Information Security

Overview
This policy/procedure focuses primarily on the protection of cardholder data.

Operating Principle
This policy/procedure addresses requirements as outlined in the PCI DSS Global Security Standard pertaining to Information Security in the Business Services department.  This document refers to overlapping policy and procedure provided by the Information Technology department on campus.

Usage policies for devices other than credit card processing machines are located on the UMT Policies website.

Procedure

Building and Maintaining a Secure Network

The Information Technology department on campus is responsible for maintenance of the central firewall configuration to protect cardholder data.  Secure methods must be used for system passwords and all other security parameters that are the responsibility of individual departments, such as keeping anti-virus protection up to date and developing and maintaining secure systems and applications.  For more information on policy and procedure regarding building and maintaining a secure network, the use of anti-virus software, and development and maintenance of secure systems and applications, go to the IT Security Office.


Protecting Cardholder Data

Only trained, authorized personnel are allowed to transact credit card sales and payments. 

It is policy that credit card data may only be retained by the departments of The University of Montana when approved business purposes are met.  If confidential credit card data is retained, notify Business Services in writing stating:

  1. Business Purpose
  2. Contact information for person in charge of the data
  3. Secure location of data storage
  4. Data Retention and Disposal Policy

Otherwise, cardholder information must be destroyed after completion of a transaction.  Access to credit card data provided by the payment processing vendor is available only to key personnel within Business Services on a business need-to-know basis.

To apply for a Merchant Account and obtain a credit card machine, log in with your NET ID at the Credit Card Processing web page.

Credit card machines must be purchased through TransFirst Health and Government Services to ensure proper data encryption. The Credit Card Processing Request form addresses department contact information, the credit cards to be accepted, the type of processing, the platform to be used, the purpose, estimated average transaction amount and estimated yearly volume, dates of usage, and the Account Index where the processing fees will be applied.  The credit card clearing revenue account code is 50287.  The request form is submitted to Business Services Treasury Services. The same form may be used to request a loaner machine on hand at Business Services Treasury for intermittent use by departments.  Credit card processing machines are labeled when purchased indicating Merchant Identification number (MID) and Terminal Number for PCI compliance.  Should information previously provided including the main contact for the machine(s) or point of sale device(s) change, notify Business Services by providing a new or updated Merchant Account/Credit Card Machine Request Form.

A listing of credit card processing machines is maintained by Business Services indicating the Merchant ID, main department contact, primary, secondary, web, or third party processors and their PCI DSS compliance status.  All vendors and their related software/hardware for credit card machines must be PCI DSS compliant.

It is the responsibility of the designated main department contact noted on the Merchant Account/Credit Card Machine Request Form and the Business Services inventory listing to ensure that all persons who operate credit card machines, including point of sale (POS) devices, are authorized and trained.  The main contact will also keep a current listing on file in the department of authorized and trained personnel.  Training on the operation and use of the machine can be obtained by contacting the TransFirst Help Desk at 800-654-9256.


Section 3 of the Department Cashiering Procedures explains the daily batch out process and deposit information.  Credit card chargebacks and reversals are also discussed.

Incidents
Business Services must be notified of any incident involving the security of a cardholder’s credit card information.  Incidents may include fraudulent activity, theft of information or any other event that violates laws, regulations, or security policies.

Treasury Services personnel document all incidents in an incident log.  The log is located and maintained in Treasury within Business Services.

Incident Contacts:

Contact            Number
Treasury           243-4646
Student Accounts   243-2223
Public Safety      243-6131

Incident Response Flowchart

Credit Card Processing Request Form: To apply for a Merchant Account and obtain a credit card machine, the department representative fills out the Credit Card Processing Request Form.  The form is accessible to campus users with a NetID.
