|Responsible University Administrator:||Vice President for Finance and Administration|
|Responsible Officer:||Director of Student Financial Services|
|Current Revision Date:||N/A|
|Next Review Date:||07/01/17|
|End of Policy Date:||N/A|
|Payment Card Industry Data Security Standards (PCI DSS)||The security requirements defined by the Payment Card Industry Security Standards Council and the 5 major Payment card Brands: Visa, MasterCard, American Express, Discover, and JCB. These security requirements apply to all transactions surrounding the payment card industry and the merchants/organizations that accept these cards as forms of payment. Further details about PCI can be found at the PCI Security Standards Council Web site (https://www.pcisecuritystandards.org)|
|Cardholder||Someone who owns and benefits from the use of a membership card, particularly a payment card.|
|Cardholder Data (CHD)||Those elements of payment card information that are required to be protected. These elements include Primary Account Number (PAN), Cardholder Name, Expiration Date and the Service Code.|
|Primary Account Number (PAN)||Number code of 14 or 16 digits embossed on a bank or payment card and encoded in the card's magnetic strip. PAN identifies the issuer of the card and the account, and includes a check digit as an authentication device.|
|Cardholder Name||The name of the Cardholder to whom the card has been issued.|
|Expiration Date||The date on which a card expires and is no longer valid. The expiration date is embossed, encoded or printed on the card.|
|Service Code||The service code that permits where the card is used and for what.|
|Sensitive Authentication Data||Additional elements of payment card information that are also required to be protected but never stored. These include Magnetic Stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data and PIN/PIN block.|
|Magnetic Stripe (i.e., track) data||Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full magnetic-stripe data after transaction authorization.|
|CAV2, CVC2, CID, or CVV2 data||The three- or four-digit value printed on or to the right of the signature panel or on the face of a payment card used to verify card- not-present transactions.|
|PIN/PIN block||Personal Identification Number entered by cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message.|
|Disposal||CHD must be disposed of in a certain manner that renders all data un-recoverable. This includes paper documents and any electronic media including computers, hard drives, magnetic tapes, USB storage devices,(Before disposal or repurposing, computer drives should be sanitized in accordance with the (Institution’s) Electronic Data Disposal Policy). The approved disposal methods are: Cross-cut shredding, Incineration, Approved shredding or disposal service|
|Department||Any department or unit (can be a group of departments or a subset of a department) which has been approved by the (institution) to accept payment cards and has been assigned a Merchant identification number.|
|Database||A structured electronic format for organizing and maintaining information that is accessible in various ways. Simple examples of databases are tables or spreadsheets.|
In order to accept credit and debit card payments, The University of Southern Mississippi must prove and maintain compliance with the Payment Card Industry Data Security Standards (PCI-DSS). The University of Southern Mississippi Payment Card Security Policy and additional supporting documents provide the required guidance for processing, transmission, storage and disposal of cardholder data. This is done in order to reduce the institutional risk associated with the handling of payment card data and to ensure proper internal control and compliance with the PCI-DSS.
It is the policy of The University of Southern Mississippi to allow acceptance of payment cards as a form of payment for goods and services upon written approval from the university Merchant Services/PCI Compliance Committee. The University of Southern Mississippi requires all departments that accept payment cards to do so only in compliance with the PCI DSS and in accordance with the procedures outlined in this policy document, The University of Southern Mississippi “Administration and Department Procedures” and other supporting documents.
The Director of Student Financial Services is responsible for review of this policy annually.
Annual Merchant Survey Renewal
Department Policy Template
Administration and Department Procedures
Information Security Incident Response Plan
Department Payment Card Responsibilities
Amendments: Month, Day, Year – summary of changes
New policy instituted in 2016.