Policy No: 2041
Responsible Office: Treasury Management
Last Review Date: 05/14/2026
Next Required Review: 05/14/2027

Payment Card Industry (PCI) General Merchant Policy


1. Purpose

During the normal course of business, many departments and organizations within the University, including its hospitals and other affiliates of the University, process payment card transactions subject to the Payment Card Industry Data Security Standard (PCI DSS). Mishandling cardholder data associated with payment card transactions may result in the loss of customer data, leading to possible reputational damage or financial loss for the University. USA adheres to the highest standards related to the security of cardholder data and must follow the guidelines set by the PCI DSS. This policy will be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment (PCI DSS Req 12.1.2).

2. Applicability

Compliance with this policy is mandatory for all USA faculty, staff, students, merchants, departments, organizations, third-party vendors, individuals, systems, and networks involved in accepting, processing, transmitting, storing, or disposing of cardholder data, or that have access to cardholder data.

3. Definitions

For purposes of this Policy and the USA Payment Card Industry (PCI) General Merchant Procedures, the following terms and definitions apply:
 
USA: University of South Alabama and all affiliated organizations including USA Health University Hospital, USA Children’s and Women’s Hospital, USA Health Care Authority, and all USA clinics. 
 
Cardholder: Someone who owns and benefits from the use of a membership card, particularly a credit card. 
 
Cardholder Data (CHD): any personally identifiable information (PII) associated with a person who has a credit or debit card. Cardholder data includes the primary account number (PAN) along with any of the following data types: cardholder name, expiration date, or service code. The term cardholder data is interchangeable with payment card data throughout this policy. Under PCI DSS v4.0.1, this falls under the broader category of Account Data, which includes both cardholder data and Sensitive Authentication Data (SAD).
 
Cardholder Data Environment (CDE): a computer system or networked group of IT systems that processes, stores, and/or transmits cardholder data or sensitive authentication data. A CDE also includes any component that directly connects to or supports this network. 

Disposal: CHD must be disposed of in a manner that renders all data unrecoverable. This includes paper documents and any electronic media including computers, hard drives, magnetic tapes, and USB storage devices. The approved disposal methods are cross-cut shredding, incineration, or approved shredding or disposal services.

Sensitive Authentication Data (SAD): Security-related information (including but not limited to CVC2/CVV2, PINs, and full track data) used to authenticate cardholders. SAD must never be stored. 
 
Merchant or Department: a USA department or operating unit that has applied for and been approved to accept credit/debit card payments for goods and/or services. A merchant is assigned a specific merchant account, which is used to process all credit/debit card transactions via a USA-approved payment card processor.   
 
Payment Card: refers to both credit and debit cards. Payment card processing is defined as using any application or device to process a credit/debit card transaction as payment for goods and/or services from a USA merchant.  
 
Payment Card Industry Data Security Standard (PCI DSS): a mandated set of requirements agreed upon by the PCI Security Standards Council (PCI SSC): VISA, MasterCard, Discover, American Express and JCB. These security requirements apply to all transactions surrounding the payment card industry and the merchants/organizations that accept these cards as forms of payment. Current Standard: PCI DSS v4.0.1 
 
Self-Assessment Questionnaire (SAQ): a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the PCI DSS. This must be completed annually by the Treasury Management Department. 

4. Policy Guidelines

The University of South Alabama (USA) is required by the credit card associations to be compliant with the PCI DSS and is committed to providing a secure environment to protect cardholders and USA against both loss and fraud. This policy outlines USA’s commitment to securely process, store, transmit and dispose of cardholder data by complying with the PCI DSS. The PCI General Merchant Operating Procedures will provide further guidance on properly processing, storing, and transmitting payment cards while fulfilling the University’s responsibility to comply with the PCI DSS. Additional Cardholder Data Environment Policies are referenced in section 7.1 below.  
 
Adherence to this policy will help ensure that cardholder data is protected and kept secure from unauthorized access. A copy of this policy must be read and signed annually by all individuals involved in the payment card process. Signed copies of this policy will be maintained by the respective departments and the Treasury Management Department.
 
4.1  Authority to Maintain Procedures
 
The Executive Director of Treasury Management and the Manager of Merchant Services & PCI Compliance are authorized to develop, enforce, and update the USA PCI General Merchant Procedures to ensure continued compliance with evolving PCI DSS standards. These Procedures serve as the binding operational requirements for this Policy. Revisions to the Procedures document, including updates required by new PCI DSS versions or changes in risk analysis, do not require re-authorization of this Policy, provided the changes remain consistent with the University’s overall governance and risk tolerance.

5. Procedures

5.1  Merchants 
 
All merchants accepting payment cards on behalf of USA must be authorized by the Treasury Management Department. See USA PCI General Merchant Procedures for more details. 

