Administrative and Business Practices
Payment Card Industry Data Security Standards
The university is committed to compliance with the Payment Card Industry Data Security Standard (PCI-DSS), an industry security standard adopted internationally by the major credit card brands (e.g., Visa, MasterCard, Discover, and American Express) to protect credit card data, regardless of where that data is processed or stored (PCI Standard).
Roles and Responsibilities
Office of Treasury Services: Treasury Services is responsible for implementation and oversight of this policy and general compliance with the PCI Standard. Treasury Services' responsibilities include:
- Establishing and closing merchant accounts, which are a type of bank account that allows businesses to accept payments by debit or credit cards;
- Establishing and maintaining relationships with the credit card payment processing providers and issuing banks;
- Approving any Point of Sale (POS) system to be used within the university;
- Defining the methods of transacting online payments on behalf of the university;
- Engaging a PCI Qualified Security Assessor, in consultation with Audit Services, Compliance and General Counsel;
- Maintaining an inventory of all USC schools and departments that process credit card transactions using a USC approved merchant account;
- Coordinating with ITS Systems Security, as necessary, to review network segmentation configurations and other technical safeguards;
- Coordinating with the Office of Compliance and/or Audit Services to monitor and audit compliance with this policy;
- Enforcing this policy and the PCI Standard, including immediate suspension or termination of the ability to process or store credit cards if a school or department fails to comply with this policy or the PCI Standard; and
- Other duties related to PCI Compliance as determined by the university.
Treasury Services, at its discretion, may revoke a merchant account immediately for failure to comply with this policy or the PCI Standard. Revocation of a merchant account will preclude the school or department from being able to process credit or debit cards.
Units processing credit cards: All USC schools, departments and units that accept credit or debit cards (not including the USCard) must protect credit card data in compliance with this policy and the PCI Standard. All USC schools, units and departments that process credit card data shall implement the business standards described in Appendix C.
Schools and departments that processed credit cards prior to the issue date of this policy must be in full compliance with the terms of this policy and the PCI Standard within 60 days of the issue date, in order to continue to process credit cards.
Information Security Liaisons: Information Security Liaisons are designated by deans or vice presidents to serve as the liaison between that respective school or department and the Information Security Office for all matters relating to information security. This individual coordinates with the Information Security Office to implement the university's policies, procedures and education at the relevant school or department and is the Office's contact for information security issues. This individual may be the system administrator for the particular school or department. This individual or his/her authorized designee is responsible for reviewing and approving the Security Safeguards Agreement, described below.
ITS Systems Security: ITS Systems Security is responsible for approving network segmentation configurations performed in compliance with this policy and the PCI Standard in conjunction with Treasury Services. ITS Systems Security is available to assist schools and departments with network segmentation configuration. ITS Systems Security will provide certain security information and event management functions and may perform other monitoring and reviews of computer and/or computer networks to ensure that security features are in place and are adequate to protect credit card data.
Purchasing Services: Purchasing Services is responsible for negotiating and executing the Security Addendum with third party vendors that will have access to or otherwise generate, store and/or transmit credit card data in connection with services provided to the university.
Office of Compliance: The Office of Compliance provides support to Treasury Services in the development and implementation of policies, guidance and education related to the PCI Standard compliance. The Office of Compliance, or its authorized delegate, will conduct appropriate vulnerability scanning of USC systems that transmit, generate or otherwise access credit card information. The Office of Compliance is authorized to monitor and audit compliance with this policy and to enforce its provisions, including immediate suspension or termination of the ability to process or store credit cards if a school or department fails to comply with this policy or the PCI Standard. The Office of Compliance is the lead in investigating and responding to security incidents, as described in the Information Security policy.
Audit Services: Audit Services is responsible for conducting audits of internal controls to confirm compliance with this policy and the PCI Standard. Audit Services is authorized to enforce its provisions, including immediate suspension or termination of the ability to process or store credit cards if a school or department fails to comply with this policy or the PCI Standard.
