POLICY STATEMENT / PURPOSE OF PROCEDURE
The purpose of this policy is to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS) at Missouri Valley College as a payment card accepting merchant.
MVC Employees are strictly prohibited from storing, charging, processing, copying, or otherwise transmitting any data related to debit or credit cards, unless it is within the following capacities:
- Using the self-service portal as the primary and preferred option for students and other stakeholders to make payments. The portal utilizes a PCI compliant gateway to process transactions.
- When absolutely necessary to take payments over the phone, the employee must be using the IP phone assigned to them by ITS, disable any call recordings, and fully process the transaction while the customer is still on the line. Employees must not process transactions using a cell phone, or take note of card information to process at a later time.
- Employees must only process transactions using a secure environment. This is limited to SSL/TLS encrypted self-service applications, or secure PCI compliant terminals.
Employees must reject credit/debit card numbers sent to them via email, text message, or any other digital form of communication. Likewise, paperforms containing card holder or payment card data are to be rejected.
Data Access (PCI 7.1.2):
Employee access to data will be strictly restricted to the minimum data elements required to fulfill their job duties. Requests for escalating data access will be reviewed by the employee’s direct supervisor and the Information Technology Services department. Unreasonable or unnecessary requests will be denied.
Business continuity and Backup procedures:
MVC does not store payment card data on any of its servers. All PCI related information is stored in cloud servers provided by our PCI compliant payment gateway. Their PCI compliance is reviewed annually by ITS. All other college systems are backed up daily (full) and hourly (differential ) depending on the critical nature of each system. Back ups are stored in secure on and off-site locations.
Two Factor Authentication:
Staff members are required to have two-factor authentication enabled on their MVC accounts. Two-factor authentication is also required for their accounts on our payment processing portal (Braintree).
Employee Account Termination:
Staff members that process credit card transactions will have their access to payment systems revoked at midnight of the termination date set forth by their supervisor. They will retain access to email according to The College’s account deletion policy.
Data breaches and compromised accounts:
If a data breach occurs, ITS will notify all involved parties upon detailed analysis of the incident. Depending on the scope of the breach, ITS will conduct an investigation and will collaborate with the appropriate authorities in accordance with State and Federal Laws.
Vendors operating on the Missouri Valley College campus are responsible to process transactions using a PCI compliant gateway, PCI Compliant hardware, or partner with MVC to utilize the College’s secure payment gateway system.
Violation of this policy, other concerns, and unforeseen incidents will be investigated by Information Technology Services. Appropriate action will be determined in collaboration with the College’s leadership team.
This policy will be reviewed by the President’s Cabinet annually.