Skip redundant pieces
KUMC Policies, Procedures and Operational Protocols  :  Information Resources Policies and Operational Protocols

University of Kansas Medical Center Operational Protocol:
Payment Card Acceptance

 

Principle

The University of Kansas Medical Center (KUMC) is committed to maintaining the security of customer information, including credit or debit card information that is provided to the University during the course of business. Security breaches can result in serious consequences for the University resulting from the release of confidential information, including, but not limited to: damage to reputation, added compliance costs, the assessment of substantial fines, possible legal liability and the potential loss of the ability to accept credit or debit card payments.

Purpose

The purpose of this policy is to apply best security practices to protect against the exposure and possible theft of account and personal cardholder information by complying with credit card company requirements for storing, processing, and transferring payment card information (PCI Data Security Standards) as well as security “best practices”..

Resources covered

All computers and electronic devices at KUMC used in the processing of cardholder information for KUMC are governed by this policy and must adhere to PCI Data Security Standard requirements. This includes servers which store payment card information and workstations which are used to enter payment card information into a central system. It applies to cash registers, point-of-sale terminals connected to a phone line or the KUMC network, and any other devices through which the payment card information is transmitted. Internet transactions involving payment card information, including those that redirect customers to another website to enter payment information, are also covered. In addition, all paper forms or receipts containing cardholder data are also covered under this policy (e.g., registration forms, register receipts).

Groups covered

This policy applies to all KUMC departments, faculty, staff, students, temporaries, vendors, and associated entities or any others who process, transmit, or handle cardholder information in physical or electronic format on behalf of the University. This policy also applies to any affiliated organizations with cardholder information that is either stored on systems connected to the KUMC network or transmitted over the KUMC network.

Exemptions

This policy applies to everyone at all campuses and sites of the University of Kansas Medical Center. There are no exemptions.

Definitions

Cardholder: The customer to whom a credit card or debit card has been issued or the individual authorized to use the card.

Cardholder data\information: Any personally identifiable information (PII) associated with a cardholder (e.g., account number, expiration date, name, address, social security number, and card validation code.) Also referred to as payment card information.

Payment card: General term which includes both debit cards and credit cards.

Payment Custodian: The individual designated as the person who is responsible for the Payment Processor’s compliance with PCI requirements. Each Payment Processor must designate a Payment Custodian.

Payment Processor: Any individual, department, school, or other functional area accepting payment cards in exchange for goods or services on behalf of KU Medical Center, Kansas University Physicians Inc., or their affiliated organizations.

PCI: Abbreviation for “Payment Card Industry”. The PCI Data Security Standards are the result of collaboration between the four major credit card brands to develop a single approach to safeguarding cardholder data. The PCI standard defines a series of best practices for handling, transmitting and storing cardholder data.

Responsibilities

  1. KUMC will establish a Payment Card Committee with oversight of all payment card programs on KUMC campuses.  This Committee will review and approve all requests to accept payment cards, and perform all necessary actions to ensure KUMC’s PCI compliance. The committee will include, but is not limited to, representatives from the Controller’s Office, Compliance, Internal Audit, Internet Development and Information Security.

  2. The Director of Information Security will act as PCI Compliance Officer, with responsibility for KUMC’s overall compliance program.

  3. Each Payment Processor must designate an individual (“Payment Custodian”) who will have primary authority and responsibility for their payment card program.

  4. All personnel with access to cardholder data must:

  • be subject to a criminal and financial background check prior to employment

  • agree (in writing) to adhere to all KUMC PCI security requirements

  • attend annual training on payment card security.

I.  General Requirements for the Acceptance of Payment Cards

  1. Cardholder data is defined as “sensitive information”.  As a result, it must be protected as outlined in KUMC’s Sensitive Information in Electronic and Paper-Based Format policy and the PCI Data Security Standards.

