Credit Card Security Information
The following information is an overview of the credit/debit card standards and requirements described in the University of Maine System’s Administrative Practice Letter (APL), “Credit/Debit Card Standards,” with additional information specific to the University of Maine. The APL “establishes procedures and requirements for University of Maine System (UMS) departments accepting payments by credit/debit card…and applies to all departments, individuals, and entities…involved in acceptance of credit/debit card payments on behalf of the UMS.” Click here to view the APL in its entirety (PDF).
The Payment Card Industry (PCI) Security Standards Council has a very thorough standard in place to ensure that merchants safeguard cardholder information. This is known as the Payment Card Industry Data Security Standard (PCI DSS). Click here for a copy of the PCI DSS and other related information.
In order to continue processing credit card payments using a personal computer, you must comply with the following requirements.
You must access the on-line site via a computer that is isolated in a single location and not connected to other locations or systems. This means you will need:
- A personal computer dedicated to the payment processing function.
- A separate port connected to the campus PCI Compliant Network.
- The computer used must be kept up to date with anti-virus software.
- The computer used must be kept up to date with security patches (e.g., Windows updates, MS Internet Explorer updates).
- The computer used must not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward).
- The computer used must not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached).
- The computer used must have any wireless capabilities disabled.
In addition, all departments accepting credit cards must comply with the following security procedures relating to the handling of cardholder data. Cardholder data consists of, at a minimum, the personal account number (PAN). Cardholder data may also be in the form of the PAN plus any of the following: cardholder name, expiration date, and/or card verification value (CVV).
- You must not send or receive cardholder data by electronic means such as e-mail, chat or instant messaging.
- You must never store cardholder data in electronic format on any university computer or external device.
- You must retain any paper documents containing cardholder data only for as long as needed to complete the transaction.
- If documents containing cardholder data must be delivered from one employee to another, they must be labeled as confidential and delivered personally or by a trackable delivery service. Do not send cardholder data by regular or inter-campus mail.
- Upon completion of the transaction, any paper documents containing cardholder data must be properly destroyed or rendered unreadable. Proper destruction means cross-cut shredding, incineration, or pulping so that cardholder data cannot be reconstructed.
- The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) must never be stored in any form under any circumstance.
- Access to cardholder data must be limited to only those individuals whose jobs require access.
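As an added example (not part of the University's or the APL's procedures), the following Python script is the kind of check a department could run on the dedicated PC to confirm that no cardholder data, as defined above, has been stored in electronic form: it finds Luhn-valid PANs, reports them masked to the first six and last four digits, and flags any CVV value written next to a label. The sample text is constructed for the demonstration; the function and regex names are this example's own.

```python
import re
import sys

# Constructed sample: what a stray note or spreadsheet export on the payment PC might contain.
# The first card number is a well-known test number; the third fails the Luhn check.
SAMPLE_TEXT = "\n".join([
    "Donor: J. Example, card 4111 1111 1111 1111 exp 12/26 CVV 123",
    "Order ref 20240117-0042, phone 207-581-1592",
    "Typo in notes: 4111111111111112 (fails the Luhn check)",
])

# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3- or 4-digit value written next to a card verification label (CVV, CVC, CID, CSC).
CVV_RE = re.compile(r"\b(?:cvv|cvc|cid|csc)\s*[:#]?\s*(\d{3,4})\b", re.IGNORECASE)

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_cardholder_data(text):
    """Return a list of findings (type, masked value, line number) for PANs and CVVs in text."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"type": "PAN", "value": mask_pan(digits), "line": line})
    for m in CVV_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        findings.append({"type": "CVV", "value": "***", "line": line})  # never echo the code itself
    return findings

if __name__ == "__main__":
    # Scan files named on the command line, or the constructed sample when none are given.
    sources = [(p, open(p, errors="ignore").read()) for p in sys.argv[1:]] or [("sample", SAMPLE_TEXT)]
    for name, text in sources:
        for f in find_cardholder_data(text):
            print(f"{name}:{f['line']}: {f['type']} {f['value']}")
```

Run it against exported spreadsheets, e-mail archives or scratch files on the payment PC; any hit means cardholder data was retained in electronic form and must be securely deleted.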
In order to continue to enter credit card payments on-line, you must follow the University of Maine Procedures for PCI DSS Virtual Terminal Compliance.
Those departments that elect to continue to manually process credit card transactions via a virtual terminal as identified above must complete the following tasks to properly comply with the terms in this message:
- Department must register the computer with UMaine IT (Andy Moody, 207-581-1592) by providing the following:
  - PC make and model
  - PC network name
  - IP address of PC
- Department must identify the contact person for management and maintenance of the PC.
- Department must acknowledge compliance with all terms and conditions outlined in this message and their understanding that there will be a separate monthly port charge of $7.00 (current rate) for connection to the campus PCI Compliant Network.
- Any changes in this registration data or in the process for handling credit card transactions must be shared with UMaine IT.
Failure to comply with the terms of this registration can result in disconnection of the PC from the campus network.
Alternative Processing Procedure:
If you no longer wish to enter credit card donations directly, please submit them to the Gift Processing Office in Alumni Hall, along with a Credit Card Gift Submittal Form, available on the Gift Processing web site.
In addition, you must comply with the security procedures listed above relating to the handling of cardholder data. Credit card donation information cannot be sent through campus mail and must be hand delivered.