card processing device.
- A PCI Team member will arrange for pick-up of device in order to comply with proper disposal procedures.
- Once PCI Team member picks up the device, it is the school/business unit’s responsibility to update the department’s device inventory list timely.
- Devices should never be placed in the trash and/or disposed of without notification to the PCI Team.
B. Any credit card processing devices that are inactive or not utilized for more than two years may be requested by the NYU PCI Team for return and disposal.
VIII. Processing Using External Service Providers
A. When cardholder data is shared with external service providers, procedures to manage these providers must be developed and maintained by the applicable school/business unit utilizing their services. These procedures must include:
- Creating and maintaining a complete list of service providers who can access any POS system or any cardholder data, including companies or individuals who are not employees of NYU.
- Coordinating with the University’s Office of Purchasing Services & Contract Administration to obtain and maintain a written agreement with the service provider that includes the service provider’s acknowledgement of their responsibility for the security of cardholder data that it processes, transmits or stores. The procedure for engaging service providers must include proper due diligence prior to engagement.
- Obtaining and monitoring each service provider’s PCI DSS compliance status at least annually by requesting a copy of its annual Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC)/ Attestation of Compliance (AoC).
B. The process for engaging service providers must include proper due diligence prior to the engagement. Merchants should liaise with the University’s Office of Purchasing Services & Contract Administration to contract work only with PCI DSS compliant service providers and check the references of such providers. Contracts with external service providers must incorporate NYU’s third- party service requirements language.
IX. Incident Management
A. Anyone who learns of an actual or potential cardholder data security breach must immediately inform the school/business unit Merchant Manager, the NYU PCI Team at email@example.com and Office of Information Security (OIS) at firstname.lastname@example.org for security response detection, prevention and restoration. See also Section XI for Related Policies and Legal Consideration.
B. NYU will respond to and investigate any reported incident to cardholder data that may have been accessed or compromised during the processing, transmission or storage without authorization. Indications that such an investigation may be necessary include, but are not limited to, the following:
- A computer or device involved in credit card processing is compromised. You may observe a virus or other malware installed on the system or that unauthorized configuration changes have been made that cannot be adequately explained.
- Vulnerability is discovered that could be used to gain unauthorized access to cardholder data.
- An external report is received that indicates that NYU may be a source of fraudulent transactions, or that cardholder data from NYU has been accessed without authorization.
- Paper, tapes, usb-keys, laptops, or other media containing cardholder data have been lost or cannot be accounted for.
- Cardholder data has been discussed in public or overheard without authorization.
- Any reports, events or vulnerabilities with a service provider or other third- parties involved.
C. If a cardholder data security breach involving electronic resources is suspected, the IT Security Information Breach Notification Policy and Plan, which is available on a 24/7 basis to respond to security events / incidents, as well as the procedure of the affected credit card company/companies, must be followed.
- You must notify the relevant school/business unit Merchant Manager immediately to report the suspected breach.
- The school/business unit Merchant Manager is required to report the suspected breach to NYU IT Global Office of Information Security (email@example.com) and the PCI Team at firstname.lastname@example.org.
D. In the event a cardholder data breach involving non-electronic resources (for example, paper documents) is suspected, you must notify the relevant school/business unit Merchant Manager immediately to report the suspected breach. The school/business unit Merchant Manager is required to notify the University Bursar.
E. If you suspect credit card fraud, please follow the procedures outlined in the NYU Identity Theft Prevention Program.
X. Enforcement of On-Going Compliance
A. Periodic reviews of processing payment cards’ safeguards against exposure by the University Bursar, and payment card handling procedures are subject to audit by NYU Internal Audit, the Office of Compliance and Risk Management, and NYU’s external auditors. In addition, NYU IT Global Office of Information Security must periodically conducts assessments of security controls to safeguard technology implementations, including but not limited to periodic network- vulnerabilities scans.
B. NYU’s annual risk assessment program identifies critical assets, threats and vulnerabilities and analysis of risk including the Gramm-Leach-Bliley Act (GLBA.)
C. Various system and component logs are periodically reviewed based on NYU’s policies and risk management strategy. NYU IT reviews logs and security events for critical system components (to identify anomalies or suspicious activity on a daily basis).
D. NYU’s PCI in scope device audit log retention policies require logs retention for at least one year, with a minimum of three months immediately available for analysis of anomalies or suspicious activity.
E. NYU schools/business units with Merchant Account Numbers that do not comply with this policy and approved protection for the processing, transmission and storage procedures subject to PCI DSS and this policy may lose the privilege to serve as a payment card merchant.
