Carnegie Mellon University

Payment Card Acceptance Policy

POLICY TITLE: Payment Card Acceptance Policy
POLICY OWNER AND RESPONSIBLE OFFICE: Treasurer's Office
CONTACT INFORMATION pci-dss@lists.andrew.cmu.edu
DATE OF ISSUANCE: This policy was approved by the President on March 1, 2022.
DATE OF LAST REVIEW: N/A
ENTITIES AFFECTED BY THIS POLICY: All academic or administrative departments, divisions and other business units of the university accepting card payments for or on behalf of the university and/or supporting that activity.
WHO NEEDS TO KNOW ABOUT THIS POLICY: Faculty, staff, student employees and third-party service providers/contractors of the university involved in accepting card payments for or on behalf of the university and/or supporting that activity.
DEFINITIONS: Refer to Section IV.
FORMS/INSTRUCTIONS: Templates are available at www.cmu.edu/finance/pcidss.
RELEVANT DOCUMENTS: PCI Security Standards Council Document Library

I. Policy Statement

All Cardholder Data and the Cardholder Data Environment shall be protected in accordance with the Payment Card Industry Data Security Standards (PCI-DSS) and the policies, guidelines and procedures published by the Treasurer’s Office with support from the Information Security Office (ISO).

II. Policy Goals

This Policy aims to:

  • Maintain security and ensure that Cardholder Data is never stored electronically in the university’s Cardholder Data Environment.
  • Enable submission of the university’s consolidated report on compliance to the Merchant Acquiring Bank.
  • Reduce PCI scope to limit risk and administrative burden at Carnegie Mellon University, as well as to manage the costs associated with the PCI-DSS compliance and reporting program.

III. Applicability

This Policy applies to all faculty, staff, student employees and third-party service providers/contractors of the university who store, process or transmit Cardholder Data for or on behalf of the university. This Policy also applies to faculty, staff, student employees and third-party service providers/contractors that provide support services for the storage, processing or transmission of Cardholder Data for or on behalf of the university or otherwise affecting the security of such Cardholder Data.
Individuals authorized to access Cardholder Data shall adhere to roles and responsibilities, as defined by the Treasurer’s Office with support from ISO.

IV. Definitions

  • Card Payment — Any payment method that utilizes physical cards (e.g., credit, debit, gift) or virtual cards (e.g., Apple Pay, Google Pay).
  • Cardholder Data — A 16-digit (or 15-digit) credit card or debit card number (i.e., a primary account number or PAN). Cardholder Data may also consist of various other data elements, including the following, when used in combination with a 16-digit (or 15-digit) card number:
    • Cardholder name
    • Service code
    • Expiration date
    • Card Verification Data (CVD), which includes but is not limited to the Card Validation Code 2 (CVC2), Card Verification Value 2 (CVV2), Card Authentication Value 2 (CAV2) or Card Identification Number (CID) value
    • Personal Identification Number (PIN) or PIN block
    • Full contents of a card’s magnetic stripe or equivalent chip
  • Cardholder Data Environment — The people, processes and technology that store, process or transmit cardholder data, including any connected system components.
  • Information Security Office (ISO) — Collaborates with the campus community to protect the university from and respond to threats to electronic information resources and computing and networking infrastructure.
  • Merchant — Any university administrative or academic department that stores, processes or transmits cardholder data for and on behalf of the university. This includes departments that outsource storage, processing or transmission of cardholder data to a third-party service provider/contractor.
  • Merchant Acquiring Bank — A financial institution that maintains the university’s bank account and is contracted to process credit and debit card transactions.
  • Payment Card Industry Data Security Standards (PCI-DSS) — An information security standard for organizations that handle branded payment cards from the major card schemes. It is mandated by the card brands and administered by the Payment Card Industry Security Standards Council, and it increases controls around cardholder data in order to reduce card fraud.
  • PCI Scope — Any system, business unit or process that must comply with PCI-DSS, as determined in accordance with the PCI Security Standards Council's guidance.
  • Qualified Security Assessor (QSA) — A person certified by the PCI Security Standards Council to audit merchants for PCI-DSS compliance.
  • Third-party Service Provider/Contractor — An individual, entity or other organization contracted to perform work for or provide services to the university as a nonemployee and involving the storage, processing, transmission or otherwise affecting the security of Cardholder Data.

V. Policy Administration

Ownership and Oversight

The Treasurer’s Office, with support from ISO, is responsible for oversight of card acceptance practices. This includes continually enhancing the university-wide PCI-DSS compliance program, as well as documenting and disseminating policies, guidelines and procedures in support of PCI-DSS compliance and card processing security. ISO provides guidance on the technical security and PCI compliance of the existing card environment and of proposed changes to it, manages the university’s Qualified Security Assessor (QSA) assessment procedures, and maintains the templates, trainings and programs that support Merchants’ annual PCI compliance submissions. The Treasurer’s Office, with support from ISO, prepares and submits the university’s consolidated report on compliance to the Merchant Acquiring Bank.

Merchant Responsibilities

Merchants within the university who choose to accept payment cards must adhere to PCI-DSS standards and the policies, guidelines and procedures published by the Treasurer’s Office with support from ISO, and have the following responsibilities:

  • Understand and abide by payment card and PCI policies, guidelines and procedures.
  • Designate an internal person or team responsible for the effective implementation of this Policy in the assigned areas of responsibility.
  • Implement local procedures in accordance with this Policy and build security standards into day-to-day practices, including monitoring and securing any devices and systems that process payment cards and never sending Cardholder Data via email or instant messaging.
  • Complete annual compliance reporting activities in accordance with university-established time frames.
  • Designate employees or contractors to complete training within university-established time frames at least annually.
  • Prior to acquiring a new solution or entering into a contract with a third-party service provider/contractor for storing, transmitting or processing Cardholder Data for or on behalf of the university or otherwise affecting the security of such Cardholder Data, obtain approval from the Treasurer’s Office and ISO.
  • Manage ongoing compliance and reporting requirements of third-party service providers/contractors storing, transmitting or processing Cardholder Data for or on behalf of the university or otherwise affecting the security of such Cardholder Data.
  • Report actual or suspected breaches of Cardholder Data to ISO immediately. Beyond disconnecting a relevant system from the network, take no additional action related to an actual or suspected breach without consulting ISO.

Failure to adhere to this Policy may result in, among other things, loss of ability to accept card payments.

Fees and Costs

Each Merchant is generally responsible for the costs incurred by the university to process its credit or debit card transactions, plus setup fees, for any new merchant account.

Each department is responsible for any hardware, software, setup and/or maintenance costs required to keep its processing environment in compliance with PCI-DSS.

VI. Exceptions

Exceptions to this Policy must be approved by the Treasurer’s Office with support from ISO, in consultation with other university departments as necessary (and any such approval may be limited or precluded by applicable law or by contractual limitations).