  2. The use of cardholder data for any purpose other than conducting University business is expressly prohibited.  No employee, contractor or agent who obtains access to cardholder data may sell, purchase, provide, or exchange the information in any form to any third party other than to an approved acquiring bank, depository bank, Visa, MasterCard or other credit card company, or pursuant to a formal government request. All requests to provide information to any party outside of your department must be coordinated with the Controller’s Office.
  3. Access to cardholder data must be restricted only to those employees who need it to fulfill their job responsibilities.
  4. Payment Processors must obtain advance written approval from the Payment Card Committee before accepting credit and debit cards as a form of payment for goods or services, or before entering into any contracts or purchases of software and/or equipment related to payment card processing.
  5. Payment cards cannot be processed, stored or transmitted using the University’s network unless the following two requirements have been met:  (1) the Payment Card Committee and has reviewed and approved the request to accept payment cards, and (2) the PCI Compliance Officer has verified the existence of all technical controls required in the PCI Data Security Standards and other applicable KUMC policies.
  6. Payment Processors must use KUMC’s preferred electronic payment service (currently Paymentech) unless the Payment Card Committee has approved an exception.
  7. Each Payment Custodian must submit a completed PCI Self-Assessment Questionnaire to the PCI Compliance Officer on an annual basis as an attestation of the Payment Processor’s compliance with PCI requirements.
  8. Contracts with third parties with access to cardholder data must include standard language that requires their adherence to the PCI Security Standards.  A signed statement attesting to the third party’s PCI compliance must be submitted with the Payment Processor’s PCI Self-Assessment Questionnaire.
  9. All systems used to process, store or transmit cardholder data must be registered with Information Security and undergo quarterly vulnerability scans.  Payment Custodians are expected to work with Information Security personnel to review the vulnerability scan results and immediately take steps to comply with PCI Security Standards and to mitigate any other risks that are identified.

II.  Additional Requirements for the Storage, Transmission and Disposal of Cardholder Data

  1. Sensitive cardholder data [i.e., full account number, card type, expiration, PIN, and the card validation code (three-digit or four-digit value printed on the front or back of the card) must not be stored in electronic or paper form subsequent to transaction processing.
  2. Printed receipts or other physical materials containing cardholder information must be stored in a secure environment until they are processed. Secure environments include locked drawers and safes, with limited access by authorized individuals only.
  3. Should it be necessary to print or display payment card information, all but the last four digits of the primary account number should be masked (not printed\displayed).  The full primary account number and expiration date should never be printed or displayed.
  4. The use of mobile devices to store cardholder data is prohibited in accordance with KUMC’s Mobile Device Security policy. These devices include, but are not limited to: laptops, PDAs, smartphones, USB flash drives, DVDs, compact discs, and portable external hard drives.
  5. Cardholder data must not be transmitted in an insecure manner, such as wireless, email, fax, or campus mail.
  6. Payment card information must be disposed of in a secure manner.  Printed receipts or other physical materials containing cardholder data must be shredded subsequent to transaction processing. Computers and other electronic equipment that contain cardholder data must be disposed of as outlined in KUMC’s Computer Equipment Disposal Policy

Enforcement

Suspected or known violations of this policy will be reported to the appropriate University officials, and may result in:

  • Loss of the department or business unit's ability to accept credit cards as a form of payment.
  • Fines of up to $500,000 per incident (as imposed by the PCI Council).
  • Accountability for conduct under any applicable University or campus policies, procedures, or collective bargaining agreements, including disciplinary action.
  • Prosecution under applicable statues.

Suspected or known violations of University regulations and/or State and Federal law will be processed by the appropriate University authorities and/or law enforcement agencies.

Additional Resources

 

KUMC PCI Compliance Website:  http://www2.kumc.edu/security/pci

 

PCI Security Standards Council:  https://www.pcisecuritystandards.org

 

University of Kansas Medical Center Operational Protocol on “Sensitive Information in Electronic and Paper-Based Format”:  http://www2.kumc.edu/ir/operationalprotocols/sensitiveinformation.asp

 

University of Kansas Medical Center Guidelines on “What is Sensitive Information?”:  http://www2.kumc.edu/ir/operationalprotocols/sensitiveexample.asp

 

University of Kansas Medical Center Operational Protocol on “Mobile Device Security”: 

http://www2.kumc.edu/ir/operationalprotocols/mobilesecurity.asp

 

University of Kansas Medical Center Operational Protocol on “Computer Equipment Disposal”

http://www2.kumc.edu/ir/operationalprotocols/equipdisposal.asp

 

Contact information

For information on this policy, please contact:


Sherry Callahan
Director of Information Security
Department of Information Resources
University of Kansas Medical Center
1020 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-0966

Jim Bingham
Associate Vice Chancellor for Information Resources
Chief Information Officer
University of Kansas Medical Center
1018 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-7300

Jerry Glenn
Associate Controller
University of Kansas Medical Center
120 Support Services Facility, 2100 West 36th Avenue
Kansas City, Kansas 66160
(913) 588-5365

top of page