PCI-DSS Information and Procedures

Credit Card PCI General Information and Procedures

Any department processing payment card transactions via a web site or Point of Sale (POS) machine is affected by the Payment Card Industry Data Security Standard (PCI DSS). The Treasurer’s Office is responsible for maintaining compliance with these standards for the College of Charleston.

All College of Charleston approved employee merchants are required to become PCI DSS compliant, as well as adhere to all policies and procedures.

Training and re-certification is required for all approved employee merchants and is offered throughout the year. Please review the Training page for additional information regarding training/certification requirements for departmental users.

Any office engaged in any form of payment card processing (e.g., POS/swipe or e-commerce) must have the approval of the Treasurer’s Office prior to engaging in commerce activity. No College department may enter into any contracts or otherwise arrange for payment transaction processing or obtain any related equipment, software or services without the involvement and approval of the Treasurer’s Office.

All payment activity must be established within the College’s guidelines,with receipts deposited into the appropriate College indices/accounts.

The College of Charleston official online payment system is provided by TouchNet. All departments wishing to accept online payment card transactions must use the TouchNet Marketplace portal unless there is a determination that there is an expected long term in-person need for a point of sale device.

The purpose of this policy is to outline the payment card acceptance methods suitable for College business and the usage restrictions for payment card transactions. The Treasurer’s Office is responsible for campus compliance with payment card processing and security regulations, in cooperation with Information Security, and is granted authority to take appropriate action to ensure conformity with College policies and procedures. Appropriate action up to and including immediate termination of payment card processing activities will be imposed for any College of Charleston department that violates provisions as detailed on the CofC Payment Card Industries website (pci.cofc.edu) related to payment card processing, security and incident reporting.

Definitions

All terms mentioned in this policy are defined in the Credit/Debit Card Policy as post at http://policy.cofc.edu/documents/2.2.3.2.pdf#pdf. All campus users of payment card information and processors of credit/debit card payments are required to know and fully understand all terms associated with these policies and procedures.

Payment Card Usage

The College of Charleston accepts American Express, Discover, MasterCard and Visa payment cards for College business. (Debit card transactions that require a PIN number are acceptable payment options for walk-in payments where available.) The College accepts payment ONLY via walk-in traffic or an online portal approved by The Treasurer’s Office. Acceptance via email, fax, telephone or other end-user messaging technologies is prohibited. Walk-in payments are to be processed on equipment and/or software supplied by the Treasurer’s Office. The use of TouchNet’s Marketplace is for customer-facing e-commerce sites only.

Any department facing a unique set of circumstances that do not conform to the standard business practices of the College should contact the Treasurer prior to contracting with any entity other than the College approved vendors.

Acceptable Technology

The Treasurer’s Office provides most technology and/or devices for credit/debit card payments. Departments are responsible for any merchant fees associated with credit card payments. Payment processing devices must be configured and implemented as instructed by The Treasurer’s Office, including limiting access on the device to only applications needed for payment processing. Payment card processing must be completed only on devices approved or provided by The Treasurer’s Office.

All departments MUST supply The Treasurer’s Office with a device inventory of all equipment to be used in the processing environment prior to authorization and implementation of the system. The inventory shall include: the physical location of the device, a description of the device, the model number, operating system or firmware information, and a DNS/IP address, if applicable. Departments must notify The Treasurer’s Office within seven days of any changes in processing equipment.

Departments are responsible for the physical security of all devices used in payment card processing within the department. Processing devices must be secured from tampering and/or attended at all times. This requirement also includes access to network jacks that are dedicated to any of the secure commerce networks. Departmental users may not plug a non-commerce device into a network jack on the secure commerce networks or in any other way modify those networks without first gaining approval from The Treasurer’s Office and involving the IT department.

The use of wireless technology for payment card processing is prohibited. The Treasurer’s Office can provide analog credit card processing machines as needed. Access to a phone line is required.

User Access to Processing Environments

Departments authorized to accept payment card transactions will have one or more payment card merchant accounts established by the Treasurer’s Office. All payment card transactions for the department will flow through this account. As a condition of merchant account assignment, all requirements detailed in these policies and procedures MUST be met.

