Compliance Policy for Payment Card Industry Data Security Standards
Purpose
Departments and business units throughout the William Davidson Institute (WDI) have entered into merchant contracts in order to accept payment cards as part of their business transaction services. Because of rapidly evolving financial crime and cyber-security challenges, the payment card industry, through the PCI Security Standards Council founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, has published the "PCI Data Security Standard" (PCI DSS) in an effort to secure payment account data in a globally consistent manner. All merchant contract holders (MCHs) are required to adopt and implement the tools, practices, and policies needed to comply with this standard. Failure to comply may result in financial penalties and increases the likelihood of a compromise of cardholder data.
This policy helps ensure that PCI compliance requirements are met throughout all WDI business units and departments. It also sets out WDI procedures for the use of contracted payment card services, their reporting requirements, and the process for obtaining and maintaining merchant contracts.
Policy Definitions
Merchant: Any office, unit, department, or organization at the William Davidson Institute (WDI) that accepts payment cards as a form of payment for goods and/or services.
Merchant Level: The card brands define four merchant levels (1–4), each with its own set of compliance validation activities that must be completed annually. The levels are based on a merchant's annual transaction volume; in short, merchants with the most transactions have the most validation work to perform. The specific validation requirements for each merchant level are listed below.
Merchant Levels and Compliance Validation Requirements Defined
All merchants fall into one of the four merchant levels based on transaction volume over a 12-month period. Transaction volume is based on the aggregate number of transactions. Where a merchant has more than one Merchant ID, the aggregate volume of all transactions stored, processed, or transmitted by the merchant is used to determine the validation level.
In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants. The PCI DSS requires that all merchants with externally-facing IP addresses perform quarterly external vulnerability scans to achieve compliance. Acquirers may require Level 4 merchants to submit the quarterly scan reports and/or questionnaires. Any merchant that has suffered a breach resulting in an account data compromise may be escalated to a higher validation level.
| Level / Tier | Criteria | Validation Requirements |
| --- | --- | --- |
| 1 | More than 6 million annual transactions (any channel) | Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance (AOC) form |
| 2 | 1 million to 6 million annual transactions (any channel) | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an ASV; Attestation of Compliance (AOC) form |
| 3 | 20,000 to 1 million annual e-commerce transactions | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an ASV; Attestation of Compliance (AOC) form |
| 4 | Fewer than 20,000 annual e-commerce transactions, or up to 1 million annual transactions through other channels | Annual Self-Assessment Questionnaire (SAQ); Attestation of Compliance (AOC) form; quarterly ASV scan if required by the acquirer |

Information provided by Visa (http://usa.visa.com/merchants/risk_management/cisp_merchants.html).
Online Privacy Policy: All Web sites that host payment transaction applications must have an online privacy policy that is easy for a visiting customer to locate. This privacy policy must clearly state the limitations on use, the retention period, and the protection measures applied to data that customers submit. It must also state what, if any, electronic monitoring and HTTP cookie use WDI performs on a visitor's connection. The site must also provide contact information through which customers can ask questions about the privacy policy.
OWASP Standards: The secure coding guidance of the Open Web Application Security Project (OWASP) is referenced by the PCI DSS (secure development requirements) as a resource Web application developers must use to avoid common coding vulnerabilities, such as injection and cross-site scripting, during the software development process.
PCI Security Standards: The information security standards published by the PCI Security Standards Council that all MCHs are required to adopt and implement. Failure to comply may result in serious fines, penalties, and/or restrictions on merchant account activity.
Transaction Service Provider: The third party that provides a secured processing connection between the MCH and its transaction processing (acquiring) bank.
Policy
All WDI MCHs, whether terminal-based or Web application-based, are required to comply with and support the PCI security standards. Once a year, all WDI MCHs are required to complete and return to WDI Fiscal Services the PCI compliance surveys that WDI Fiscal Services sends to them.
All WDI merchant contractual agreements must be obtained through WDI Fiscal Services.
All MCHs are required to use a WDI-preferred transaction service provider.
All MCHs that offer Internet-facing payment services must certify, through secure code review and/or penetration testing, that their Web forms or applications meet OWASP secure coding standards.
WDI internally hosted transaction service technology deployments must comply with all relevant WDI security policies and standards in addition to PCI security standards.
An online privacy policy statement is required for Web sites that host PCI-related transactions and must include WDI's uniform content language, which is provided by WDI Fiscal Services.
If any existing or future WDI MCH has specific needs or operational requirements that conflict with this policy, it must request a formal exception from WDI Fiscal Services in writing. WDI Fiscal Services will review the request and notify the requesting party whether the exception is allowed and whether any specific conditions must be honored as part of the exception.
Applicability
All current and future WDI MCHs, including temporary transaction service setups created to accept payment card transactions for a specific activity or event, are required to comply with this policy.
Enforcement
Failure to comply with this policy may result in restrictions on the use of, or closure of, merchant account-related services, and in disciplinary action.
Additional Information
For additional information, contact info@globalens.com