3.11 Credit Card Processing & PCI Compliance

Policy Statement
The University of Georgia Foundation is committed to safeguarding personal and account information conveyed in processing credit card payments. Credit card payments are processed in compliance with Payment Card Industry – Data Security Standards (PCI-DSS) as well as University of Georgia policy, both of which are intended to limit exposure and/or theft of personal cardholder information. To comply with these standards, it is the policy of the Foundation that procedures relating to payment card transactions be specified and applied. The Foundation will maintain an inventory of approved technologies with which to collect and transmit credit card information. Self-Assessment Questionnaires (SAQ) will be completed as scheduled, and technologies will be routinely monitored to ensure the organization maintains compliance while relying on modern and safe channels for collecting and processing data.

Purpose
The purpose of this policy is to establish a safe and compliant environment for processing credit cards by providing procedures useful to internal and external audiences involved in credit card processing, delegating responsibilities for routine compliance-related activities, including completion of SAQs, inspection of technologies, and providing necessary educational opportunities to applicable staff. Failure to protect donor information may result in financial loss for donors, suspension of credit card processing privileges, fines imposed, and damage to the reputation of the department and University as a whole.

Scope
This policy applies to employees, departments, units, and technologies transmitting credit card transactions on behalf of the University of Georgia Foundation. This policy is designed to work in tandem with the University of Georgia’s policy owned by the Bursar and Treasury Services under the Vice President for Finance & Administration.

Entities Affected
All University departments whose personnel collect, transmit, or process cardholder information on behalf of the Foundation. The policy also applies to departments that outsource the credit card payment processing to third party vendors.

Stakeholders influential in properly executing this policy:
• Division of Development and Alumni Relations (DAR)
• UGA Foundation
• Advancement Information Technology

PCI Committee
A committee representing key areas involved in credit card activities will meet at least quarterly in consultation with the Foundation’s cybersecurity and compliance advisors to discuss any topics related to the processing of cardholder data. Topics may include current status of the Foundation credit card environment, recent requests for expanding credit card services, and trends in new technologies.

The committee will be formed with the following members:
• UGAF’s Chief Financial Officer
• Director of Data Analytics & Internal Control
• Senior Director of Revenue Operations & Compliance
• Executive Director of Advancement Information Technology
• Senior Director of Advancement Services
• Executive Director of Annual Giving
• Associate Director of Infrastructure and Security

The committee must be composed of the individuals listed above. Other colleagues may attend as designated by the members listed above.

This committee will partner with the Foundation’s cybersecurity advisors to determine the most appropriate SAQs to complete annually. SAQs will be delegated to the area most familiar with the respective activity. General responsibilities are as follows:
• Activity related to gift and event registration payments: Senior Director of Revenue Operations & Compliance
• IT infrastructure: Executive Director of Advancement Information Technology

A list of merchants and their related SAQs is supplied in Appendix A of this policy.

Finally, the PCI committee is responsible for reviewing this policy annually to propose any modifications to keep the policy applicable to the quickly evolving industry.

Recurring Requirements
Quarterly Requirements
The PCI Committee reviews changes to any requirements on a quarterly basis. Scans are completed based on requirements of the PCI-DSS and advice from UGAF’s Qualified Security Advisor (QSA).

Annual Requirements
Self-Assessment Questionnaires
UGAF will complete the appropriate PCI Self-Assessment Questionnaires necessary for the current channels collecting credit card information. The questionnaires should be provided to the QSA for review.

Training
All University departments processing credit card transactions on behalf of the Foundation should be familiar with and adhere to PCI-DSS requirements. Individuals collecting, transmitting, or processing cardholder data are required to participate in annual PCI training provided by the UGA Bursar’s Office.

All individuals must act in accordance with the details of this policy as well as related policies of the Bursar’s Office.

Cardholder Data
Access to cardholder data, which consists of the 15- or 16-digit card number, expiration date, and CVV code, must be restricted to only those employees with a need to access it. Under no circumstances should cardholder data be stored or transmitted on an electronic device unless that device is explicitly approved for such use. Once the business need for retaining cardholder data is complete, typically immediately following authorization of a charge, the data must be destroyed using a cross-cut shredder. Note that retaining only the last four digits of a card number and the expiration date does not constitute retaining cardholder data. Under no circumstances should a CVV be retained. In the event cardholder data cannot be used immediately upon receipt, the information must be stored in a secure location until it is used.

Incident Response on Behalf of UGA Foundation
In the event of a breach or suspected breach, including any exposed, stolen, or misused credit card information handled on behalf of the Foundation, the University department that suspects the breach should contact Gift Accounting and DAR IT by emailing askit@uga.edu and calling (706) 542-6677. The department must immediately contain and limit data exposure by following the steps in the data breach procedures below.

Data Breach Procedures
Do not turn off the compromised system or device. Instead, immediately discontinue use of the affected devices to contain and limit data exposure and minimize data loss, and isolate them from the network by unplugging the network cable or disconnecting from wireless. Leaving the devices powered on preserves evidence needed for the investigation.

Incident Response Plan

  1. Limit data exposure and minimize data loss.
  2. Notify necessary parties immediately, including the UGA Bursar’s Office, the UGAF QSA, merchant services providers, payment card brands, and any other entities that may require notification.
  3. DAR IT will initiate an Information Security Incident with UGA’s Office of Information Security per UGA/USG policy: https://eits.uga.edu/access_and_security/infosec/incident/

Related Policies
University of Georgia, Bursar and Treasury Services policy 5.1 Credit/Debit Cards
PCI Security Standards Council

Contacts
Policy Owner(s): UGA Foundation; Gift Accounting, UGA Foundation; Advancement Information Technology, Division of Development and Alumni Relations (DAR)
Policy Contact(s): ugafbusiness@uga.edu; askit@uga.edu; (706) 542-6677

Definitions
PCI: Payment Card Industry
DSS: Data Security Standard
SAQ: Self-Assessment Questionnaire
AOC: Attestation of Compliance
QSA: Qualified Security Advisor