Access to the cardholder data environment will be restricted by job duties of each individual. Every user must be assigned a unique user ID and password to access the cardholder data environment, where applicable. Departments are responsible for ensuring staff are validated to handle payment information prior to assignment of job duties involving cardholder data. System IDs and shared IDs are not permitted for staff use. Passwords for users MUST be changed every 90 days. User accounts must also be locked after a maximum of three failed login attempts and remain locked out for either 30 minutes or until an administrator verifies the user’s identity and re-activates the account. Accounts inactive for at least 90 days must be removed or locked. Credentials for automated services and service accounts must have a password change every 90 days. Departments are required to submit an Access Control List (ACL) to The Treasurer’s Office semi-annually on August 15 and February 15. The ACL must include all accounts in the payment processing system, including sponsored/service accounts.

Vendors that require access to the department processing environment must be granted access by The Treasurer’s Office and Information Security before modifying any campus equipment. Depending on the access requested, this may require the vendor to install software to make a secure connection through the commerce firewall environment. Vendor accounts for this type of connection are managed by The Treasurer’s Office and are only enabled for one business day upon request. Departmental staff are responsible for monitoring the activity of the vendor while handling campus equipment.

Refund Handling

All payment card processing departments must display a refund notification for customers. The refund notification must state that all refunds will be processed back to the card used during the sale. Departmental refund notification must be displayed at point-of-sale locations or on the departmental website (for e-commerce applications). The Treasurer’s Office will provide guidance on creating this notification.

All departments engaged in any form of payment card processing must comply with the procedures listed below for the department payment acceptance method. Each department will assign refund approval duties to a responsible party.

Refunds must be processed on the same Merchant ID account as the original sale.
Refunds cannot exceed the original sale amount.
Refunds must be processed back to the same card used in the original sale.
Departments will account for refunds for processing terminals and third-party systems per the Treasurer’s Office departmental deposit requirements.
Refund requests for TouchNet (including MarketPlace) transactions will be submitted the designated refund agent in the processing department or a request for a refund can be sent to the Treasurer’s Office.

Fees

Each department is responsible for the costs incurred by the College to process its transactions, plus setup fees, if applicable, for any new merchant account. Processing fees will be expensed to the appropriate index monthly by the Controller’s Office.

In addition, each department is responsible for any hardware, software, setup and/or maintenance costs to maintain the processing environment.

Audit Procedures

All processing departments undergo a payment card processing security audit annually. The date of the audit is determined by Treasurer’s Office in coordination with department availability. In order to prepare for the audit, department personnel involved in payment card processing need to ensure that:

All approved employee merchant personnel are current with annual training offered by Treasurer’s Office.
Departmental employee merchants must:

Complete a Departmental Self-Assessment Questionnaire
Prepare a Device Inventory
Prepare an Access Control List
Review/Revise Departmental Processing Procedures
Examine the credit card processing units regularly for tampering.

Incident Reporting

All departments engaging in payment card processing are responsible for immediately reporting a suspected incident of any machine or system used in card processing. For additional information, please refer to the Payment Card Incident Policy.

Cease use of any suspect machine. Do not turn off the machine. Immediately report an incident to the Treasurer. The Treasurer’s Office will begin an investigation into the incident. Do not resume processing until approved by the Treasurer’s Office. Purposefully filing a false report will make the employee subject to disciplinary action.

Listserv Information

All College of Charleston employees approved to handle credit card data will be part of the PCI-DSS listserv. The purpose of the listserv is to update employee merchants and other authorized persons on training requirements, policy updates and changes to the PCI-DSS as they occur. Changes to the listserv will occur only as employees are approved to act as a merchant or as employees cease to serve in this role.

PCI DSS Requirements

The Payment Card Industry Data Security Standard (PCI DSS) outlines the requirements for all merchants, banks and payment processors that handle payment card data. The following outlines the basic requirements of PCI DSS. Please note that many of the requirements below are met by the Information Technology Dept. and are NOT the responsibility of individual departments accepting credit card payments.

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

The PCI standard requires all merchants to complete a Self-Assessment Questionnaire (SAQ) every year. All departments accepting payment card information will complete an annual SAQ as part of the audit process. The appropriate SAQ will be assigned to the department on a yearly basis. The departmental SAQ will be online and departments will be notified via email the annual due date of completion.