Establishing merchant accounts
A school or department must obtain a merchant account from Treasury Services before accepting credit cards. A merchant account must be renewed annually. Before providing or renewing a merchant account, Treasury Services will require the following, as described below:
PCI Pre-Qualification form
Any USC school or department that wants to accept credit cards must complete and submit a PCI Pre-Qualification form to Treasury Services. The form requires, among other things, (1) a list of devices/methods and USC personnel by title authorized to use such devices/methods to process or otherwise access credit card information; and (2) a legitimate business reason for the request to process credit card transactions. The form also must be signed by the dean, vice president or CEO of the respective school or department as well as the Information Security Liaison or authorized designee. Schools and departments may not begin to process credit cards until Treasury Services has given written approval.
School/department changes to how credit cards are processed
Schools and departments must submit a revised pre-qualification form any time they propose to change the devices or methods used to process credit cards. Treasury Services must approve the change in writing before the school or department can implement the change. If a school or department is uncertain whether a particular change triggers this requirement, it should contact Treasury Services for guidance.
Security Safeguards Agreement
Any USC school or department that wants to accept credit cards must agree to comply with the security criteria set forth in Appendix A. The Security Safeguards Agreement must be renewed annually from the date of signature.
PCI training
All USC employees (faculty, staff and student workers) who handle credit card data must complete the university's PCI training program before they will be permitted to access or process credit card data. Training must be completed annually. As part of the annual training, employees handling credit card data must acknowledge that they have read and understand both this policy and USC's information security policy. The school or department is responsible for maintaining a list of employees who handle credit card data and will provide it to Treasury Services, Compliance or Audit Services upon request.
Use of authorized POS system
Any USC school or department that wants to accept credit cards through a POS device or system must use a POS device or system authorized and approved in writing by Treasury Services.
Use of third party website
All schools or departments that accept credit cards over the internet through any means (including phone applications and mobile solutions) must redirect all such credit card submissions to a third party website authorized and approved in writing by Treasury Services.
Closing merchant accounts
Closing merchant accounts is the sole responsibility of Treasury Services in accordance with this section. A school or department that wishes to close a merchant account must make a request in writing to Treasury Services, representing, as applicable, that:
- the school or department is the business owner of the merchant account to be closed;
- all terminal equipment has been returned to Treasury Services;
- all e-commerce activity has been decommissioned; and
- any paper or electronic records will be destroyed in accordance with the university's Record Management policy.
Upon confirmation, Treasury Services will arrange for the merchant account to be closed.
Third Party Vendor Risk Management
Any third party vendor that processes, transmits, generates, stores or otherwise accesses credit card data on USC's behalf ("Vendor") must sign USC's Security Addendum. Schools and departments should work with Purchasing Services to initiate this process.
Before executing an agreement with a Vendor, the school or department should request a copy of the Vendor's report on compliance ("ROC") or attestation of compliance ("AOC") for the specific services being provided to the university.
Incident Response Plan
A "security breach" means an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of information maintained by USC and covered under this policy. This includes breaches that involve physical security as well as computer or information systems security. It is the responsibility of all university employees aware of an actual or suspected information security breach to report it immediately to their respective supervisor and the Information Security Office for review.
Depending on the incident, USC may have an obligation under state and federal law to notify the individuals whose information was breached as well as the applicable state or federal oversight agencies. The Office of Compliance will conduct the investigation, coordinate the university's response and prepare and submit any notifications as required or appropriate, in conjunction with the Incident Response Team.
The Incident Response Team for breaches of the PCI Standard will be led by the Director, Information Security in the Office of Compliance. The team is composed of representatives from:
- Treasury Services
- ITS Systems Security
- Audit Services
- Office of General Counsel
- Media Relations, as applicable
- IT liaison from the impacted school or department
It also may be necessary to report such a breach to other USC departments, such as the Department of Public Safety or Human Resources Administration, depending upon the nature of the actual or suspected breach.
Departments should not conduct their own investigation without first consulting the Office of Compliance. Further details are included in Appendix B.
This policy will be reviewed on an annual basis in accordance with the PCI Standard. In addition, schools and departments that process credit card data will submit a pre-qualification form annually. Individuals who handle credit card data must complete education specific to the PCI standard annually. The university will conduct a risk assessment in connection with PCI compliance that identifies, at minimum, threats and vulnerabilities.
All faculty, staff and other employees must comply with this policy and the PCI Standard. Individuals who do not comply are subject to disciplinary action in accordance with the Faculty Handbook, staff employment policies, and SCampus, as appropriate. Any disciplinary action under this policy will take into account the severity of the offense and the individual's intent.
Appendix B: PCI Incident Response Plan
The Information Security Office of the Office of Compliance (ISO) shall be informed of all actual or suspected breaches by calling (213) 821-2629 or the USC Help and Hotline at (213) 740-2500. Upon notification, the Office of Compliance is responsible for investigating and coordinating with necessary members of the university community to ensure PCI requirements are met.
This PCI Procedure shall include preparation, detection and analysis, containment, eradication and recovery as well as post-incident activity.
The ISO will use the following Incident Handling Checklist:
- Determine whether an incident has occurred
- Analyze and correlate initial information reported to the ISO
- Gather research based on other means such as technical capabilities
- Conduct legal analysis to determine whether a breach occurred as defined by federal and state law
- If an incident is believed to have occurred, begin documenting the investigation and continue gathering evidence
- Prioritize handling the incident based on risk and impact to the organization
- Convene the Incident Response Team described in this PCI policy, as applicable
- Report to other units within USC and senior management based on the analysis of legal requirements and the criticality of systems' information within USC's Business Continuity/Disaster Recovery Plans
- Ensure appropriate evidence handling (acquire, preserve, secure and document)
- Engage IDExperts, as applicable, to facilitate call center and other consumer services
- Ensure appropriate containment of the incident using the most appropriate options (system power shut down, disconnecting from the network or disabling certain functions). Note: do not assume that further damage is being prevented just because containment has taken place. Malicious software could continue to do further damage once it detects that attempts to contain it have been made.
- Implement corrective action
- Identify and mitigate vulnerabilities that were exploited
- Remove malware, inappropriate materials, and other components
- Repeat the detection and analysis steps to identify other affected areas and proceed with containment and eradication/mitigation
- Report to appropriate parties as determined by Compliance and the Incident Response Team:
- To the credit card issuing organizations to fulfill their PCI requirements
- To local and federal law enforcement as deemed appropriate by the Incident Response Team
- To impacted individuals
- To applicable state and federal regulatory agencies as required by law
- Implement additional monitoring to look for future related activity, if appropriate
- Prepare investigation report, as applicable
- Debrief from the incident and implement any lessons learned
Appendix C: Business Standards
The school or department has procedures to ensure the following:
- Credit card processors do not accept credit card transactions for more than the amount of the purchase, and the amount entered into the credit card machine agrees with the purchase amount.
- The credit card expiration date is not included on the receipt.
- Only the last 4 digits of the credit card number print on the receipt copy given to the customer.
- Credit card data will not be stored absent a legitimate business purpose as approved by the Office of Treasury Services. In no event will the CVV, PIN or expiration date be stored.
- Hard copies of credit card data, if any, will be stored with appropriate physical safeguards, including storage in locked cabinets with access restricted to those with a legitimate business need.
- Electronic copies of credit card data, if any, will be stored with appropriate technical safeguards as approved by Treasury Services and the Information Security Office.
Office of Compliance
Todd R. Dickey, Senior Vice President, Administration
Robert Abeles, Senior Vice President, Finance, and Chief Financial Officer
University of Southern California