This policy provides requirements and guidance for all credit card processing activities for the Georgia Institute of Technology.
At this initial publication of this policy the following sources were consulted and provided the basis for this program: ISO 17799, Visa CISP, MasterCard SDP.
REVIEW Comment: This policy will be considered effective July 31st, 2003 based on the provisional approval of the Associate Vice President of Financial Services and the Associate Vice President of the Office of Information Technology. Final approval of this policy will be by the President of the Georgia Institute of Technology based on a review by the Information Security Policy Committee.
The approval process for all credit card processing activities:
The Associate Vice President of Financial Services or delegate must approve all credit card processing activities at the Georgia Institute of Technology prior to entering into any contracts or purchasing equipment. This requirement applies regardless of the transaction method used (e.g. online processing at Georgia Tech, outsourced to a third party, or swipe terminals).
All technology implementation associated with the credit card processing must be in accordance with the Credit Card Processing Procedures and approved by the Associate Vice President of Information Technology prior to entering into any contracts or purchasing equipment.
All credit card numbers must be handled in accordance with the Data Access Policy requirements for category 4 data. Please contact OIT Information Security for assistance with interpretation and implementation. However, instances of P-card numbers or corporate card numbers where 4 or fewer digits are functionally present may be handled as category 3 data. Any conflicts between the requirements of the Data Access Policy and the Credit Card Processing Procedures will be resolved in favor of the Credit Card Processing Procedures.
Units approved for credit card processing activities must maintain the following standards:
Provide appropriate training to all employees handling systems with credit card numbers including both personnel within the unit handling the credit card transactions and appropriate personnel in the Office of Information Technology
Create, maintain and test annually business continuity/disaster recovery plans and system compromise response plans.
All outsourcing agreements must meet the standards set forth in the Credit Card Processing Procedures.
All servers storing or processing credit card numbers will be housed with the Office of Information Technology. All servers and POS Terminals will be administered in accordance with the requirements of the Credit Card Processing Procedures.
Credit card numbers will be retained for a maximum of 90 days. The only exception is transactions for future events, which may be retained up to 180 days from the transaction date. All media used for credit card numbers must be destroyed when retired from this use. All hardcopy must be shredded by at least a cross-cut shredder prior to disposal.
Access to credit card numbers must be restricted to the minimum number of people possible. No employee may have access to credit card numbers until he or she has attended the Credit Card Processing Policy Training and has tendered written acknowledgement of receipt of a copy of this policy, the Credit Card Processing Procedures and other appropriate policies (e.g., CNUP, Data Access Policy, Service Certification Process and Procedure, and unit level security policy). After completion of these requirements, the unit head may issue, in writing, authorization for the employee's access. No employee will have access to credit card numbers without such written authorization.
Each unit responsible for credit card processing must complete audits quarterly on all systems storing or processing credit card numbers to ensure compliance with this policy and the associated procedures. The Office of Information Technology will participate in these audits. Annual audits must be performed by Office of Information Technology Information Security to confirm the results of the quarterly audits.
All computers handling, processing, or storing credit card numbers must be registered in accordance with the revised Computer and Network Usage Policy.
All academic units, administrative units, organizations, and employees of the Georgia Institute of Technology, or that use systems or networks supported by the Georgia Institute of Technology, must abide by this policy.
This policy specifically addresses all credit card processing by the Georgia Institute of Technology. All POS terminals handling credit card numbers (in full or truncated) and all servers receiving, storing, or transmitting credit card numbers (in full or truncated) are subject to this policy. An exemption is provided for P-card numbers provided the credit card number is functionally truncated to four digits or fewer.
The computer hosting the application that the general end-user or the point-of-sale (POS) terminal connects to
Category III Data Sensitive
This information is considered private and should be guarded from disclosure. However, public disclosure of this information due to a system compromise generally does not result in financial fraud or violation of State and/or Federal law. Examples include intellectual property information, private directory listings, and contract negotiations.
Category IV Data Highly Sensitive
Any disclosure of this information, intentional or otherwise, may contribute to financial fraud and/or violate State and/or Federal law. Examples include Social Security numbers, credit card numbers, financial institution account numbers, and employee and student health records.
Cardholder Information Security Program (CISP)
The formal data protection program mandated by Visa
Card Verification Value 2 (CVV2)
An additional verification code used in transaction processing
Credit Card Number
Any part or all of the unique number identifying the account for a financial transaction
The computer storing the sales and/or credit card numbers
Any internet-enabled financial transaction application, whether a buying application or selling application
Any employee (as defined by the Employee Handbook), faculty, student employee, or contractor employed by a third party and providing services to the Georgia Institute of Technology
Scrambling data in a recoverable format
A network device or host-based software implementation designed to restrict network access to a computer
Scrambling data in an unrecoverable but verifiable format
Intrusion Detection System (IDS)
A network monitoring device for recognition of attempts to compromise monitored systems
The International Standards Organization document defining computer security standards. The credit card vendors may have based their policies on this standard.
Point-of-Sale (POS) computer terminals either running as standalone systems or connecting to a server either at the Georgia Institute of Technology or remotely off site
Purchase Cards (P-Cards)
Credit cards obtained by Georgia Tech through a customer agreement with a bank for procurement purposes.
Site Data Protection Program (SDP)
The formal data protection program mandated by MasterCard
POS credit card terminals
Authentication requiring two different methods confirming identity typically based on something the user has (e.g. a card, a key, a fingerprint) and something the user knows (e.g. a password)
The design, development, implementation and management of the "front-end" of the eCommerce application
These procedures are required in direct support of the Georgia Institute of Technology Credit Card Processing Policy and were included in the original approval of the policy. This document sets forth the technical details and procedural requirements for implementing credit card processing at the Georgia Institute of Technology or outsourcing that processing to a third party. The procedures' scope, revisions, exceptions, and compliance are noted in the Credit Card Processing Policy.
The procedures are separated into the following general areas of interest:
Computer system security requirements
All computers handling credit card numbers must have the following in place:
Connectivity security requirements
All computers handling credit card numbers must have the following provisions in place for network and modem connectivity:
Credit card number storage requirements
Credit card numbers must be protected by encryption, hashing, or truncation. No complete credit card numbers will be stored on computers owned by the Georgia Institute of Technology in an unprotected manner. Standard encryption algorithms must use at least a 128-bit key. Minimum key lengths will be increased as computing processing power improves. Minimum key lengths for new encryption technologies must be provided with these guidelines prior to implementation. Keys must be in a single accessible location with back-ups. Keys must be changed every 90 days and old keys must be deleted/destroyed after an additional 30 days.
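As an added illustration that is not part of the policy or the Credit Card Processing Procedures, the following Python sketch turns the storage rules above (truncation, hashing, 90-day key change with 30-day destruction grace) and the earlier retention limits (90 days, 180 days for future events) and category 3/4 distinction (four or fewer functional digits) into checks a unit could run during its quarterly audit. HMAC-SHA256 is an assumed choice of hash, since the policy names no algorithm, and the key and card number values are constructed samples.

```python
import hashlib
import hmac
import re
from datetime import date

# Thresholds taken from the policy text; the code around them is illustrative.
KEY_ROTATION_DAYS = 90       # keys must be changed every 90 days
KEY_DESTROY_GRACE_DAYS = 30  # old keys destroyed after an additional 30 days
RETENTION_DAYS = 90          # card numbers kept at most 90 days
RETENTION_DAYS_FUTURE = 180  # 180 days for future-event transactions
CAT3_MAX_DIGITS = 4          # <= 4 functional digits may be category 3 data

def _digits(pan: str) -> str:
    """Strip spaces and dashes so formatting does not affect the checks."""
    return re.sub(r"\D", "", pan)

def truncate_pan(pan: str, keep: int = 4) -> str:
    """Truncation: keep only the last `keep` digits and mask the rest with X."""
    d = _digits(pan)
    return "X" * (len(d) - keep) + d[-keep:]

def data_category(value: str) -> int:
    """Category 3 if four or fewer digits are functionally present, else category 4."""
    return 3 if len(_digits(value)) <= CAT3_MAX_DIGITS else 4

def hash_pan(pan: str, key: bytes) -> str:
    """Hashing: unrecoverable but verifiable. HMAC-SHA256 is an assumed
    algorithm choice; the policy itself names none."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()

def verify_pan(pan: str, key: bytes, digest: str) -> bool:
    """Constant-time comparison of a presented card number against a stored hash."""
    return hmac.compare_digest(hash_pan(pan, key), digest)

def key_status(created: date, today: date) -> str:
    """'active' (< 90 days old), 'retire' (must already be replaced; may be kept
    up to 30 more days), or 'destroy' (120 days or older)."""
    age = (today - created).days
    if age < KEY_ROTATION_DAYS:
        return "active"
    if age < KEY_ROTATION_DAYS + KEY_DESTROY_GRACE_DAYS:
        return "retire"
    return "destroy"

def retention_ok(stored_on: date, today: date, future_event: bool = False) -> bool:
    """Is a stored card number still inside its permitted retention window?"""
    limit = RETENTION_DAYS_FUTURE if future_event else RETENTION_DAYS
    return (today - stored_on).days <= limit
```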
The following additional requirements apply to computers storing credit card numbers and network connectivity beyond those noted in "Computer System Requirements" and "Connectivity Security Requirements":
Physical security requirements
All servers storing credit card numbers must have the following provisions in place:
Any unit may select to outsource their credit card transaction processing. This option transfers the risk to the outsourced service. Approval for credit card transaction processing must follow the standard approval process. Contracts must address these elements:
Review process of credit card transaction processing request
Upon approval, this policy shall be published on the Georgia Tech Office of Information Technology website under policies, and on the Business Office web site. The following offices and individuals shall be notified via email and/or in writing upon approval of the policy and upon any subsequent revisions or amendments made to the original document:
Revisions and Exceptions
This policy may be revised only by signature by the President of the Georgia Institute of Technology.
The Associate Vice President of Financial Services and the Associate Vice President of Information Technology may grant exceptions to this policy or revise the Credit Card Processing Procedures document by mutual agreement. Either the Associate Vice President of Financial Services or the Associate Vice President of Information Technology may grant exceptions to the Credit Card Processing Procedures.
Failure to comply with this policy and the associated required procedures by employees will be deemed a violation of Institute policy and subject to personnel action up to and including termination as noted in the Employee Handbook and/or the Faculty Handbook. Technology that does not comply with this policy and the associated required procedures is subject to disconnection of network services or confiscation of equipment pending review and approval of processes, procedures, and/or equipment.