F. Individuals in violation of this policy are subject to the full range of sanctions.
XI. Related Policies and Legal Considerations
The following University IT policies (www.nyu.edu/it/policies) address topics that are related to this policy:
- Policy on Responsible Use of NYU Computers and Data
- Data and System Security Policy
- Electronic Data and System Risk Classification Policy
- Management of NYU Network Infrastructure Resource Policy
- IT Security Information Breach Notification Policy and Plan
- New York University GLBA Information Security Program
- NYU IT NYU-NET Operational Principles
Many states and countries have laws that apply to payment card transactions with which schools/business units accepting payment cards for goods or services must comply. Current applicable New York State law is summarized in Appendix E. For further information regarding applicable law, schools/business units accepting payment cards should contact the Office of General Counsel.
- Appendix A: PCI DSS Definitions
- Appendix B: NYU PCI Vendors & Payment Card Processing Technologies
- Appendix C: Device Inspection Checklist
- Appendix D: NYU PCI Team: Roles and Responsibilities
Appendix A: PCI DSS Definitionstop
- Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data also may appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See the definition of “Sensitive Authentication Data” for additional data elements that constitute account data and may be transmitted or processed (but not stored) as part of a payment transaction. As generally used in this policy, cardholder data refers to all of the information specified above.
- Cardholder Data Environment: The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.
- Payment Card: Any payment card, including debit cards, which is issued by one of the leading payment card brands or associations.
- Merchant: Any person or entity (such as a school/business unit) that accepts payment cards bearing the logos of any of the five founding members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
- Payment Application Data Security Standard (PA DSS): Requirements and security assessment procedures that apply to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement where these payment applications are sold, distributed, or licensed to third parties. This standard includes what a payment application must support to facilitate an entity’s PCI DSS compliance.
- Payment Card Industry Data Security Standard (PCI DSS): A comprehensive set of requirements established by the PCI SSC for enhancing payment account data security. It is a multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical safeguard measures.
- PCI Security Standards Council (PCI SSC): The organization founded by American Express, Discover, MasterCard, JCB and Visa that defines credentials and qualifications for assessors and vendors, as well as maintaining the PCI DSS.
- Point of Sale (POS): Hardware and/or software used to process payment card transactions at merchant locations.
- Primary Account Number (PAN): The composite number code of 14 or 16 digits embossed on a bank or payment card and encoded in the card's magnetic strip. The PAN identifies the issuer of the card and the account including part of the account number, and contains a check digit that verifies the authenticity of the embossed account number.
- Report on Compliance (ROC): Report containing details documenting an entity’s compliance status with the PCI DSS.
- Self-Assessment Questionnaire (SAQ): Tool used by any entity to validate its own compliance with the PCI DSS.
- Sensitive Authentication Data: Security-related information including, but not limited to, card validation codes/values (e.g., three-digit or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2 data), full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions. Sensitive authentication data must not be stored after authorization.
Appendix B: NYU Approved Payment Card Processing Technologies & Current Vendorstop
I. eCommerce Portal
The NYU eCommerce Portal is the preferred service for accepting online electronic payments at NYU.
The NYU eCommerce Portal is NYU's electronic payment processing system that leverages Cybersource PSP, which is NYU’s preferred eCommerce solution. It is a transaction-based system that accepts ePayment transactions for both one-time and recurring payments. This service may be implemented to receive payment for items such as online gift donations, conference registration, and specific fees related to a university event, or other products and services.
Note: The eCommerce Portal service provides only electronic payment processing. Additional functionality, such as event enrollment or inventory sales, is not specifically provided by this service.
Alternative technologies for accepting online electronic payments must be approved by the University Bursar.
II. Standalone Point of Sale (POS) terminals
Standalone POS terminals will be used to process card-present, phone order, mail order, and faxed credit card payments. These terminals, which have a built in key pad and magnetic card reader, encrypt cardholder data at the point of swipe or entry and can be configured to communicate via an IP network, a plain old telephone service (POTS) line, or a cellular wireless connection. To obtain the approved device list, please contact FSM.
III. List of Current Vendors
Below is a list of current NYU vendors who may possess, process, store, transmit cardholder data, or have the ability to impact the security of cardholder data.
Merchants looking to contract with a vendor that is not listed below must contact the PCI Team at email@example.com to request a PCI vendor review prior to contract or purchase order issuance.
To obtain the current vendor list, please contact firstname.lastname@example.org.
Appendix C: Device Inspection Checklisttop
Upon receipt of a credit processing device, record the device make, model, date of receipt, serial #, and device location (address of the site or facility) on your department’s Device Inventory log which can be found on NYU Box. Contact email@example.com if you need access or have questions on maintaining the Device Inventory log. When the payment processing device is connected and active, conduct periodic device inspections. At the minimum, inspections should occur monthly, or for devices that are signed out by a staff for an event, device inspection should be performed upon return of all devices. When inspecting a device, check for the following:
- Check the serial # on sticker and NYU asset ID on label ensure it matches the serial # and asset ID recorded in your device inventory log. If your device has a method of displaying the serial number for the device, check that the serial # on the back of device matches the serial # electronically displayed for the device.