Processing Best Practices

Never accept payment card transactions through mail, email or by fax. If your department has no other means, immediately contact Treasurer’s Office.
If accepting a payment card transaction over the phone, and you have been approved to accept telephone payments to be processed through a dedicated computer, process directly into the approved system while the customer is on the phone. Never write down cardholder information to process later.
If accepting a payment card transaction over the phone, never repeat back to the customer the payment card number, or other cardholder information.
Never retain paper or electronic data that contains the customer's payment card number. Storage of cardholder data is NOT permitted at the College of Charleston.
All employees processing credit card payments, reconciling department credit card revenue, and those who supervise these operations MUST maintain a copy of all College credit card policies and departmental credit card policies at their workstations. Annual training is required to retain job duties involved with handling credit card payments.
Separation of Duties should be clearly mandated. No single individual should be processing payments, creating refunds, reconciling credit card revenue and/or preparing deposits.
All credit card processing units must encrypt at the poiint of sale/swipe/or any transmission. No credit card information, especially unprotected PANs, should be sent through end-user messaging technology.
Access to any system that processed credit cards is restricted to the lowest level that needs such access according to the employee's role(s). Access should also be restricted to processing areas to personnel and visitors that have no function in these secured areas. Access to these areas can be granted only by the department supervisor, in writing, and in conjuction with the Treasurer if there are any concerns.
If the software and/or department has a hierarchy in role assignment, access should be granted only on the basis of that hierarchy and job description.
No outside personnel should be granted access to processing areas without written consent from the department supervisor, and if necessary, in conjunction with IT and the Treasurer.

Processing Equipment

In addition to accepting online payment via TouchNet, departments may have Point of Sale (POS) systems that utilize vendor equipment for payment card processing. Departments are prohibited from purchasing processing equipment. No processing equipment that could cause risk to the College of Charleston will be approved for use. Departments are required to contact the Treasurer’s Office who will purchase approved equipment.

Departments accepting walk-up (in office) payments or telephone payments MUST use a counter-top swipe terminal device supplied by the Treasurer’s Office. Please contact Treasurer’s Office for additional information.

Kiosks, where the keyboard is used to enter credit card information, are not PCI compliant. Keyboards do not encrypt the data upon being entered. Only certified card processing equipment, attached to the PC, can potentially be viable, provided that the station meets all other PCI-DSS standards.

Any department wanting to offer customers a way to make online credit card payments may contact Treasurer’s Office for additional information regarding a TouchNet eCommerce account.

TouchNet Information

TouchNet is the College of Charleston's official on-line payment application for processing payment card transactions. All departments accepting online payments are required to use TouchNet, unless a waiver is granted by Treasurer’s Office.

The Treasurer, or named delegate(s), must approve all requests to begin accepting credit cards at the College of Charleston. This requirement applies regardless of the transaction method used (e.g. e-commerce, POS device, or e-commerce outsourced to a third party).Departments are charged eCommerce transactions fees imposed by the bank monthly.

To add a user to TouchNet to view reports or view transactions, the TouchNet Security Request form MUST be completed and filed with the Treasurer’s Office. The form MUST also be completed and filed with Treasurer’s Office for any change of TouchNet security or to remove a user's access.

Training Information

Training and re-certification is required for all approved employee merchants handling payment card information on behalf of the College of Charleston and is offered throughout the year. For additional information regarding the Treasurer’s Office training program for departmental users, please contact Treasurer’s Office.

Due to the secure nature of payment card data, training updates and course offerings will be distributed through the PCI-DSS listserv.

Course Offerings:
Data Security Basics-this is the annual course required for all College of Charleston approved employee merchants involved in the handling of payment card data. The course material each year exposes staff to world of payment card security and acceptance. A knowledge assessment exam is required to complete the course each year and is based on the course material for that year. Staff are notified via email when it is their designated time to complete annual training. If an employee required to complete this course fails to do so, penalties can include the loss of access to handle payment card data.

Credit Card Policies Training-This course if mandatory yearly for all employees involved with credit card processing.

