May 15, 2015
Payment Card Industry Data Security Standards
The university is committed to compliance with the Payment Card Industry (PCI) Data Security Standard, a standard adopted internationally by the major credit card brands (e.g., Visa, MasterCard, Discover, and American Express) to protect credit card data, regardless of where that data is processed or stored (“PCI Standard”).
Roles and Responsibilities
Office of Treasury Services – is responsible for implementation and oversight of this policy and for general compliance with the PCI Standard, including:
- Establishing and closing merchant accounts. A merchant account is a type of bank account that allows businesses to accept payments by debit or credit cards;
- Establishing and maintaining relationships with the credit card payment processing providers and issuing banks;
- Approving any Point of Sale (POS) device or system to be used within the university;
- Defining the methods of transacting online payments on behalf of the university;
- Engaging a PCI Qualified Security Assessor, in consultation with Audit Services, Compliance and Office of the General Counsel;
- Maintaining an inventory of all USC schools and departments that process credit card transactions using a USC approved merchant account;
- Coordinating with ITS Systems Security, as necessary, to review network segmentation configurations and other technical safeguards;
- Coordinating with the Office of Compliance and/or Audit Services to monitor and audit compliance with this policy;
- Providing PCI training and education;
- Enforcing this policy and the PCI Standard, including immediate suspension or termination of the ability to process or store credit cards if a school or department fails to comply with this policy or the PCI Standard; and
- Other duties related to PCI Compliance as determined by the university.
Treasury Services, at its discretion, may revoke a merchant account immediately for failure to comply with this policy or the PCI Standard. Revocation of a merchant account will preclude the school or department from being able to process credit or debit cards.
Schools/departments processing credit cards – all schools and departments that accept credit or debit cards (not including the USCard) must protect credit card data in compliance with this policy and the PCI Standard. All schools and departments that process credit card data will implement the business standards described in Appendix D.
Schools and departments that processed credit cards prior to the effective date of this policy must be in full compliance with the policy and the PCI Standard within 60 days of policy issue date in order to continue to process credit cards.
Council on Technology Strategy and Security (CTSS) – CTSS members are designated by deans or vice presidents to serve as the liaison between that respective school or department and ITS and the Information Security Office (ISO) on matters related to technology strategy and security. This individual or his/her authorized designee is responsible for reviewing and approving the PCI Security Safeguards (Appendix A).
ITS Information Security Office – is responsible for:
- approving, in conjunction with Treasury Services, network segmentation configurations implemented in compliance with this policy and the PCI Standard;
- assisting schools and departments with network segmentation configuration;
- providing certain security information and event management functions;
- conducting appropriate vulnerability scanning of USC systems that transmit, generate or otherwise access credit card information;
- initiating investigations relating to security incidents; and
- performing other monitoring and reviews of computer and/or computer networks to ensure that security features are in place and are adequate to protect credit card data.
Purchasing Services – is responsible for negotiating and executing the Security Addendum with third party vendors that will have access to or otherwise generate, store and/or transmit credit card data in connection with services provided to the university.
Office of Compliance – provides support to Treasury Services in the development and implementation of policies and guidance related to the PCI Standard compliance. The Office of Compliance is authorized to monitor and audit compliance with this policy and to enforce its provisions, including immediate suspension or termination of the ability to process or store credit cards if a school or department fails to comply with this policy or the PCI Standard. The Office of Compliance handles any notifications or disclosures required under law or regulation as a result of a security incident.
Audit Services – is responsible for conducting audits of internal controls to confirm compliance with this policy and the PCI Standard. Audit Services is authorized to enforce its provisions, including immediate suspension or termination of the ability to process or store credit cards if a school or department fails to comply with this policy or the PCI Standard.
For comprehensive procedures involving establishing merchant accounts, the PCI Pre-Qualification form, school/department changes to how credit cards are processed, PCI training, use of authorized POS systems, use of third party websites, and closing merchant accounts, see Appendix B.
Third Party Vendor Risk Management
Any third party vendor that processes, transmits, generates, stores or otherwise accesses credit card data on USC’s behalf must sign USC’s Security Addendum. Schools and departments should work with Purchasing Services to initiate this process.
Before Purchasing executes an agreement with a vendor, the school or department should request a copy of the vendor’s most current report on compliance (“ROC”) or attestation of compliance (“AOC”) for the specific services being provided to the university. In addition, the school or department is required to monitor the vendor’s PCI Standard compliance status at least annually.
Incident Response Plan
A “security breach” is an unauthorized acquisition of data that compromises the security, confidentiality or integrity of information maintained by USC and covered under this policy. This includes breaches that involve physical security as well as computer or information systems security and also could include unauthorized access to USC wireless services. Any university employee aware of an actual or suspected information security breach must report it immediately to his/her respective manager and the USC ISO.
The ISO and the Office of Compliance lead the incident response team for security breaches involving data covered by the PCI Standard. The team also includes representatives from:
- Treasury Services
- Audit Services
- Office of General Counsel
- USC Media Relations, as applicable
- CTSS member(s) from the impacted school(s) and/or unit(s)
Depending on the incident, USC may have an obligation under state and/or federal law to notify the individuals whose information was breached as well as the applicable state or federal oversight agencies. The Office of Compliance will manage the university’s response and prepare and submit any notifications as required or appropriate, in coordination with the ISO and the incident response team.
It also may be necessary to report such a breach to other USC departments, including but not limited to the Department of Public Safety or Human Resources Administration, depending upon the nature of the actual or suspected breach.
Departments may not conduct their own investigation without first consulting and coordinating with the ISO. Further details about the incident response process are included in Appendix C.
This policy will be reviewed on an annual basis in accordance with the PCI Standard. In addition, schools and departments that process credit card data will submit a Self-Assessment Questionnaire (SAQ), network diagram, card flow diagram, and signed PCI Security Safeguards (Appendix A) annually. Individuals who handle credit card data must complete education specific to the PCI Standard annually. In addition, the university will conduct a risk assessment in connection with PCI compliance that identifies threats and vulnerabilities.
All university faculty, staff, student workers and other employees must comply with this policy and the PCI Standard or be subject to disciplinary action in accordance with the Faculty Handbook, staff employment policies and SCampus, as appropriate.
Office of Compliance
Robert Abeles, Senior Vice President, Finance, and Chief Financial Officer
University of Southern California