Payment Card Industry (PCI) Compliance Policy

Purpose

Franklin & Marshall College is committed to maintaining the security of customer information, including payment cardholder information such as the payment card account number, cardholder name, expiration date, and cardholder verification number. To uphold this commitment, the College follows the best practices for protecting payment card information defined by the Payment Card Industry Security Standards Council, including those for computer systems that process, store, or transmit payment card information. The College must adhere to these standards to limit its liability and to continue to process payments using payment cards.

Scope

Applies to Individuals, Departments, and Organizations wishing to engage in accepting card or payment accounts for financial transactions.

Audience

This policy applies to all faculty, staff and students of F&M.

Policy Maintenance

The College Information Technology Committee periodically reviews and revises this policy based upon emerging best practices.

Policy Statement

Authorized Vendors and Service Providers
Individuals, Departments, or Organizations must use a College authorized payment application, mechanism and point of sale terminal hardware vendor. This list is available from the College’s Controller in the Finance & Administration division.

A service provider that stores, processes, or transmits cardholder data on behalf of the College must be validated as a Level 1 service provider by a Qualified Security Assessor (QSA) and listed on Visa’s Global Registry of Service Providers. The company listing must be current, and the service being provided to the College must match the service listed on Visa’s website.

A company providing a service that can affect the security of an eCommerce transaction (eTransaction) must be validated by a QSA as a service provider and the service being provided to the College must match the services validated as compliant during the QSA assessment.

University Card and Payment Account User Agreement
Individuals, Departments, or Organizations wishing to engage in accepting card or payment accounts for the sale of goods or services must obtain approval from the Finance Office and comply with all terms of the College’s Card and Payment Account User Agreement.

Information Security
Card and payment account numbers are classified as confidential data in the College Data Classification Policy. Individuals, Departments, or Organizations must comply with the requirements for handling confidential data listed in the College Data Classification Policy and College Data Protection Plan to safeguard the confidentiality of information related to payment card transactions. Only equipment authorized by the College may be used to process payment information, and that equipment must transmit payment information over secure, approved (or PCI DSS certified) encrypted connections.

--------

Policy Maintained by: Information Technology Services, Vice President and Chief Information Officer

Last Reviewed: 21 December 2018