PCI Credit Card Compliance Policy
Due to the increased threat of identity theft, fraudulent credit card activity and other instances where cardholder information has been compromised, the credit card associations (Visa, MasterCard, etc.) have mandated compliance with Payment Card Industry (PCI) data security standards for any merchant or service provider that “transmits, stores, or processes” cardholder information. This compliance requires that each merchant be certified to be in compliance with PCI in order to accept credit cards. Each merchant will receive a compliance certificate once they have completed and passed the following requirements:
- The completion of an annual questionnaire provided online by a certified vendor of MasterCard and Visa. This questionnaire provides a means for assessing an enterprise’s compliance with PCI standards.
- Monthly remote network vulnerability scans of all outward-facing IP addresses on the same subnet as the computers handling credit cards (for e-commerce merchants, or for terminal merchants that use IP-based rather than dial-up terminals).
All UIS businesses that accept credit cards as payment for products and services must be compliant with all policies as outlined in the Harvard University Credit Card Merchant Handbook and are required to pass an audit of their internal systems and processes. Below are the UIS specific policies and procedures related to compliance with PCI standards.
Technology Services processes credit card transactions through a variety of credit card paths. Below is a description of each of these paths.
Prior to the implementation of the CounterPoint point-of-sale system and the Technology Services Web Form, UIS utilized credit card terminals to transact with customers with credit cards. UIS ceased using all credit card terminals in January 2007.
This process is used when the sales order transaction is initiated on the Technology Services Website. There is no credit card transaction entered into the CounterPoint POS System. CyberSource is not connected to CounterPoint. The credit card number is entered manually through the CyberSource web-based system by the web customer and is immediately processed by CyberSource. Once the credit card number is entered by the web customer and accepted, there is no credit card information stored by Technology Services. CyberSource returns an authorization number only.
All Repairs services and Software Licensing credit card transactions are entered directly into CyberSource by customer service representatives.
Daily, the Technology Services Administrators review the physical invoices for all CyberSource transactions. The Technology Services Administrators log into CyberSource and settle each invoice by matching the web order number, confirming the invoice amount and proper authorization. Once this manual settlement process has occurred, the customer’s credit card is then charged.
Every two days, the Technology Services Administrators run reporting from both the CounterPoint billing system and CyberSource for any unsettled web orders. The Technology Services Administrator then cross-checks both systems to determine that the product has been invoiced and the CyberSource transaction has been settled. Any transactions which require further follow-up are then brought to the Technology Services Manager’s attention for assistance in resolution. Additionally, the cash accounting assistant runs a daily invoice register from CounterPoint and confirms against the CyberSource settlement report that each credit card transaction has been completed.
This process is used for Telesales and Over-the-Counter sales transactions through the CounterPoint POS System. CounterPoint Gateway processes the credit card number through Vital (credit card processor) for authorization. Encrypted credit card numbers may remain in the CounterPoint system for 1-3 days.
Web orders are entered by the customer into the web form, which resides on the Harvard credit card server. The credit card number is sent to CyberSource for authorization. CyberSource authorizes the transaction and returns an authorization number to the Harvard credit card server. No credit card numbers are transmitted from CyberSource or stored in CounterPoint.
Below are the verification procedures followed by Technology Services staff when accepting credit cards.
- Over-the-Counter orders: Customer must first provide a valid Harvard ID with a name matching the credit card name
- Web orders: Customer must log in using HUID/PIN authentication, with a matching credit card name
- Telesales orders: Customer’s Harvard ID is logged into the order transaction with the credit card name
The University archivist has advised UIS that paper documentation (e.g. copies of credit card purchases and daily credit card terminal summary tapes which may include credit card #s) that contain sales tax payment information must be retained for a minimum of four years as outlined by the Massachusetts Department of Revenue for the purposes of providing appropriate documentation in the event of an audit. All documentation is stored in a padlocked file cabinet and in a locked room within a secure UIS facility. Access to these files is restricted to the UIS Accounting Manager.
At the end of each fiscal year, all documentation older than four years is disposed of using the University approved shredding company. The Accounting Manager along with the facilities manager witnesses the transfer of all documents to the shredding company. UIS ceased using credit card terminals that display card information in January 2007. Therefore, document retention of this information will no longer be a requirement after fiscal year 2011.
Before settlement, all credit card data is encrypted to meet VISA’s CISP standard, and when displayed, the card number is masked to show only the first 6 and last 4 digits, i.e., 532905******4784.
After settlement (1-3 days), the only information retained is the first 6 and last 4 digits, which is the industry standard to facilitate an offsetting transaction (e.g. returns, credits, exchanges, etc.). All stored credit card data is encrypted. A program runs nightly that automatically purges all numbers once they are more than 30 days old.
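The masking and retention rules above, as an added example that is not part of the UIS policy or of CounterPoint: it keeps only the first 6 and last 4 digits (the most PCI DSS allows to be displayed), rejects malformed input instead of half-masking it, and applies the 30-day purge from the transaction date. The record layout, function names and sample orders are assumptions.

```python
"""Added example (not from the UIS policy): PAN masking in the
532905******4784 form plus the nightly 30-day purge. Record layout,
function names and sample data are constructed assumptions."""
import re
from datetime import date, timedelta

# PCI DSS permits displaying at most the first six (BIN) and last four digits.
KEEP_LEADING, KEEP_TRAILING = 6, 4


def mask_pan(pan: str) -> str:
    """Return the PAN masked as 532905******4784 (first 6 + last 4 kept).

    Spaces and dashes are stripped first. PANs are 13-19 digits; anything
    else raises instead of producing a partially masked value.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a valid PAN")
    hidden = len(digits) - KEEP_LEADING - KEEP_TRAILING
    return digits[:KEEP_LEADING] + "*" * hidden + digits[-KEEP_TRAILING:]


def settle(record: dict) -> dict:
    """After settlement only the masked form is kept (enough for returns)."""
    settled = dict(record)
    settled["pan"] = mask_pan(record["pan"])
    settled["settled"] = True
    return settled


def purge_expired(records: list, today: str, max_age_days: int = 30) -> list:
    """Drop every record whose transaction date is more than max_age_days old.

    Dates are ISO strings (YYYY-MM-DD). The clock runs from the transaction
    date, so a record exactly max_age_days old is still kept.
    """
    cutoff = date.fromisoformat(today) - timedelta(days=max_age_days)
    return [r for r in records if date.fromisoformat(r["tx_date"]) >= cutoff]


# Constructed sample records (test-style card numbers, not real accounts).
SAMPLE = [
    {"order": "W1001", "pan": "5329 0512 3456 4784", "tx_date": "2007-03-01"},
    {"order": "W1002", "pan": "4111-1111-1111-1111", "tx_date": "2007-03-20"},
]

if __name__ == "__main__":
    settled = [settle(r) for r in SAMPLE]
    for r in settled:
        print(r["order"], r["pan"])
    kept = purge_expired(settled, today="2007-04-05")
    print(len(kept), "record(s) kept after purge")
```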
CounterPoint Version Update Process
The Technology Services management team initiates and approves all upgrades/changes to the CounterPoint POS System. Below are the procedures followed when a change, patch or upgrade is made to the CounterPoint POS System.
- Vendor upgrades are processed using the guidelines in the CounterPoint procedures document located under the CounterPoint application “Help” button. This document includes procedures to: complete pre-installation steps, test database constraints, test all database entry fields, replace/update, remove historical data as needed, review custom modifications, process/backup outstanding CP online data, remote and offline databases, back up data, update the registration file, update CounterPoint SQL, and follow procedures for post-installation steps.
- Bouchard Associates (CounterPoint vendor) will not initiate any actions without prior consent from Technology Services.
- Vendor makes all changes in a test environment prior to live implementation.
- Technology Services tests all changes and upgrades using the "CounterPoint SQL Fundamentals" documentation located under the CounterPoint application “Help” button. This document includes the following: overview, defining items & customers, point of sale and inventory processing, purchasing and receiving, receivables, and sales history reports.
- The testing process list consists of but is not restricted to the following categories. Each of these processes is followed through in detail in the test environment to ensure that the expected functionality exists.
- Order Entry process
- Inventory process
- Payment process: Credit Card, PO, billing code, Cash, Web (CyberSource)
- Customer billing information
- Transaction and credit card posting
- Invoice process
- Purchase Order creation/receipt
- Return to Vendor Transactions
- Shipping/Receiving
- Transfers
- Prior to moving the test environment into production, all changes must be reviewed and approved by the Manager of Systems and Applications and the Manager of Operations.
The policies, processes and procedures for web site change management are documented in the following Web Site Development Services (WDS) documents:
- WDS Customer Contract – Includes requirements for initiating a project or requesting upgrades
- WDS Service Level Agreement (SLA) - Includes the process for communicating website changes or content changes and tracking
- WDS Project Management Guidelines – Is based on IBM’s Rational Unified Process (an industry standard) and includes multiple reviews of requirements, code and deployment.
- WDS Change Control Guidelines – Outlines the process for changes initiated mid-way through a project, and provides guidelines for requirements, design, code, and deployment.
Functional Changes
Below are the procedures followed by Technology Services for functional changes to the Technology Services web site that would have an impact on the operation of the web site:
- Technology Services managers* meet with Web Site Development Services (WDS) representatives to review ideas for the site changes
- Functional changes to be made, which would include how an online order is to be processed, how the order information is to be entered by the customer on the online order form, the shopping cart structure, etc., are first discussed internally by the management team. The Web Site “Change Request Information” form is filled out.
- Changes on the change form are reviewed and discussed with WDS. Agreed upon changes are posted to a “staging” site and Technology Services management reviews and tests the functionality of the site.
- If additional changes are identified after the staging site has been reviewed by Technology Services managers, these change requests are added to the change form and submitted to WDS via email or in person
- WDS then posts the 2nd draft onto the staging site
- Technology Services managers view the staging site, test the operation of the site and approve/disapprove changes. If approved, the “Change Request Information” form is signed by a Technology Services manager indicating authorization and forwarded to WDS.
- WDS moves site from staging to live once approval is received by Technology Services managers
*Managers include Karen Hurst, Tod Hadley, Colleen Warshafsky, May Woo
Non-Functional Changes
Below are the procedures followed by Technology Services for non-functional changes to the Technology Services website that do not have an impact on the operation of the site. These non-functional changes include those made to product information, pricing, text/content, images, news items, and specials.
- Technology Services staff* submits a Remedy ticket to WDS outlining the change requests or makes the changes directly using the tools provided by WDS. All information is written and reviewed by staff internally prior to submitting via Remedy and prior to posting.
- WDS makes the changes directly to the site and sends a confirmation of change via email when the changes are complete
- When email confirmation is received stating that changes have been posted, Technology Services staff visits the site to review accuracy of changes
- If additional changes are required WDS is contacted again via email, phone or Remedy ticket
*Colleen Warshafsky, Manager and Andree Mendes, Coordinator
Back-out Procedures
WDS and/or DLS staff are available 24/7 and would be contacted by Technology Services managers during business and non-business hours to request that the site be disabled.
If a potential credit card security breach is detected, the procedures outlined in the Harvard Credit Card Merchant Handbook are followed. Below are the requirements from the Credit Card Merchant Handbook, with the Technology Services procedures used to ensure compliance indented beneath each requirement.
- Technology Services staff are alerted to potential breaches and regularly monitor system logs for:
  - Suspicious behavior (e.g. name on Harvard ID does not match credit card name)
  - Unusual incidents in audit logs
    - All user activity is logged upon entry to CounterPoint
    - If a user enters a secured area, a separate log is automatically created by CounterPoint, which is reviewed by the Manager of Systems and Applications
    - CyberSource credit card transactions from the web are cross-referenced to the web order prior to CyberSource settlement
  - User or anonymous reports of problems
  - Unauthorized security configuration changes
    - Requires administrative login privileges
  - Unusual traffic or activity
    - Daily sales history, ticket history, credit card settlements and drawer summary are logged, reported and reviewed by the Technology Services Manager and Accounting Manager
    - Cash and credit card reconciliation is matched to transactions daily; the drawer cannot be accessed until reconciled
  - Lapsed physical security
  - Sensitive information in the wrong place or hands
  - User complaint which triggers an investigation
  - Loss or theft of a computer or backup media
    - Data is password protected; no auto-login password is permitted
    - Back-up media is maintained in a secure onsite/offsite facility
- If any of the problems stated above occur, staff are instructed to follow the procedures below
- Technology Services staff (with the assistance of Desktop and LAN Support) will immediately take the appropriate measures to contain and limit the exposure, including:
  - Logging all actions taken
  - Not accessing or altering compromised systems
  - Not turning the compromised machine off; instead isolating compromised machines from the network (i.e., unplug the network cable)
  - Preserving all available logs (firewall, IDS, web server, operating system, remote access, etc.) that could be used to help identify the source and extent of the attack
  - If using a wireless network, changing the SSID on the AP and on other machines that may be using this connection, with the exception of any systems believed to be compromised
  - Being on high alert and monitoring other systems that accept, store or process credit card account numbers, as well as any other computers on which users of the breached computer have accounts (too often the same password is used)
- UIS Desktop and LAN Support will contact Cash Management immediately to report that a breach or suspected breach has occurred or is in progress. (See PCI Security Breach procedures in the Harvard Credit Card Merchants Handbook).
- UIS staff will work with PCI Incident Response Team (PIRT) to investigate the breach and repair the systems.
- UIS staff will identify what account numbers or other personal information (PI) may have been compromised.
- UIS staff will work with UTSO, RMAS and OGC to determine if notification should be sent to individuals affected by the incident.
- Compromised systems will not be put back into production or connected to the Internet until the PIRT gives its consent.
- If notifications are to be sent, UIS staff will work with Cash Management and OGC on content of notification. Cost of sending notifications is responsibility of the Merchant (i.e. UIS).
Harvard vendors dealing with Harvard confidential information must have a written contract covering their services. Such contracts must include specific riders requiring the vendor to protect the data. The security design, policies and procedures of some vendors must be reviewed by the Harvard Technology Security Officer and/or Harvard Risk Management and Audit Services. The contract rider requirements to protect credit card information and the rider for protecting Harvard confidential information, can be obtained by going to www.security.harvard.edu, under the "Working with Vendors" section.
Technology Services currently has one consultant supporting the CounterPoint POS system. The contract for that consultant was updated and signed on January 15, 2007. The contract is on file at 1230 Soldiers Field Road.
The following positions have access to the systems used to process credit card information. Each position's privileges related to credit card processing are outlined below:
CyberSource
Customer Service Representative – This position can enter individual credit card numbers but cannot view previously entered information in CyberSource.
Technology Services Manager – This position can enter individual credit card numbers but cannot view previously entered information in CyberSource.
Technology Service Administrators (Purchasing, Supervisor) – This position can view the bank identifier and last four digits of the credit card number.
BAMS (Bank of America Merchant Services)
Accounting Manager – This position can view encrypted credit card numbers.
Sr. Financial Applications Analyst – This position can view encrypted credit card numbers.
CounterPoint
Customer Service Representative – This position can enter credit card numbers.
Technology Services Manager – This position can enter credit card numbers.
Technology Service Administrators (Warehouse, Purchasing, Supervisor, Service Technician) – This position can view the bank identifier and last four digits of the credit card number.
Accounting Manager – This position can view encrypted credit card numbers.
Cash Accounting Assistant – This position can view encrypted credit card numbers.
Manager of Systems and Applications – This position can view encrypted credit card numbers.
Financial Partner – This position can view encrypted credit card numbers.
CounterPoint Consultant (Joe Bouchard Associates, Inc.) – This position can view encrypted credit card numbers.
Employees who are involved in credit card or cash handling processes will receive copies of the UIS Cash and Credit Handling Policy and the PCI Credit Card Compliance Policy, both of which reference the Cash Management web site containing University policies including the Harvard University Credit Card Merchant Handbook. Annually, management will require employees to sign an Employee Acknowledgement Form stating that they have read and understand these policies and practices and that they will comply with them. As part of the business unit’s process, UIS management will send the signed acknowledgement forms to UCIO Human Resources and request that they be maintained in the employee’s individual personnel file. It is UIS management’s responsibility to maintain a list of all active employees that they have identified as having cash handling or credit card responsibilities. It is also UIS management’s responsibility to have procedures in place that ensure the annual review and signing of the acknowledgement forms by employees is timely.
All new employees and transfers into positions that have access to sensitive credit card information will be subject to background checks through the University background check program. Because no current employee will have access to more than one card number at a time, they are exempted from this requirement. Below is the list of positions within UIS that have access to sensitive credit card information and are therefore subject to background checks:
Customer Service Representatives
Technology Services Managers
Technology Services Administrators (Warehouse, Purchasing, Supervisor, Service Technician)
Accounting Manager
Cash Accounting Assistant
Manager of Systems and Applications
Financial Partner
Sr. Financial Applications Analyst
On an annual basis (usually in February), the Technology Services Manager of Administration offers the Credit Card Policies, Procedures and Practices training class. Training is focused on education in local and University-wide policies regarding the proper handling of credit card transactions and on PCI compliance. This class is mandatory for all of the roles identified above.
Reconciliations
There are two reconciliations, CyberSource and CounterPoint, that take place regarding UIS credit card processing. For transactions that are processed through CyberSource, Technology Product Center personnel print the CyberSource Transaction Detail Invoice, the CounterPoint Point of Sale Invoice, and the CyberSource Payment Batch Detail Report. This report and the invoices are sent to the UIS Accounting Office, where the Accounting Assistant checks the CyberSource Transaction Detail Invoice and the CounterPoint Invoice against the CyberSource Payment Batch Detail Report. Any discrepancies are referred back to the sales representative for resolution. The CyberSource Payment Batch Detail Report is used for UIS’s bank deposit backup and is submitted to Cash Receipts along with the Massachusetts Taxable Sales Deposit Form for data entry into the general ledger.
For transactions that are processed directly through the CounterPoint Point-of-Sale System, the Technology Product Center (TPC) sales representatives forward copies of the CounterPoint invoices to the Accounting Office. The Accounting Assistant prints the Batch Settlement History Report, which gives the total daily credit card activity. The Batch Settlement History Report is used for UIS’s bank deposit backup and is submitted to Cash Receipts along with the Massachusetts Taxable Sales Deposit Form for data entry into the general ledger.
The Accounting Assistant checks all credit card payments to the CounterPoint Invoice Register Report. On a monthly basis the UIS staff accountant reconciles the Massachusetts Taxable Sales Deposits to the Bank of America Merchant Statement. Cash Management is responsible for reconciling the bank statement.
Chargebacks
UIS receives from Bank of America Merchant Services a notice of Retrieval Request for a copy of the sales draft. The UIS Accounting Assistant researches the sales draft by sales date and then matches the amount, and the last four digits of the credit card number to the Retrieval Request. Once the customer is identified the Accounting Assistant will contact the customer to discuss the Retrieval Request and agree upon a plan for resolution. UIS forwards the appropriate documentation to Merchant Services within the established time frame. All customer credits to be issued will be processed by UIS and Merchant Services will be notified of the action. No refunds are ever issued without UIS investigating the Retrieval Request.
Should you have any questions or concerns, please contact Dave Murphy in the UIS Accounting Office at 617-495-1836.