212 Bankcard Information Security Requirements
SUBJECT: BANKCARD INFORMATION SECURITY REQUIREMENTS
AUTHORIZING BODY: VICE PRESIDENT FOR FINANCE & ADMINISTRATION
RESPONSIBLE OFFICE: CONTROLLER'S OFFICE AND UNIVERSITY TECHNOLOGY SERVICES
DATE ISSUED: JULY 2005
LAST UPDATE: SEPTEMBER 2006
RATIONALE: Oakland University (“University”) is subject to rules, regulations, and contractual provisions regarding the handling of Bankcards and Cardholder Information, as those terms are defined below. This Policy provides mandatory security measures and procedures for University Departments accepting Bankcards for payment (“Departments”).
POLICY: Departments must adhere to federal regulations and the following security measures and University procedures to maintain security of Bankcards and Cardholder Information. Failure to comply may subject the University to severe penalties.
SCOPE AND APPLICABILITY:
2. Network and Systems
Any computing or information technology device, server, desktop computer, or other system used to process, transmit or store Cardholder Information (“Bankcard System”) must be installed and verified by UTS. A Bankcard System must be protected by a firewall installed and maintained by UTS. UTS will perform a complete network and systems review for verification of Cardholder Information security prior to any Bankcard System being used to process, transmit or store Cardholder Information. Before implementing any changes to a Bankcard System, UTS must authorize, formally document, plan and log the changes.
All but the last four digits of the Bankcard account number must be masked or black-lined whenever any other Cardholder Information is displayed, regardless of whether such information appears on paper, fax, email, computer display, log files or otherwise. Bankcard account numbers must not be transmitted via email.
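The masking rule above is easy to state and easy to get wrong in practice, especially in log files where an account number may appear inside free text with spaces or dashes. The following Python is an added example, not part of OU AP&P #212 or any University code: it locates candidate account numbers in text (assumed to be 13 to 19 digits, optionally separated by spaces or dashes), uses the Luhn check to reduce false positives such as order or invoice numbers, and masks every digit except the last four with a fill character (the "X" fill and the regular expression are this example's own choices). The sample inputs are constructed.

```python
"""PAN masking for displays and log lines.

Added example (not part of the policy or any University system). It
implements the "all but the last four digits" rule on text that may contain
a Bankcard account number. The candidate pattern (13-19 digits, optional
space/dash separators), the Luhn filter and the "X" fill are assumptions
made for this example; the sample strings are constructed.
"""
import re

# Candidate account numbers: 13-19 digits, optionally separated by a single
# space or dash between digits. Lookarounds stop a longer digit run (for
# example a 20-digit reference) from being partially matched.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 4, fill: str = "X") -> str:
    """Mask all but the last `keep` digits of a PAN, preserving separators."""
    digit_positions = [i for i, ch in enumerate(pan) if ch.isdigit()]
    to_mask = set(digit_positions[:-keep]) if keep else set(digit_positions)
    return "".join(fill if i in to_mask else ch for i, ch in enumerate(pan))


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid, PAN-shaped number in `text` with its masked form.

    Numbers that fail the Luhn check are left untouched on the assumption that
    they are not account numbers (order IDs, timestamps, phone numbers).
    """
    def _sub(match: "re.Match[str]") -> str:
        candidate = match.group(0)
        digits = re.sub(r"[ -]", "", candidate)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(candidate)
        return candidate

    return _PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed log line using the well-known Visa test PAN 4111111111111111.
    line = "2006-09-01 POS terminal 3: card 4111 1111 1111 1111 approved, order 4111111111111112"
    print(redact_pans(line))
```

Choosing to leave Luhn-invalid numbers alone keeps the redactor from mangling unrelated identifiers, but it also means a mistyped or deliberately altered account number is not masked; a stricter deployment for log files would mask every candidate regardless of the check.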
4. Application and Web Development
All software application and web development involving the storage, processing or handling of Cardholder Information must follow a defined software development life cycle and commonly accepted security guidelines, such as those of the Open Web Application Security Project (OWASP), and must be approved by UTS prior to launch, implementation, deployment or use.
Access to a Bankcard System must be protected by secure log-in and password, and must be restricted to those with a need to know. Departments that accept Bankcard payments electronically (including without limitation, via personal computer, Internet or voice response) must also follow OU AP&P #860 Information Security. Authorization for Departments to accept Bankcard payments must be obtained in advance of process creation from the Controller’s Office (Student Business Services) for point of sale processing, and from UTS for electronic processing.
When receipts, paper and other hard copies of Bankcard information or Cardholder Information are disposed of, they must be shredded using a cross cut/confetti shredder, or a bonded, secure data disposal service.
7. Security Incidents
Any release or exposure of Cardholder Information to an unauthorized third party, or unauthorized access to a Bankcard System must be reported to the Office of Risk Management. If a Bankcard System was involved in such exposure, release or unauthorized access, notification must also go to UTS. An emergency response plan will be implemented as necessary.
8. Cardholder Information Security Program
The University participates in and complies with the standards set forth by the Visa U.S.A. Cardholder Information Security Program (“CISP”). CISP requires annual validation that the University operates within its compliance standards. Departments must facilitate the validation process by providing, in a timely manner, accurate information requested by UTS.
9. Any questions regarding compliance with this OU AP&P #212 Bankcard Information Security Requirements should be directed to the Controller’s Office, Student Business Services or University Technology Services.
RELATED POLICIES AND FORMS: