PCI Management (Procedure #611.A)

Purpose of Procedure

The purpose of this document is to ensure appropriate management of Payment Card Industry (PCI) best practices at UW-Whitewater.

Responsible UW-Whitewater Officer

Controller

Definitions

PCI Security Incident: A violation or imminent threat of violation of PCI data confidentiality. Examples include the exposure of cardholder data to, or its theft by, unauthorized organizations or persons. The exposure could happen internal to the University or with a third-party processor.

Institutions: All four-year UW System campuses, UW Colleges, the University of Wisconsin-Extension, and UW System Administration.

Cardholder: The person to whom a payment card is issued or any individual authorized to use the payment card. 

Cardholder Data: At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as a part of a payment transaction.

Merchant Account: A bank account that enables the holder to accept credit cards for payment. 

Merchant Department: Any department or unit (which may be a group of departments or a subset of a department) that has been approved by a UW System institution to accept payment cards.

Payment Card: A financial transaction card (credit, debit, etc.) issued by a financial institution; also called a bankcard, payment card, charge card, credit card, or debit card.

Procedures

Best practices involve the implementation of preventative measures to secure systems and reduce the risk of incidents occurring. 

Specific Responsibilities

  1. The UW-Whitewater Instructional, Communication and Information Technology Department (iCIT) will evaluate current methodologies used to monitor systems for indicators of compromise. They will also review and evaluate tools and processes to improve threat prevention and detection. iCIT will leverage the Information Security Incident Response Procedure to implement improvements in vulnerability management, and incorporate improvements based on lessons learned from incident handling.  
  2. The Merchant Department is expected to:
    1. maintain a list of third-party processors used as part of its PCI transactions and document their procedures. 
    2. ensure contact information is up to date with the third-party processor for proper communications.
    3. monitor business and vendor information to identify potential risks.
    4. notify the Director of Financial Services of the potential incident. 

General Milestones for Prioritizing PCI Compliance Efforts

  1. Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember – if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don’t need it, don’t store it. 
  2. Protect systems and networks, and be prepared to respond to a system breach. This milestone targets controls for points of access to most compromises, and the processes for responding. 
  3. Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data. 
  4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment. 
  5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data. 
  6. Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements, and to finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment. 

Information Security Incident Response

  1. The Merchant Department and/or iCIT Help Desk will alert the Director of Financial Services of a potential incident.  
  2. The Director of Financial Services will notify the Associate Vice Chancellor for iCIT and the Vice Chancellor for Administrative Affairs of the potential incident. Consultation of the Information Security Incident Response Procedure will occur to manage the preparation, detection and analysis, containment, eradication and recovery, as well as necessary post-incident activity. 
  3. UW-W iCIT, Director of Financial Services, and the Merchant Department will discuss the appropriate response to the potential incident including further confirmation with third-party processors, additional internal testing, and communication with UW System AVP for Information Security.  
  4. The Merchant Department will: 
    1. collect all information received or publicly available about a third-party processor's potential incident, including email notifications, and store PDF copies of that information.
    2. collect all related communications.
    3. collect any subsequent testing and/or analysis related to the potential incident.
    4. maintain all information for a three-year period. 
  5. The iCIT Department will test the incident response procedure annually to evaluate and enhance response capabilities, as well as ensure this procedure stays in alignment with the Information Security Incident Response Procedure and the Payment Card Procedure. 

Procedure History

First approved: 2019