5.2  Cardholder Data Protection 
 
Access to payment card data and system components will be limited to those employees whose jobs require such access. See USA PCI General Merchant Procedures for more details. 

5.3  Hardware, Software, and Technology 
 
Changes to hardware, software, or other payment card systems that process payment card transactions must be approved by the Department of Information Security and the Treasury Management Department before implementation. In addition, each merchant shall maintain a list of all software, technologies, and any equipment/devices. See USA PCI General Merchant Procedures for more details. Access to systems in the CDE must be authenticated using Multi-Factor Authentication (MFA) in accordance with PCI DSS standards.

Risk-Based Approach: The University employs a Targeted Risk Analysis (TRA) methodology to determine the appropriate frequency of periodic security controls (such as device inspections and log reviews) in accordance with PCI DSS v4.0.1 Req 12.3.1. The Executive Director of Treasury Management or Manager of Merchant Services and PCI Compliance is authorized to define these frequencies based on the environment's risk profile.

5.4  Third Party Vendors and Service Providers 
 
Third parties must be contractually required to adhere to the PCI DSS requirements. Contracts with third-party vendors and service providers must define each party’s roles and responsibilities with respect to the PCI DSS. Any agreements with third parties must be approved by the Treasury Management Department, Office of Information Security, and a University Contract Officer. See USA PCI General Merchant Procedures for more details. Department managers must maintain an up-to-date Responsibility Matrix defining which PCI requirements are managed by USA and which are managed by the vendor. 

5.5  Security Incident and Identification 
 
Employees must be aware of their responsibilities in detecting security incidents. All employees have a responsibility to assist in the incident response within their departments. See USA PCI General Merchant Procedures for more details. 

5.6  Reporting and Responding to an Incident 
 
To report a suspected or confirmed breach, vulnerability, or security incident involving cardholder data, individuals must immediately contact the Treasury Management Department at pci@southalabama.edu and the Office of Information Security at infosec@southalabama.edu. The Treasury Management Department will contact the necessary parties and, if necessary, law enforcement. See USA PCI General Merchant Procedures for more details.

5.7  Security Awareness 
 
Employees with access to cardholder data or involved in any way with processing, storing, or transmitting cardholder data must acknowledge that they have read and understand the USA Payment Card Industry (PCI) General Merchant Policy on an annual basis. See USA PCI General Merchant Procedures for more details. 

5.8  Phishing and Social Engineering Training 
 
Security awareness training must be completed annually and include specific modules regarding phishing and social engineering threats, as required by PCI DSS v4.0.1.

5.9  Policy Acknowledgement and Execution
 
All Merchant Department Responsible Persons (MDRPs) and individuals who have access to cardholder data (PCI Users) are required to acknowledge this policy annually.

MDRPs must ensure that all PCI Users within their department read this policy and sign the PCI User Acknowledgement & Acceptable Use Agreement (located in the USA PCI General Merchant Procedures). Signed agreements must be maintained by the department and made available to Treasury Management or Internal Audit upon request.

6. Enforcement

Non-compliance with the PCI DSS can mean that a merchant is vulnerable to breach. For this reason, banks and credit card institutions can apply additional monthly fees to non-compliant merchant accounts or even revoke their ability to accept payment cards.  
 
Failure to meet the requirements outlined in this policy and its related procedures may result in suspension of the physical and, if appropriate, electronic payment capability with payment cards for affected departments/units. Additionally, if appropriate, any fines and assessments imposed by the affected payment card company will be the responsibility of the impacted departments/units. Employees in violation of this policy are subject to sanctions, including loss of computer or network access privileges, disciplinary action, up to and including termination of employment, as well as legal action. Some violations may constitute criminal offenses under local, state, or federal laws. The University will carry out its responsibility to report such violations to the appropriate authorities. 

Clinical Environment Restriction: Cardholder Data (CHD) is classified as Restricted Data. To ensure compliance with both HIPAA and PCI DSS, CHD must never be entered, stored, or noted in the Electronic Health Record (EHR) system or patient medical files. If CHD is found in patient records, it must be immediately redacted in coordination with Compliance and Information Security.

7. Related Documents

7.1  Related Regulations and/or Policies  
 
Cardholder Data Environment Policies: 
 
7.2  Other Related Documents and/or Procedures 
 
USA PCI General Merchant Procedures: 
/departments/csc/informationsecurity/resources/34-usa-payment-card-industry-general-merchant-procedures.pdf 
 
7.3  References  
 
Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org

7.4  Responsible Offices:
 
• Treasury Management Department, pci@southalabama.edu 
• Office of Information Security, infosec@southalabama.edu