PCI Documentation
This document was reviewed and updated as needed on November 21, 2018
The department payment card policy is to accept payment card (credit and debit card) transactions for the purchase of youth programs and activities. These transactions take place either in person or online. In-person transactions use a swipe terminal located in our department office in Langton 125; online transactions are made only through individuals' personal computers. Any payment card information received in person will not be used or stored for future transactions.
All card processing activities and related technologies must comply with the most recent version of the Payment Card Industry Data Security Standard (PCI DSS) in its entirety. No activity may be conducted nor any technology employed that might obstruct compliance with any portion of the PCI DSS.
This operational procedures document shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the environment. A list of service providers is kept at the merchant level, and any changes will be provided to Business Affairs. Written agreements with each service provider will be maintained. If the service provider is TouchNet, the agreement will be maintained by Business Affairs.
ACCEPTING CREDIT OR DEBIT CARDS AS A FORM OF PAYMENT
Our department accepts payment for goods and services by cash, check, or credit/debit card. Gift cards are not allowed. Under no circumstances does KidSpirit ever store, process or transmit cardholder data on OSU systems or premises. Below are the ways we accept credit/debit card payments, with an explanation of the steps required to accept payment.
In-Person:
The majority of credit/debit card payments are received in person. When credit card information is received in person, the following process is followed:
1. Verify the credit card is signed. If the card is not signed, ask the customer for a photo ID and have them sign the card or write "see ID" in the signature field.
2. Enter the amount to be charged to the card into the machine.
3. Swipe the credit card. If the machine will not read the card, enter the number manually into the machine. Do not write down the number or any other identifying information.
4. Have the customer sign the merchant copy of the receipt. Verify that the signature matches the card.
5. Place the signed copy in the receipt slot of the drawer.
6. Give the customer copy of the receipt and the credit card back to the customer.
If the credit card is declined, ask for an alternative form of payment. The customer will need to contact their credit card company for further information.
Online:
Our department accepts credit/debit card payments online. Customers are required to navigate to our department website http://kidspirit.oregonstate.edu/ using their personal computer. Once at our website, the customer is able to choose the items they want to purchase. Once this "shopping cart" has been finalized, the customer enters their contact information and is automatically redirected to the https://apps.ideal-logic.com/osukidspirithiring website for processing of their payment card. This payment page is fully outsourced to Ideal-Logic, a PCI DSS validated third-party service provider.
Email and Other End User Technologies:
Email and other end-user technologies are NOT acceptable methods of transmitting credit card data. If such an email is received, note the sender's email address and delete the email immediately. Then, in a separate email that does not include the card information from the original correspondence, contact the customer and explain the proper ways in which they may complete their transaction. Also contact Central Network (CN) to delete the email.
All KidSpirit staff/volunteers complete the Oregon State University Criminal History Background Checks (renewed every two years) which includes handling money, working with sensitive information, and working with youth.
If a new employee has been identified as being involved in the payment transaction process and may have access to confidential information related to payment cards ("Cardholder Information": payment card numbers, expiration dates and demographic cardholder information), and such access is given only to those whose jobs require it, the department requires the following:
The new employee must have a PCI DSS background check completed if they will have access to cardholder data or the cardholder data environment, or if they will have access to more than one card number at a time when facilitating a transaction. The background check includes: 1) a Social Security number check, 2) a criminal background check, and 3) a national sex offender registry check. The PCI DSS background check is requested by contacting the Office of Human Resources.
The new employee must review the Payment Card Industry Data Security Standards (PCI DSS), as well as the Oregon State University Policies and Standards concerning data privacy.
Once the new employee has completed the above steps, they must sign an acknowledgment that they have done so.
The Payment Card Merchant Manager receives University provided PCI DSS training annually. Other employees with access to payment card information are also required to receive this training in addition to annual training from the Payment Card Merchant Manager.
Documentation of all PCI DSS training that has been provided, and to whom, is held by the Payment Card Merchant Manager.
Terminated employees' access to all swipe terminal(s) is removed immediately, as is that of any employee whose job duties have changed such that they no longer require access. It is the responsibility of the Payment Card Merchant Manager to ensure that the user list on file with Business Affairs is current and updated with all changes to system access.
Merchant Managers must limit access to the payment system to those employees who are directly involved in processing card payments. All system users must have unique user IDs and passwords. Group IDs and shared passwords are strictly prohibited. It is the Merchant Manager's responsibility to immediately terminate the system access of any group IDs or shared passwords that are discovered.
Passwords must meet the PCI DSS minimum standards for length and for the mix of numeric and alphabetic characters, which must vary in order to provide better protection. If using TouchNet, these standards are met and the configurations are managed centrally.
Usage of Swipe Terminal - The payment card swipe terminal will only be operated by the Merchant Card Manager and any other employee who has received department training.
Inspection of Swipe Terminal - A list of machines in use, including serial numbers, jack numbers, additions, locations, etc., is maintained, with changes/updates provided to Business Affairs. The swipe terminal will be visually inspected daily or upon use to look for tampering or substitution (unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings). If there are signs of tampering, or the serial number appears to be different, report this immediately to the Payment Card Merchant Manager. Personnel are trained how to inspect devices for tampering and how to report suspicious behavior. Staff will verify the identity of any individuals claiming to be repair or maintenance personnel before giving them access to modify or troubleshoot the swipe terminal.
Storage of Swipe Terminal - The swipe terminal will be stored in a locked cabinet when not in use. All paperwork regarding pending transactions will also be kept in a secure, locked cabinet or drawer until it has been processed. Immediately after processing, such paperwork will be cross-cut shredded. Cardholder data is never stored electronically. If any media containing cardholder data does exist, all such media is physically secured, strict control is maintained over its internal or external distribution and over its storage and accessibility, and it is destroyed securely when no longer needed: hardcopy is cross-cut shredded, and storage containers used for such material are destroyed securely.
The Merchant Manager is responsible for maintaining a written agreement with any non-TouchNet service provider that acknowledges that the provider is responsible for the security of cardholder data that the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to any extent that could impact the security of the customer's cardholder data environment. If the service provider is TouchNet or Elavon Merchant Services, these agreements are managed centrally. The service provider's PCI DSS compliance status must be verified annually. If using OSU's approved service providers, this process is managed centrally.
Phone number: 1-800-777-7240
To help things run faster, when prompted, enter the merchant number (2211562992), followed by the pound (#) key.
Option 3 of the first menu will take you to technical problems, and option 2 of the following menu will select "desktop or wireless terminals". From here, you can speak to a customer service representative about any issue pertaining to the credit card machine. They will ask for a name, and you can give your own. The email on file is kidspirit@oregonstate.edu, and the address is 125 Langton Hall, Corvallis, OR, 97331. From there you should be able to get any information you may need pertaining to the card machine.
All personnel are aware of the security plan and it will be updated annually by Business Affairs.
The incident response plan is maintained centrally and can be found in the Fiscal Operations (FIS) Manual 104: e-Commerce Policy. All security incidents involving payment card cardholder data must be immediately reported to the Business Affairs Office and handled centrally.
Failure to comply with cardholder data security policies and procedures may result in disciplinary action up to and including suspension, restriction or loss of privileges, termination, and potential civil and criminal fines and penalties.