- About OUS
- OUS Vision and Goals
- Chancellor's Office
- Campuses & Centers
- Governance and Reform
- Diversity & Community Engagement
- Doing Business with OUS
- Employment Opportunities
- Policies & Procedures
- University Presidents
- Provosts' Council
- Research & Innovation
- Records Management
- Senate Bill 242
- American Recovery & Reinvestment Act
- OUS/SEIU Classified Staff Negotiations
- Academic Strategies
- Board's Office
- Budget Operations
- Capital and Facilities Planning
- College Access Programs
- Contracts and Purchasing
- Controller's Division
- Accounting & Reporting
- Banner Standards Management
- Business Services
- Payroll Operations
- Treasury Operations
- Policies & Procedures
- Other Resources
- Controller's Site Map
- Finance & Administration
- Government Relations
- Human Resources
- Industry Partnerships
- Institutional Research
- Internal Audit
- Legal Counsel
- Student Success Initiatives
- Risk Management
- State Board of Higher Education
- Board Meetings
- Board Committees
- Board Members
- Board Strategic Plan
- Joint Boards
- Board Minutes and Records
- Policies & Procedures
- Students and Counselors
- Campuses & Centers
- Counselor Resources
- Prospective Students
- Transfer Students
- Transfer Admission
- OUS Campus Transfer Links
- Planning to Transfer in Oregon
- College Costs
- Financial Aid
- Degree Partnership Program
- Pre-College Programs
- Undergraduate Programs
- Graduate Programs
- Teacher Education
- Veterans Benefits
- Reverse Transfer
- Facts and Reports
- Entering Freshman Profile
- Enrollment Watch
- Fact Book
- System & Student Reports
- Tuition & Fees
- University Profiles
- Performance Measurement
- Operating Reports
- Initiative Reports
- Other Databases & Resources
- Alignment and Partnerships
- Contact Us
10.20 PCI & ACH Compliance with Incident Response for Electronic Commerce
10.20 PCI & ACH Compliance with
Incident Response for Electronic Commerce, Chancellor's Office Business Practices & Procedures
The Chancellor’s Office views electronic commerce (eCommerce) as a natural extension of the business processes already conducted. We encourage departments to utilize eCommerce to improve service to students, faculty, staff, and the public, and to reduce the cost of providing these services. For purposes of this policy, eCommerce includes all business transactions accomplished using an electronic medium.
It is important that Chancellor’s Office entities processing credit card, ACH transactions, or electronic check payments take measures to safeguard sensitive customer information including credit card and bank account numbers. Failure to comply with Payment Card Industry (PCI) and National Automated Clearing House Association (NACHA) rules may result in financial loss, fines, suspension of credit card processing privileges, and/or damage to the reputation of the Oregon University System.
This policy provides guidelines for all credit card, ACH, and eCommerce payment processing activities in the Chancellor’s Office.
The Associate Vice Chancellor for Finance and Administration and Controller has authority for administering this policy and has delegated its implementation to the Director of Treasury Operations.
The Associate Vice Chancellor for Finance and Administration and Controller is responsible for Chancellor’s Office debit/credit card and ACH security, the distribution of security policies and procedures, monitoring of system access and alerts, and incident response.
The Associate Vice Chancellor for Finance and Administration and Controller shall approve all eCommerce activities in the Chancellor’s Office, including card present or point of sale transactions, ACH transactions, transactions conducted over the phone, by fax, and/or on the internet.
Chancellor’s Office departments with approved credit card and ACH processing activities must maintain the following standards:
- Protect Customer Information
- Do not store, process, or transmit credit card data on the university network. Instead, use Office of the State Treasurer (OST) approved, secure, and fully hosted third party payment processing services.
- Do not create an electronic file containing full credit card or bank account numbers (database, spreadsheet, word processor, image, etc.)
- Avoid the retention of paper records containing complete credit card or bank account numbers. If, for business reasons, you must store full card or ACH numbers, then do so for no longer than 36 months before securely disposing of them (confidential recycle, cross-cut shred, pulp, or incinerate). Mark these records as ‘Confidential’.
- Records containing partial card or ACH numbers should be retained for no longer than seven years.
- Strictly limit access to paper records containing credit card and bank account numbers based on job function. Where practical, limit access to full time professional staff.
- Access to electronic records must be authorized in writing by the employee’s manager.
- Hypercom terminals must be programmed to mask card numbers on both merchant and customer copies of receipts.
- Physically secure paper records containing full credit card or bank account numbers in locked cabinets or offices with adequate key control.
- Inventory paper records containing full or partial credit card or bank account numbers every six months to identify loss or theft of items.
- Do not send or receive complete credit card or bank account numbers using email or campus mail.
- Properly Account
- Adhere to appropriate accounting standards as established by the Associate Vice Chancellor for Finance and Administration and Controller.
- Uniquely serialize and fully journalize all transactions to provide a conclusive audit trail.
- Routinely reconcile all goods and services provided and received with the accounting records.
- Provide Employee Training
- Designate a unit information security officer or single point of contact.
- Train all employees involved in processing card and ACH transactions to protect card and ACH data, and ask them to review this policy annually and when business processes change.
- Perform an Annual Risk Assessment
- All offices processing credit cards or ACH transactions will participate in an annual PCI and ACH risk assessment.
Third Party Vendors
In accordance with Oregon State Treasury (OST) Cash Management Policy 02 18 14.PO, all third party vendors must be approved in advance by OST. To obtain approval vendors must complete the OST 3rd Party Vendor Prequalification Form (see Forms, below).
Oregon law requires that state funds be deposited directly into a recognized Oregon depository within 24 hours. For this reason the use of PayPal or similar services that do not deposit proceeds directly into an OST merchant account are prohibited.
Breach of Security Actions
In the event of a breach in card or bank account data security, it is imperative that the unit act to immediately contain and limit the exposure of cardholder and bank data by performing the following steps:
- Alert the Director of Treasury Operation, Controller’s Division (see Contact Information, below).
- Conduct a thorough investigation of the suspected loss or theft of account information.
- Do not access or alter compromised systems (e.g., do not log on or change passwords; do not log in as ROOT).
- Do not turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the cable).
- Preserve logs and electronic evidence.
- Log all actions taken.
- If using a wireless network, change the Service Set Identifier (SSID) on the Access Points (AP) and other machines that may be using this connection (with the exception of any systems believed to be compromised).
- Be on high alert and monitor all systems with cardholder and ACH data.
- Provide the Controller’s Division with a report containing account information at risk and the source and timeframe of the compromise. The Controller’s Division will alert all necessary parties immediately.
- Complete an Incident Report as soon as possible but within three business days. (See Contact Information and Forms, below.)
In the event of a breach of security, contact the following:
|Incident occurs during normal business hours, between the hours of 8 AM and 5 PM||Internal Information Security group and Incident Response Team, OUS Controller’s Division: Assoc. VC Finance and Administration and Controller, and Director Treasury Operations, 541-737-3636.||Provide all details verbally in addition to preparing a written report for submission.|
|Incident occurs during normal business hours, between the hours of 8 AM and 5 PM||Office of the State Treasurer (OST), 503-378-4000.||Notify the receptionist that you have experienced a merchant card or ACH breach, and ask to speak with the Merchant Bank Liaison on the Banking Team or a member of the Relationship Management Services team will then notify U.S. Bank, and coordinate all communication.|
|Incident occurs outside of normal business hours||U.S. Bank, 1-800-725-1243||
Identify that you are a “National Account” with the State of Oregon, and provide them with your Merchant ID (MID) #. Notify the U.S. Bank customer service representative that you have experienced a merchant card or ACH breach, and ask that the incident be reported to the Risk Department.
|Within three business days||
Office of the State Treasurer
|Complete an Incident Report and submit to the Office of the State Treasurer (see section .700, FORMS). OST will forward it to U.S. Bank/NOVA. Visa and U.S. Bank/NOVA will determine and notify the agency and OST if an independent forensic investigation, compliance questionnaire, and vulnerability scan are required.|
- OST 3rd Party Vendor Prequalification Form: http://www.ost.state.or.us/Services/CashMgmt/policy/02.18.14.Application.pdf
- Incident Report
This must be completed within three business days, and provided to the Office of the State Treasurer. OST will forward it to U.S. Bank/NOVA. Visa and U.S. Bank/NOVA will determine and notify the agency and OST if an independent forensic investigation, compliance questionnaire, and vulnerability scan are required.
- Payment Card Industry Data Security Standards (PCI DSS): https://www.pcisecuritystandards.org
- Oregon State Treasury Cash Management Policy: http://www.ost.state.or.us/services/cashmgmt/Policy/2-18-14.3rd.party.vendor.pdf
- OUS Fiscal Policy Manual Electronic Commerce Policy: http://www.ous.edu/dept/cont-div/fpm/elec-40-005