- Run your finger along the serial # label to confirm there is no tampering.
- Terminals often have security stickers placed over screw holes to indicate potential tampering of a device. Check the stickers and labels to confirm the integrity of the label.
- Inspect the device for any additions you may not recognize, looking for small skimming devices or key loggers could be attached to a device.
- Inspect the wires and connections to the device for anything unfamiliar.
- Check for any unfamiliar devices around the work area. Smartphones should not be utilized near any credit card devices to prevent from potential capturing of credit card data.
- Inspect the surrounding area for the device, looking for possible cameras that may have been added (these can often be very small and easy to hide).
The NYU PCI Team reserves the right to conduct periodic, announced and unannounced inspection of devices as part of the University's compliance requirements.
The NYU PCI Team (firstname.lastname@example.org) may request any devices inactive for more than two years for return and disposal.
Appendix D: Roles and Responsibilitiestop
The PDF Appendix D: Roles and Responsibilities contains recommended roles and responsibilities for compliance activities within NYU PCI Compliance Program. The tasks, which have been broken down by their frequency, are standard activities that would be required of any merchant who processes payment cards.
Appendix E: Other Applicable Lawtop
New York State Law
Schools/units accepting payment cards for goods and services in New York must apply with New York state law. In summary, current New York State law mandates that:
A. A merchant in a sales transaction is prohibited from imposing a surcharge on a purchaser who elects to use a credit card in lieu of payment by cash, check, or similar means.
B. A merchant who accepts credit cards and who imposes minimum purchase amounts for use of a credit card or excludes card payments for discounted items must conspicuously post such limitations or conditions and include them in all advertisements that otherwise mention that credit cards are accepted.
C. A merchant must use paper forms for payment card transactions which do not produce carbon copies or render a separate piece of paper that readily identifies the cardholder by name or number, except as necessary to allow the merchant to complete the transaction. A merchant is prohibited (i) from writing or requiring a cardholder to write any personal identification information (such as an address or phone number) on such form or any attachment to it that is not required to complete the sales transaction (such as a shipping address) and (ii) from printing the expiration date of the card or more than the last five digits of the card number on any receipt provide to the cardholder.
See the following sections of New York General Business Law for further information.
- New York General Business Law §518. Credit card surcharge prohibited.
- New York General Business Law §519. Disclosure by commercial establishments honoring credit.
- New York General Business Law §520-a. Certain credit and debit card transaction forms required.
Schools/units accepting payment cards in or from other jurisdictions should contact the Office of General Counsel regarding applicable law.
About This Policy
Effective Date Supersedes Policy dated April 11, 2012 Issuing Authority Executive Vice President for Finance and Information Technology Responsible Officer Executive Vice President for Finance and Information Technology; Office of the Bursar
1. Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data also may appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See the definition of “Sensitive Authentication Data” for additional data elements that constitute account data and may be transmitted or processed (but not stored) as part of a payment transaction. As generally used in this policy, cardholder data refers to all of the information specified above.
2. Cardholder Data Environment: The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.
3. Payment Card: Any payment card, including debit cards, which is issued by one of the leading payment card brands or associations.
4. Merchant: Any person or entity (such as a school/unit) that accepts payment cards bearing the logos of any of the five founding members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
6. Payment Application Data Security Standard (PA DSS): Requirements and security assessment procedures that apply to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement where these payment applications are sold, distributed, or licensed to third parties. This standard includes what a payment application must support to facilitate an entity’s PCI DSS compliance.
7. Payment Card Industry Data Security Standard (PCI DSS): A comprehensive set of requirements established by the PCI SSC for enhancing payment account data security. It is a multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical safeguard measures.
8. PCI Security Standards Council (PCI SSC): The organization founded by American Express, Discover, MasterCard, JCB and Visa that defines credentials and qualifications for assessors and vendors, as well as maintaining the PCI DSS.
9. Point of Sale (POS): Hardware and/or software used to process payment card transactions at merchant locations.
10. Primary Account Number (PAN): The composite number code of 14 or 16 digits embossed on a bank or payment card and encoded in the card's magnetic strip. The PAN identifies the issuer of the card and the account including part of the account number, and contains a check digit that verifies the authenticity of the embossed account number.
11. Report on Compliance (ROC): Report containing details documenting an entity’s compliance status with the PCI DSS.
12. Self-Assessment Questionnaire (SAQ): Tool used by any entity to validate its own compliance with the PCI DSS.
13. Sensitive Authentication Data: Security-related information including, but not limited to, card validation codes/values (e.g., three-digit or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2 data), full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions. Sensitive authentication data must not be stored after authorization.
The following University policies address topics that are related to this policy: