10 - 010 USNH Payment Card Data Security

A. SUMMARY ADMINISTRATIVE PROCEDURE

1. Purpose. The purpose of this policy is to establish business processes and procedures for accepting and handling payment cards on behalf of USNH as established by the Payment Card Industry Data Security Standard (PCI DSS 4.0) and in accordance with the USNH Payment Card Data Security Policy. In order to maintain compliance with PCI DSS, it is essential that departments that store, process, or transmit cardholder data adhere to the procedures within USNH and departmental policies to ensure the safe handling of cardholder data. This procedure addresses the standards that are contractually imposed by the major payment card brands on merchants that accept these cards as forms of payment. The policy covers the following specific areas contained in the PCI standards related to cardholder data (CHD): processing, transmitting, storing, and disposing of CHD.

Collection and processing of card payments will be conducted in compliance with standards established by the Payment Card Industry Security Standards Council (PCI SSC), University System policies, and the procedures outlined in this document. Departments are responsible for ensuring all processes, procedures, and technologies follow the security standards dictated by the PCI DSS and as approved by USNH Finance-PCI. This policy is reviewed on an annual basis to ensure operational processes are documented and known to all constituents.

2. Scope. These procedures apply to any person using USNH's systems and networks involved with payment card handling. This includes processing, transmitting, storing, and disposing of Cardholder Data (CHD) at USNH, and use of any third-party system that could impact the security of CHD at USNH. In addition, institutions must comply with USNH Information Technology Security Policy USY VI.F.5.

3. Authority. The PCI DSS is a set of requirements created and agreed upon by the five major payment card brands: American Express, Discover, JCB (Japan Credit Bureau), Mastercard, and Visa. These security requirements apply to all transactions surrounding the payment card industry. Electronic and paper transactions are covered by this standard. The requirements apply to any organization involved with handling CHD. The card brands apply terms in the merchant agreement to enforce these standards. USNH requires that all campus organizations and departments handling payment card data:

a. Adhere to all applicable PCI DSS administrative, technical, and reporting requirements;
b. Have pertinent local practices, procedures and documentation in place to ensure compliance with PCI standards; and
c. Provide training for the employees and others that handle CHD.

4. Revision. These procedures may be updated at any time by USNH Finance-PCI and should be reviewed annually by campus merchant departments for changes, in accordance with PCI DSS.

5. Definitions

a. Attestation of Compliance (AOC) - A document that is completed along with a Self-Assessment Questionnaire (SAQ), as a declaration of the merchant's compliance status with the Payment Card Industry Data Security Standard (PCI DSS). This summary document may be safely shared outside of USNH with third parties that have a legitimate business reason to know.

b. Campus Finance/Administration Office - Responsible for approving all requests for acceptance of payment cards.

i. For UNH this is Central Finance

ii. For PSU this is Finance & Administration

iii. For KSC this is Finance & Administration

c. Cardholder Data (CHD) - Those elements of payment card information that are required to be protected. These elements are: 

i. Primary Account Number (PAN), or 

ii. PAN in conjunction with:

  • Cardholder name
  • Expiration date
  • Service code

d. Merchant Department - Any department or unit which has been approved by the Campus Finance/Administration Office to accept payment cards (Visa, Mastercard, American Express, Discover) and has been assigned a Merchant Identification number (MID).

e. Merchant Department Responsible Person (MDRP) - An individual within the department who has primary authority and responsibility for payment card transactions and for ensuring compliance with PCI DSS.

f. Payment Card Industry Data Security Standard (PCI DSS) - The security requirements defined by the Payment Card Industry Security Standards Council and the five major payment card brands.

g. Self-Assessment Questionnaire (SAQ) - A reporting tool used to document self-assessment results from an entity's PCI DSS assessment.

h. Service Code - The three-digit or four-digit value in the magnetic stripe that follows the expiration date of the payment card on the track data. This value is used for various purposes such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.

i. Service Provider - A business entity other than a payment brand directly involved in the processing, storage, or transmission of CHD on behalf of another entity. This includes companies that provide services that control or could impact the security of cardholder data.

B. BUSINESS POLICY - ACCEPTING AND HANDLING CARD PAYMENTS

1. User Access and Physical Security: Access to USNH's cardholder system components and data must be limited to only those individuals whose jobs require such access. Access to cardholder systems, including all in-scope applications and Point of Sale (POS) devices, is restricted based on job responsibilities. User access requests are submitted to usnh.pci@usnh.edu. Access to cardholder systems is role-based, and permission is granted upon successful completion of all applicable training. When a user is terminated, transferred, or the job function no longer requires cardholder system access, it is the Department's responsibility to communicate such changes to usnh.pci@usnh.edu.

a.    Devices that capture payment card data via direct physical interaction with the card must be physically secured and protected from tampering and substitution.  This includes periodic inspections of Point of Sale (POS) device surface to detect tampering and training personnel to be aware of suspicious activity.  User access to sensitive areas that store, process, or transmit cardholder data is restricted based on individual job function.  

b.    No database, electronic files, other electronic repositories of information, or paper forms may store the card-validation code (aka CVV or CVC) after authorization regardless of the success or failure of the payment.  The full contents of any track from the magnetic stripe on the back of a payment card must never be stored.

c.    Portable electronic media devices or shared file repositories should not be used to store cardholder data. These devices include, but are not limited to, the following: laptops, compact disks, floppy disks, USB flash drives, personal digital assistants, and portable external hard drives.

d.    CHD must not be retained any longer than required to authorize the transaction and must be deleted or destroyed immediately after authorization. Access to cardholder data is restricted to those with a business "need to know", and each person with access to cardholder data must have a unique user ID and password. Passwords must never be written down or shared with others and must be changed at least every 90 days. (PCI DSS 4.0 Requirements 8.2.1 and 8.3.9)

e.    CHD must never be stored in any format, electronic or physical, without prior written approval.  

f.    All work computers of employees authorized to handle CHD, and shared workstations used in merchant operations, must be scanned with the USNH authorized scanning tool on a regular basis to confirm that no CHD has been stored on them, whether by accident, negligence, or otherwise.

g.    All CHD security lapses must be logged and resolved by the MDRP. A CHD security lapse is a case where employees did not follow USNH procedures but no security breach resulted. A CHD security lapse may be grounds for disciplinary action, including termination.

h.    USNH credit card data and bank account information should be protected the same way customer payment card data is protected. Related procedures should be documented by each department and include the above components, particularly as they relate to storage and disposal of CHD.

2. Annual Awareness Training: In accordance with PCI DSS 4.0 Requirement 12.6.3, all users within the department authorized to handle card payments must complete the annual PCI DSS awareness training. The annual PCI DSS training is intended to promote employee awareness of the technical and operational requirements for protecting cardholder data. Upon hire, the department's business process owner will notify the USNH Finance-PCI team of any new staff required to complete training.

3. Payment Card Terminals: Purchase or rental of payment card terminals, including mobile applications, must be coordinated through USNH Finance-PCI. Only devices and locations that have been approved and tracked by the PCI Team may be used in any way associated with payment card processing. All devices must meet PCI DSS standards and be on the USNH approved device list. The department is responsible for ensuring that only authorized, properly trained staff have access to the terminal. Terminals must be inventoried with USNH Finance-PCI and must be kept in a secure location. Sharing or transfer of wireless terminals between departments is not allowed without proper approval and documentation. It is the department's responsibility to coordinate with USNH Finance-PCI to ensure that terminals are updated with the most recent software version, both to apply security fixes and to reduce processing errors.

Departments may use loaner wireless terminals on a temporary basis for special events to accept in-person card payments at the times agreed upon on the loaner application. Loaner terminals are kept in a secured, locked location when not in use. Use of loaner terminals follows the same processing procedures for in-person payments as outlined in this document. Loaner terminals must be checked for tampering when received, and any sign of tampering must be reported to Merchant Services immediately. If there are no issues or messages, the application for that time period serves as acknowledgment that the tamper check was performed when the device was received.

4. New Equipment, eCommerce, or Merchant ID Request: The acceptance of credit card payments must be preapproved by USNH Finance-PCI. USNH provides approved equipment, gateways, and eCommerce platforms. eCommerce sites outside of the USNH approved eStore must integrate using the approved USNH payment gateway. In exceptional cases the USNH Finance-PCI team may approve use of a different payment gateway; a use case must be submitted to USNH Finance-PCI for review. Venmo and Square are not approved by USNH. PayPal is accepted, with approval, through third-party sites where USNH is NOT the merchant of record.

5. Inventory, Maintenance, and Approved Equipment, Gateway and eCommerce Store: The master inventory of all credit card readers, merchant IDs, and vendors is maintained by USNH Finance-PCI, which also obtains AOCs from vendors. It is the responsibility of the MDRP to keep the department inventory, review it yearly, and communicate any changes as they occur to USNH Finance-PCI.

6. Batch Settlement: Terminals must be settled no less frequently than daily. The department must maintain (for seven years) all signed receipts and card swipe terminal Batch Total Settlement Reports.

The cardholder system settles each night automatically. At 12:00 EST, a batch for each merchant is closed for the day's activity and sent to the credit card processor. Funds are posted based on the department's merchant account ID and the ID provided to Financial Services. Departments will establish and maintain appropriate segregation of duties between card processing, processing of refunds, and the reconciliation of payment card transactions. Each department is responsible for reconciling sales transactions to its general ledger no less than monthly.

7. Disputes and Chargebacks: USNH Finance-PCI will receive chargebacks and transaction disputes and report them to the department. Departments will also receive a paper copy from the bank. Departments can either accept or reject the chargeback. If rejected, the department must provide supporting documentation to justify that the transaction is valid. Failure to respond within the allocated timeframe will result in a loss to the department. Prompt attention to these matters is a priority. It is the department's responsibility to develop appropriate internal controls to mitigate risks related to chargebacks.

8. PCI DSS Annual Merchant Questionnaire: At least annually, each payment card merchant must (1) complete the current PCI DSS Self-Assessment Questionnaire (SAQ), (2) participate in periodic vulnerability scans if required by the SAQ, and (3) take the actions necessary to attest compliance to the current PCI DSS. After review by the QSA, the Campus Finance/Administration Office is responsible for uploading these documents to the USNH merchant bank portal.

9. Compliance: Any merchant location which is not PCI DSS compliant may be assessed a $25 fee by the current USNH merchant bank for every month it is non-compliant. A different fee may be assessed for non-compliance at locations approved to use providers other than the main USNH merchant bank. Campus senior leadership must be notified of any non-compliance status and resulting fees.

In coordination with the MDRP, any merchant that remains non-compliant for six consecutive months may be required by USNH or USNH's merchant bank to stop collecting payments via payment card. USNH Finance-PCI will notify the Campus Finance office when a merchant is suspended from collecting payments due to non-compliance.

10. Security (PCI DSS 4.0): Quarterly external vulnerability scans of USNH websites that may redirect to a payment page must be completed by a third-party scanning vendor (a PCI SSC Approved Scanning Vendor, ASV), and any findings must be remediated within two weeks.

11. Service Provider Relationships:  Merchants and their service providers must have a documented and consistent level of understanding about their applicable PCI DSS responsibilities.

a. USNH merchants that utilize a service provider for payment processing, transmission, or storage must obtain a written agreement from such provider stating that the named provider is responsible for the protection and security of any CHD that the provider possesses, stores, processes, or transmits on behalf of USNH, or any CHD whose security the provider could impact. This should be done for all new contracts and, to the extent negotiable, for any contract renewals.

b. The written agreement must specify the PCI DSS requirements for which the service provider is responsible and those for which the USNH merchant is responsible. This documentation should be obtained for all new contracts and any contract renewals.

c. The MDRP must communicate the PCI requirements for which the merchant department is responsible to all persons (USNH employees) who will be involved with payment handling in any way.

d. Proof of a Service Provider鈥檚 PCI DSS compliance must be provided by vendor to 麻豆视频下载 Finance- PCI on an annual basis.  Acceptable types of proof are limited to the following (in order of preference):

i. A signed Attestation of Compliance (AOC) that has been properly completed and is less than twelve months old.

ii. Alternatively, USNH may accept their status as it appears on the Visa Global Service Provider Listing.

iii. Service Providers eligible to self-assess should provide an AOC signed by an executive of the vendor, dated within the last twelve months, and based on the results of a completed Self-Assessment Questionnaire (SAQ) D for Service Providers. This SAQ should ideally be supported by a Qualified Security Assessor (QSA as defined in the PCI DSS) signature, but this is not specifically required.

iv. USNH may also accept documents deemed appropriate by legal counsel in limited instances.

12. Best Practices: The USNH QSA provides regular best-practice guidance for USNH institutions to incorporate into merchant procedures, to better understand and comply with the requirements of the standard. All USNH organizations that are subject to PCI DSS are expected to follow these best practices.

C. BUSINESS PROCEDURES - ACCEPTING AND HANDLING CARD PAYMENTS

1. New Payment Card Acceptance and MID: In the course of doing business at any USNH institution, it may be deemed advantageous for a department or other unit to accept payment cards for purchases of USNH goods and/or services. These transactions may include receipt of donations, payment for credit and non-credit courses, conference fees, ticket sales, and other approved institutional products and services. Approval of a new merchant account for the purpose of accepting payment cards is done on a case-by-case basis. Each Campus Finance/Administration Office determines where to charge any fees associated with the acceptance of payment cards by its units.

a. Approved USNH payment gateways and equipment must be used. A platform not currently supported by USNH may be used only if the vendor can integrate with the USNH selected payment gateway or a store front can be created for it.

i. The USNH selected provider is supported and managed by USNH Finance-PCI and ET&S.

b. Departments or units that want to begin accepting payment cards as payment for sales of goods or services rendered should contact their respective Campus Finance/Administration Office to begin this approval process. Steps include:

i. Completion of Application to Accept Payment Card

ii. Completion of PCI-DSS and Best Practices Guide training, and

iii. Submitting the completed application to the Campus Finance/Administration Office for approval.

iv. Signing off on the acceptance and adherence acknowledgement for accepting credit cards.

c. The Campus Finance office submits the approved application to USNH Finance-PCI to initiate setup of the MID with the USNH merchant bank.

d. Any department accepting payment cards on behalf of a 麻豆视频下载 institution or affiliated organization must designate an individual within the department who will have primary authority and responsibility for payment card transactions. This individual is referred to as the Merchant Department Responsible Person or MDRP. The department must also specify a back-up, or person of secondary responsibility, should matters arise when the MDRP is unavailable.

e. Once the MID is obtained from the bank, the USNH merchant bank relationship manager will guide the MDRP through the process until the location is up and running. Please allow five to seven business days for a new setup.

f. Requests to obtain or replace point of sale terminals for existing locations must be made to your Campus Finance/Administration Office. Once approved, the equipment can be purchased and USNH's merchant bank relationship manager can be contacted.

g. Each MDRP may directly contact the USNH merchant bank relationship manager for questions related to maintenance of existing terminals and terminal settings. Current contact information can be obtained from USNH Finance-PCI.

h. Specific details regarding transaction handling and required reconciliation for each merchant location will depend upon the method of payment card acceptance and type of merchant account used. Detailed instructions will be provided by the merchant bank when any new account is established.

i. Merchant departments accepting payment cards over the internet must post a copy of the "USNH Privacy Policy" and a refund policy on their web site. A Technical Contact is required for all online card collection sites.

j. When purchasing new services or equipment to handle payment card transactions, the MDRP must obtain proof of PCI compliance from the service provider or the equipment vendor. New web applications that accept credit card payments on USNH's behalf must be approved by USNH Finance-PCI and ET&S. The vendor must:

i. be PCI compliant,

ii. provide an AOC,

iii. be approved before the contract can be signed, and the contract must include specific PCI language.

k. When renewing existing agreements, the MDRP should make every effort to negotiate the PCI compliance requirements in C.1.j above if they are not already in place. If already in place, the MDRP must maintain that same level of PCI compliance.

l. Any new or renewed service agreement must comply with this policy and with USNH Procurement Policy.

m. Each merchant location should record its payment card revenue in the USNH financial system daily, unless other arrangements are made with USNH Accounting Services. Payment card merchants should contact USNH Accounting Services with any questions in this regard.

2. Physical Security Procedures: All equipment and card readers must be securely stored when not in use and only accessible by those trained to utilize the equipment.

a. Upon hire, staff are trained to comply with standards established by the PCI SSC, 麻豆视频下载 policies, and the operational procedures outlined in this document.  In addition, staff are also trained to be aware of methods in which devices can be tampered with or replaced.  See training procedures for more details. Training includes the following:

i. Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.

ii. Be aware of suspicious behavior.  For example, attempts by unknown persons to unplug or open devices.

iii. Do not alter or attempt to troubleshoot terminals. Troubleshooting support is provided by USNH Finance-PCI.

b. At the start of each day (prior to use), the terminal surfaces are checked to detect tampering or substitution.   Using the Terminal Security Review Sheet (should be housed with the terminal), verify that the device has not been swapped with a fraudulent device by performing the following steps:

i. Compare the serial number and model number listed on the terminal to that included on the Terminal Security Review Sheet.

ii. Review the tamper-evident stickers on the surface of the terminal and make sure they are intact.

iii. Inspect the terminal for foreign objects (e.g. skimmers), unexpected attachments or cables plugged into the device, pry marks, and broken or stressed seams.

iv. If you notice anything unusual or suspect that the terminal has been tampered with or substituted, contact USNH Finance-PCI immediately at usnh.pci@usnh.edu.

v. When mobile terminals are changing hands between department users, an additional tamper check will be performed by the responsible party upon return.

c. Employees are not permitted to change or switch out any transmission wiring without approval from the MDRP or designated IT Support personnel.  The only parties who may modify or move wiring are paid vendors with written permission, or a campus employee with written permission from his/her campus IT or Finance/Administration management. Each card acceptance location should ensure that their employees:

i. Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.

ii. Do not install, replace, or return devices without verification.

iii. Are aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).

iv. Report suspicious behavior and indications of device tampering or substitution to MDRP and Department management.

v. Do not use any devices where suspicion exists that substitution or tampering has occurred.

d. Preapproved Stored CHD:

i. Storage of CHD is NOT recommended and is granted only under extenuating circumstances.

ii. Approval by USNH Finance-PCI may be granted based on business need and a documented handling procedure.

iii. If approved, a regular schedule of deleting or destroying data must be established in the merchant department to ensure that no CHD is kept beyond the approved retention period after authorization. Any access to stored CHD must be logged with the date and time, the identity of the employee accessing the secured data, and customer contact information so the customer can be notified in case of loss.

3. Payment Card Processing Procedures:

a. Mail Order - The department receives mail orders for a specified and preapproved reason, with credit card information returned on the form.

i. Process mail orders by manual key entry on the SRED (Secure Reading and Exchange of Data) terminal

ii. Shred the mailed-in form containing CHD with a cross-cut or micro-cut shredder

b. Fax Order - The department receives orders via fax for a specified and preapproved reason. The fax machine must be secured, and how it is secured must be described in the department-specific procedures.

i. Process faxed orders by manual key entry on the SRED terminal

ii. Shred the faxed form containing CHD with a cross-cut or micro-cut shredder

c. Phone Order - The department accepts credit card orders via phone for a specified and preapproved reason.

i. Credit card information is entered directly into the SRED terminal by manual key entry. No numbers or other card information may be written down.

ii. When accepting phone orders, do not repeat the card number out loud. If you need to confirm the number, ask the customer to repeat it.

iii. A confirmation number will be given to the customer once the card is accepted.

d. Email Order - N/A - USNH does not accept credit card numbers sent via email.

Unencrypted electronic communication methods such as email, instant messaging, chat, SMS, Snapchat, Facebook Messenger, etc. must not be used to transmit CHD or personal payment information, nor accepted as a method to supply such information. Each merchant department must include in its departmental PCI DSS procedure the proper method to handle and respond to emails or other unsecure communications sent by customers that contain CHD. If this does occur, handling the received CHD as outlined in items i and ii below is critical. Also see item 6 in the Best Practices Guide for additional information.

i. Accepting and sending payment card information through email is strictly prohibited. If an email is received with cardholder data, the recipient should immediately reply to the email with the message below. Before sending the reply, remove the cardholder data from the quoted message.

"Thank you for providing the necessary information to process your payment for ______. The UNIVERSITY strives to protect all vital information of our customers, and email is not a secure means of providing cardholder information; therefore the email with your card information has been deleted and your payment has not been processed. Please reach out to _________ to make a secure credit card payment."

ii. The email MUST be permanently deleted from email inbox and trash.
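The workstation scan in B.1.f and the email-handling step above come down to the same task: find probable PANs in text and mask them before anything is kept, reported, or sent back to the customer. The following Python is an added example, not part of the USNH procedure or of any USNH scanning tool. It assumes a PAN is 13 to 19 digits, optionally separated by single spaces or hyphens, and uses the Luhn check digit to discard most phone numbers and order IDs. The sample email is constructed; 4111 1111 1111 1111 is a well-known Visa test number, not a live account.

```python
"""PAN discovery and masking helper (added example, not USNH code)."""
import re
from typing import Iterable, List, Tuple

# Candidate PAN: 13-19 digits, single spaces or hyphens allowed between digits,
# not adjacent to other digits (so a 20-digit run is not a candidate).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, digits) for each Luhn-valid 13-19 digit run in text."""
    hits: List[Tuple[int, int, str]] = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace every detected PAN with its masked form; return (new_text, count)."""
    pieces = []
    last = 0
    hits = find_pans(text)
    for start, end, digits in hits:
        pieces.append(text[last:start])
        pieces.append(mask_pan(digits))
        last = end
    pieces.append(text[last:])
    return "".join(pieces), len(hits)


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for each PAN found; never the full PAN."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for _, _, digits in find_pans(line):
            findings.append((lineno, mask_pan(digits)))
    return findings


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan a text file on a workstation and report masked findings by line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


# Constructed sample email (assumption): one Luhn-valid test PAN, one phone
# number, and one 13-digit order number that fails Luhn and must not be flagged.
SAMPLE_EMAIL = (
    "Please charge 4111 1111 1111 1111 exp 12/26 for the conference fee.\n"
    "Call me at 603-862-4242. Order 1234567890123 ref.\n"
)

if __name__ == "__main__":
    redacted, count = redact_pans(SAMPLE_EMAIL)
    print(f"{count} PAN(s) masked before replying")
    print(redacted)
```

The Luhn filter reduces false positives but does not eliminate them, so treat a hit as something to review, not proof of CHD. The scan report carries only masked values so that the report itself does not become a new place where CHD is stored.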

e. In Person - The department accepts credit card payment in person at the agreed-upon location.

i. Request card from cardholder for processing.  Ensure the card is signed, if not, request ID.

ii. Process transaction via credit card terminal.

iii. Have customers sign merchant copy/receipt. Verify signature matches back of card. Ask for photo ID from any customer without a signature on the back of the card.

iv. Give the card and receipt to the customer.

f. On-line Orders

i. Online orders are taken ONLY via the Department's online solutions approved by USNH.

ii. Department individuals with authorized access to the system will fulfill orders on a daily basis.

g. At Home Processing

i. USNH does NOT allow staff to accept payments on behalf of USNH from home. All payments must be directed through an online portal or through a staff member at an approved USNH office.

4. Training Procedures: Annual PCI training is conducted online through a vendor portal. Anyone who handles or accepts credit cards, or who requires access to card processing systems for reporting, must complete PCI training.

a. Who is responsible for ensuring card users are registered for this program and complete this training annually?

i. This is a team effort. The designated account holder is responsible for ensuring that new trainee information is sent to USNH Finance-PCI, and USNH Finance-PCI will make sure the account holder is informed of who still needs to finish their training based on the information supplied.

b. What is the process for requesting new users and deactivating users?

i. All training requests are to be sent to usnh.pci@usnh.edu using the provided Excel template.

ii. The information needed is as follows (Excel format, template provided):

  • First & last name
  • USNH SSO username
  • Location
  • Department
  • Whether they are a training admin or not
  • Adding or removing from the training

iii. Once the request has been submitted to the training vendor and completed, the requestor will receive a confirmation email from the USNH Finance-PCI team.

c. How will I know when my team has completed training?

i. You may require the employee to submit their completion certificate to you (quickest option if they need to start immediately).

ii. A list of those who have not completed their training will be sent to account holders weekly. If you do not have any delinquent training, you will not receive an email.

iii. NOTE: Logins/ access to any device or program is to be restricted until PCI training is complete.

d. What if an employee leaves or changes role?

i. Using the same form submitted to add a new trainee, there is a column to have employees removed from training. This form is to be submitted to usnh.pci@usnh.edu.

5. Refund Procedures: Clear disclosure of return, refund, and cancellation policies can help to prevent potential cardholder disputes/chargebacks. The major card brands (Visa, AMEX, MC, Discover) will support refund policies provided they are clearly disclosed to cardholders.  Departments using gateway or terminal must communicate refund/return/cancellation policy either in the sequence of pages before final checkout with a click to accept button or checkbox on the checkout screen / location with electronic signature.

a. Each department is responsible for documenting their refund policy and communicating this with staff and customers.

b. Procedures to refund a credit card transaction are included in the user manual for the POS devices and Nelnet guides.

6. User Change(s) at Merchant Location(s): Merchants must notify their MDRP of any changes of personnel involved in payment card processing. This includes any new hires, personnel who have been assigned new duties that include payment card handling and/or settlement duties, as well as changes in volunteers and contractors with access to CHD. This also includes employees, volunteers or contractors that have left their position and are no longer involved in payment card handling. Each Campus Finance/Administration Office should determine the manner in which these notifications will occur. The User Change Form is provided as a model to use in reporting these changes to the MDRP.

7. User Statement of Understanding: Persons (i.e. employees, volunteers, and contractors) who handle CHD as part of their employment or other activity at USNH must fill out and sign the related User Statement of Understanding Form. The MDRP must ensure the completeness of these filings at all times.

8. Incident Response Procedures: An incident is defined as a suspected or confirmed data compromise in which there is a potential to impact the confidentiality or integrity of payment card data.  A data compromise is any situation where there has been unauthorized access to a system or network where prohibited, confidential, or restricted payment card data is collected, processed, stored, or transmitted.

In the event of a breach or suspected breach of security, the department or unit must immediately execute each of the relevant steps outlined below in addition to following applicable local institutional or departmental incident management procedures:

a. Contact the 麻豆视频下载 ET&S Cybersecurity team for proper direction related to preservation of electronic data. The steps should include:

i. Disconnecting the impacted device(s) from all networks. To disconnect a wired device, unplug the Ethernet (network) cable. If the device uses a wireless connection, disconnect it from the wireless network. For devices connected via an analog telephone line, unplug the phone line.

ii. DO NOT turn the device off or reboot. Leave the device powered on and disconnected from the network.

iii. Prevent any further access to or alteration of the compromised system(s) (i.e., do not log on to the machine and/or change passwords; do not run a virus scan). In short, leave the system(s) alone, disconnected from the network, and wait to hear from the IT security office.

iv. Help Desk Numbers:

  • KSC: (603) 358-2532
  • PSU: (603) 535-2929
  • UNH: (603) 862-4242

b. Notify 麻豆视频下载 Finance-PCI of incident in tandem with or directly after 麻豆视频下载 ET&S Cybersecurity.

c. Document every action taken from the point of suspected breach forward, preserving any logs or electronic evidence available. Include the following in the documentation:

i. Date and time

ii. Action taken

iii. Location

iv. Person performing action

v. Person performing documentation

vi. All personnel involved

d. Notify the department's MDRP, the Dean, Director or Department Head of the unit experiencing the breach and the campus Finance/Administration office of the breach circumstances.

e. Relay all such communications to the 麻豆视频下载 Treasurer, 麻豆视频下载 General Counsel and 麻豆视频下载 Internal Audit.

f. Once a full determination of the scope of a breach is made, the Campus IT Security Officer and 麻豆视频下载 Treasurer will be responsible for notifying 麻豆视频下载 executive management, banking representatives, and any other parties as appropriate.

g. A suspected breach may also be reported to 麻豆视频下载 by the processing bank or an outside party. In that case, 麻豆视频下载 will notify the campus merchant involved in the suspected breach and the relevant steps outlined above should be executed.

h. A detailed incident response plan will be completed and maintained by the 麻豆视频下载 IT Security Officer. This incident response plan shall be in accordance with the parameters set forth by the card brands.

i. Refer to Incident Response Plan for further instructions.
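One way a merchant unit could keep the action record that step 8.c requires, as an added example that is not part of this policy or any 麻豆视频下载 system: each entry must carry the six listed items, and entries are SHA-256 chained so that any later alteration of a preserved record is detectable on review. The sample entries are constructed for illustration.

```python
# Added example (not part of the policy): a tamper-evident action log for
# step 8.c. Every entry must carry the six required fields, and entries are
# SHA-256 chained so later alteration of a preserved record is detectable.
import hashlib
import json

# The six items step 8.c says each documented action must include.
REQUIRED_FIELDS = ("timestamp", "action", "location", "performed_by",
                   "documented_by", "personnel_involved")
GENESIS = "0" * 64  # stands in for the hash before the first entry


def _entry_hash(prev_hash, record):
    """Hash the predecessor's hash together with a canonical JSON record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()


def append_entry(log, **fields):
    """Reject entries missing a required field, then chain-append to log."""
    missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
    if missing:
        raise ValueError("incident log entry missing: " + ", ".join(missing))
    record = {f: fields[f] for f in REQUIRED_FIELDS}
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev_hash": prev,
             "hash": _entry_hash(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log):
    """True only if every entry still hashes to the value its successor links."""
    prev = GENESIS
    for e in log:
        if e["prev_hash"] != prev or _entry_hash(prev, e["record"]) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def demo_log():
    """Constructed sample: two containment actions from step 8.a."""
    log = []
    append_entry(log, timestamp="2024-05-01T14:02:00Z", location="Register 2",
                 action="Unplugged Ethernet cable; terminal left powered on",
                 performed_by="A. Clerk", documented_by="B. Manager",
                 personnel_involved=["A. Clerk", "B. Manager"])
    append_entry(log, timestamp="2024-05-01T14:05:00Z", location="Back office",
                 action="Called Help Desk to reach ET&S Cybersecurity",
                 performed_by="B. Manager", documented_by="B. Manager",
                 personnel_involved=["B. Manager"])
    return log
```

Writing each entry to append-only storage as it is made, and re-running verify_chain when the log is handed to ET&S Cybersecurity, preserves the record in the form step 8.c asks for.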

Each Merchant is responsible for including department-specific procedures in addition to the above. Those procedures should include how to accept and process a card, completing a refund, frequency of inspections, reconciliations, and communication procedures between department & 麻豆视频下载 and department & customers.

D. FAILURE TO MEET THE REQUIREMENTS OF 麻豆视频下载 POLICY AND PROCEDURES

Departments and merchants have a responsibility to follow all applicable 麻豆视频下载 Policies and Procedures.

1. Failure to meet the requirements outlined in this policy and procedure will result in suspension of the physical and, if appropriate, electronic payment capability for affected units. Additionally, if appropriate, any fines and penalties which may be imposed by the affected payment card brand(s) will be the responsibility of the impacted unit.

2. Individuals who fail to meet the requirements outlined in this procedure may be subject to disciplinary action including termination under policy USY V.C.9 and related campus specific procedures.


[1] See section A.5.c for a description of items included in cardholder data.