PCI-DSS Procedure and Incident Reporting

Below is the full PCI Procedure and Incident Reporting Procedure

PCI-DSS Information
Executive Summary and Purpose
This Credit Card Acceptance and Processing Policy provides requirements and guidance for all credit card activities for the College of Charleston.  Employees approved as merchants and their respective departments are responsible for being aware of and complying with all terms and conditions included in the full policy and not just those outlined in this executive summary.
This policy is in compliance with the credit card industry’s PCI-DSS (Payment Card Industry Data Security Standard) as set by Visa and the other major credit cards (https://www.pcisecuritystandards.org/ )
The Credit/Debit Card Policy supersedes and replaces all other campus policies and procedures for all issues related to the scope of this policy.
1. Scope
The Credit/Debit Card Policy encompasses people, processes, and systems and as such applies to:
- All computing and network resources with regard to credit card processing. 
- Any free-standing credit card processing unit or Point of Sale system.
- All departments, affiliates, and employees of the College of Charleston who accept and process credit card payments in the conduct of College business.
- All approved external organizations contracted by the aforementioned parties to provide outsourced services for credit card processing for College business.
- All approved departments, affiliates and employees of the College of Charleston who provide credit card processing services for third parties.
1. Definitions
- Account Number: The unique number identifying the cardholder’s account which is used in processing financial transactions.
- Breach Notification Laws: Governing laws that require a merchant to notify customers of a data breach that results in loss or theft of that customer’s personally identifiable information (PII). 
- Business Continuity Plan (BCP): A documented plan for maintaining business operations in the event of a disaster or breach. A supplemental document will be provided by the Treasurer’s Office, IT Information Security and IT Network Engineering to detail the required elements of a Business Continuity Plan. 
- Cardholder data: Cardholder data is any personally identifiable data associated with a cardholder. Examples include but are not limited to an account number, expiration date, name, address, social security number, etc.
- Cardholder Data Environment: The location where cardholder data is stored, processed or transmitted.
- Commerce Server Data Environment: The location of a physical or virtual server machine used in the processing, transmitting or storing of cardholder data.
- Data Compromise: The exposure of sensitive or personally identifiable information (PII) resulting from either intentional security breach (an “attack”) or human error.
- Data Security Breach: The act of circumventing security controls on a system, thus allowing unauthorized access to data via an attack on the system. Data may or may not be compromised during a security breach. 
- Disaster Recovery Plan: A documented plan for information technology continuity in light of a disaster, emergency or breach that details incident response testing procedures and data back-up procedures. A supplemental document will be provided by the Treasurer’s Office and Information Technology to detail the required elements of a disaster recovery plan.
- ISO 27002: The International Standards Organization document defining computer security standards.
- Payment Application Data Security Standard (PA DSS): A set of requirements derived from and closely related to the PCI DSS, but intended to illustrate for payment software vendors what is required for their payment software applications to facilitate and not prevent their customers’ PCI DSS compliance.
- Payment Card: Any credit, debit or pre-paid credit/debit card. All payment card activity for College of Charleston is monitored by the Treasurer’s Office.
- Payment Channel: The hardware/software used to conduct a payment transaction.
- Personally Identifiable Information (PII): Information that can be used to uniquely identify, contact or locate an individual, or information that can be used in conjunction with other sources to uniquely identify an individual. In the case of payment card data, PII can be all printed and non-printed information contained on a payment card that identifies the customer. The Treasurer’s Office and General Counsel will identify and periodically update PII applicable to the Policies and Procedures s revisions to industry regulations and other security factors require.
- In the context of payment card operations, it is strictly prohibited for a College of Charleston entity to retain the following elements of PII: credit/debit card number, Card Validation Code (CVC), customer’s PIN or contents of the magnetic stripe of a payment card.
- Payment Card Industry Data Security Standard (PCI DSS): The Payment Card Industry Data Security Standard is the result of collaboration between the major credit card brands to develop a single approach to safeguarding sensitive data. The PCI DSS defines a series of requirements for handling, transmitting and storing sensitive data. Entities engaged in any form of payment card processing must comply with these standards as a condition of their payment card processing contracts. A copy of the PCI DSS can be obtained at https://www.pcisecuritystandards.org/
- POS Device: Point of Sale (POS) computer or credit card terminals either running as stand-alone systems or connecting to a server either at the College of Charleston or at a remote off site location.
- Processing Method: The means by which authorized departments accept payment cards. Payment card transactions can only be accepted via walk-in (face-to-face) payment, telephone (in authorized locations only.  Telephone calls cannot be recorded) or customer-initiated online payment. Tuition/fee payments are accepted only as customer-initiated through the MyCharleston or in person. No department may accept a payment card transaction or payment card information via mail, email, fax, any end-user messaging technology or on a website that collects payment card information unless the site is authorized by the Treasurer’s Office via a system usage waiver.
- Risk Assessment: A documented process used to identify and qualitatively and/or quantitatively evaluate risks and their potential effects, including brand damage and monetary effects. A supplemental document will be provided by the Treasurer’s Office and Information Technology to detail the required elements of a Risk Assessment. 
- Sensitive Cardholder data: Sensitive Cardholder data is defined as the account number, expiration date, CVC2/CVV2/CID (a three or four digit number displayed on the signature panel of the card or in the case of American Express on the face of the card), and data stored on track 1 and track 2 of the magnetic stripe of the card.
- Web Development: The design, development, implementation and management of the user interface of the e-commerce application
1. Statement of Policy
Responsibility of College Departments
All departments that manage credit card transactions must adhere to strict procedures for ensuring that data is secure at all times. Regardless of which credit card vendor is used, the College of Charleston faces steep penalties, including fines and lost business, or revocation of card processing privileges if credit card data is stolen.
All College of Charleston divisions and departments desiring to accept payment for financial transactions electronically via the Internet using e-commerce are required to process all transactions through gateways approved by the Treasurer’s Office. The College provides PCI ready solutions, such as TouchNet’s MarketPlace, to appropriately handle these transactions.  All requests for access to credit card acceptance must be made to the Treasurer’s Office.
Types of E-commerce:
- Web Sites: The College provides secure and PCI compliant transactions through TouchNet’s MarketPlace product.  The MarketPlace (https://secure.touchnet.com/C20590_ustores/web/) is available to all departments at CofC.  To find out more please contact the Treasurer’s Office at treasurer@cofc.edu.
- E-Mail:  Credit card information should never be solicited or accepted by email.  This presents a risk to both the credit card holder and the College. 
- Products or services provided by e-commerce sites are limited to those that support the College of Charleston mission.
Approved Process:
The approval process for all credit card activities will be as follows:
The Treasurer, or named delegate(s), must approve all requests to begin accepting credit cards at the College of Charleston before a unit enters into any contract or purchase of software and/or equipment. This requirement applies regardless of the transaction method used (e.g. e-commerce, POS device, or e-commerce outsourced to a third party). All credit card processing equipment should be provided to the Treasurer’s Office and all personnel processing credit cards must receive PCI training.
All technology implementations (including approval of authorized payment gateways) associated with the credit card processing must be in accordance with the Credit/Debit Card Policy and approved by the Treasurer, VP of Fiscal Services, Procurement, and Information Technology Dept. prior to entering into any contract or purchasing software and/or equipment.
Sensitive cardholder data must not be stored in any way on the College of Charleston computers or networks. Credit card numbers should never be written down nor appear in emails or fax documents.
All unsolicited credit card information must be destroyed using a crosscut shredder.
Third party vendors must not collect or track customer information (e.g., web bugs, cookies, software buffers).
Maintaining Standards:
Departments and events approved for credit card processing activities must maintain the following standards:
All approved employees including students involved in e-commerce or POS transactions must understand all requirements as outlined in the Credit/Debit Card Policy.  The Treasurer’s Office must be provided a list of all individuals handling payment transactions per the Cash Receipts Policy and the list must be kept current noting any changes in personnel and business processes.  All employees involved in credit card processing, including Information Technology, Public Safety, Physical Plant and MarketPlace users, must complete PCI training prior to credit card acceptance or gaining access to network access areas on campus.
All servers and POS devices will be administered in accordance with the requirement of the PCI-DSS standards.
Access to credit card processing systems and related information must be restricted to appropriate personnel.  In some cases personnel may be subject to background and credit checks prior to participating in the processing of credit card payments.
Each department responsible for credit card processing will be subject to an Annual Self-Assessment Questionnaire and a Quarterly Network Scan as scheduled by the Information Technology department. All systems processing cardholder data must comply with the Credit/Debit Card Policy and the associated procedures. The College’s IT Department and the Treasurer’s Office will assist in the initial self-assessment. To combat the loss of payment card information to hackers, e-commerce sites must comply with all security requirements as outlined in the PCI-DSS standards (https://www.pcisecuritystandards.org/documents/PA-DSS_v3-1.pdf).
Third party source code (HTML, CGI or script) should be provided to the Treasurer’s Office and/or Information Technology at the College of Charleston upon request.
Third parties providing payment gateways or who interact in any way with credit cards as a form of payment must provide certification of PCI-DSS or PA-DSS compliance annually. These documents must be provided to the Treasurer’s Office each year.
All third party vendors must provide evidence of adequate liability insurance.  The State of South Carolina regulations currently require coverage of $5 million per occurrence or $10 million aggregate.
Only approved College of Charleston logos may be used on e-commerce sites existing within the College of Charleston domain.
1. Revisions and Exceptions
The Credit/Debit Card Policy may be revised only with approval of the Vice President of Fiscal Services and Executive Vice President for Business Affairs. The Vice President of Fiscal Services may grant written exceptions to the policy in extreme circumstances and will notify the Executive Vice President for Business Affairs, Treasurer, Chief Information Security Officer and Internal Auditor.
1. Compliance
Failure to comply with the Credit/Debit Card Policy and the above referenced procedures will be deemed a violation of College policy and will result in suspension of electronic payment capability for the affected department. Additionally, fines may be imposed by the affected credit card company, generally $50,000 for the first violation. Technology that does not comply with the Credit/Debit Card Policy and the associated PCI-DSS standards will be disconnected from network services.
1. Communication
Upon approval, the Credit/Debit Card Policy shall be published on the College of Charleston Hub. The Treasurer, Chief Information Security Officer and Internal Auditor will recommend subsequent revisions to the Credit/Debit Card Policy for approval by the Vice President of Fiscal Services and Executive Vice President for Business Affairs.
Incident Reporting Procedure
Incident Reporting
All departments engaging in payment card processing are responsible for immediately reporting a suspected incident of any machine used in card processing.
Campus-wide Security Incident Reporting information can be found at https://charleston.edu/it/index.php
IF THERE IS A SUSPECTED OR ACTUAL BREACH, IMMEDIATELY FOLLOW THESE STEPS:
1. Cease use of any suspect machine.
2. Do not turn off the machine.
3. Immediately report an incident, using the Credit Card Security Breach Report.
The Treasurer’s Office and/or Information Security and/or Public Safety will begin an investigation into the incident. Do not resume processing until approved by the Treasurer’s Office.
False reports will be subject to disciplinary action.
Notification Procedures in Case of Breach of Privacy
College of Charleston takes several measures to ensure the privacy of personally identifying information it collects and maintains about faculty, staff, and students.
The College of Charleston Information Technology department hosts servers that may have sensitive data in a controlled access area. Servers are secured with firewalls, virtual private networks, data access monitoring software, and passwords, as well as other methods.
Access to personally identifiable information is limited to those employees with a legitimate, job-related need to know. Employees have access only to those data elements which they actually need for designated purposes, and access is controlled through an electronic desk system and other security access systems. There is regular review of those data elements to which individual employees are allowed access.
If security is breached and personally identifying information is compromised, the College will immediately notify law enforcement officials including, as appropriate, CofC Public Safety, the FBI, the U.S. Secret Service, the U.S. Postal Inspection Service and/or other law enforcement agencies.
The College will contact everyone whose identity may have been put at risk, regardless of whether personal data appears to have been accessed or extracted. It will also notify the campus community about the security breach through electronic and others means. The notification will include the following information:
- Exactly when and how did the breach occur, and when was the breach detected?
- How many individuals are affected?
- What personal information was put at risk?
- Does the College know whether any information was stolen?
- What procedures did the College follow with regard to the security breach?
- How should individuals respond if they discover fraudulent use of their personal information?
- What steps is the College taking to prevent illegal access of confidential information in the future?
- What has the College done to notify those affected?
- Who can respond to additional questions concerning this security breach?
The custodian of the data is responsible for notifying those affected by an electronic security breach. In the case of a non-electronic security breach, the office or department where the breach occurred will be responsible for notification.
Incident Response Team
The Incident Response Team is established to provide a quick, effective and orderly response to computer related incidents such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, breach of personal information, and other events with serious information security implications. The Incident Response Team’s mission is to prevent a serious loss of profits, public confidence or information assets by providing an immediate, effective and skillful response to any unexpected event involving computer information systems, networks or databases. The Incident Response Team is authorized to take appropriate steps deemed necessary to contain, mitigate or resolve a computer security incident. The Team is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting findings to management and the appropriate authorities as necessary. The Incident Response Team will subscribe to various security industry alert services to keep abreast of relevant threats, vulnerabilities or alerts from actual incidents.
Incident Response Team Members
Each of the following members will have a primary role in incident response.
Treasurer
Chief Information Security Officer
Senior Information Security Analyst
Network Manager/Senior Architect
Each of the following members may provide supporting roles during incident response.
Vice President Finance and Administration
Information Technology Service HelpDesk
CIO
Internal Audit
Incident Response Team Roles and Responsibilities:
Treasurer:
- Notifies members of the team that the breach occurred
- Contacts merchant on campus to verify that they have followed all instructions
- Escalates to executive management as appropriate
- Contacts auxiliary departments as appropriate
- Monitors progress of the investigation
- Ensures evidence gathering, chain of custody, and preservation is appropriate
Chief Information Security Officer
- Determines the nature and scope of the incident
- Contacts qualified information security specialists for advice as needed
- Determines which Incident Response Team members play an active role in the investigation
- Provides proper training on incident handling
- Monitors progress of the investigation
- Prepares a written summary of the incident and corrective action taken
- Ensures evidence gathering, chain of custody, and preservation is appropriate
Network Manager/Senior Architect
- Analyzes network traffic for signs of denial of service, distributed denial of service, or other external attacks
- Runs tracing tools such as sniffers, Transmission Control Protocol (TCP) port monitors, and event loggers
- Looks for signs of a firewall breach
- Contacts external Internet service provider for assistance in handling the incident, if necessary
- Takes action necessary to block traffic from suspected intruder
Senior Information Security Analyst
- Monitors business applications and services for signs of attack
- Reviews audit logs of mission-critical servers for signs of suspicious activity
- Contacts the Information Technology Helpdesk with any information relating to a suspected breach
- Collects pertinent information regarding the incident at the request of the Chief Information Security Officer
- Examines system logs of critical systems for unusual activity
Other Duties to Assign As Necessary
- Ensures all service packs and patches are current on mission-critical computers
- Ensures backups are in place for all critical systems
Internal Auditor
- Periodically reviews policies and procedures for compliance with information security standards, PCI-DSS policies and Risk Assessment
Payment Card Incident Response
The Treasurer’s Office will coordinate all responses to suspected or confirmed payment card security incidents, with the assistance of IT Information Security and, if need, the Office of Public Safety.
Payment card security incidents are defined as malicious attempts to access a payment system, successful attacks to compromise personally identifiable information (PII), or any unauthorized access to a payment system, including internal access outside of an employee’s job duties (even if accidental). Upon notification of a payment card security incident, the Treasurer’s Office and IT Information Security will begin an immediate investigation into the reason for and scope of the incident. All processing for that payment acceptance channel may be suspended until after the investigation is completed, and it is deemed safe to resume processing transactions.
The purpose of this policy is to establish procedures to evaluate, contain and report any attempt to compromise any approved College processing method. All incidents will be reported using the Credit Card Security Breach Report. False reporting of an incident is considered unlawful and appropriate disciplinary action will be taken.
Definitions
All terms mentioned in this policy are defined in College of Charleston PCI-DSS Policy and Procedures.

All campus users of payment card information are required to know and fully understand all terms associated with this set of policies and procedures related to payment card processing, security and incident reporting.
Department/Merchant Responsibility
In the event of a payment card data security breach, the affected department/merchant is required to immediately notify the Treasurer’s Office using the Credit Card Security Breach Report and emailing the form to treasurer@cofc.edu, regardless of time of day. Training for designated incident response personnel within each payment card processing department will be conducted annually by the Treasurer’s Office.
The affected department MUST discontinue processing transactions and disconnect all affected systems from the university network; DO NOT SHUT DOWN ANY EQUIPMENT. All staff MUST remain logged off of the affected systems. The department MUST NOT resume normal business operations until notified by the Treasurer’s Office. This requirement is enforced for ALL College of Charleston departments/merchants, regardless of the payment system used.
If the breach is contained to one department/merchant, the Treasurer’s Office will assist that department with any required Payment Card Industry Data Security Standard (PCI DSS) post-incident reporting. If the department is found to be responsible for any compromise, the department can be penalized up to the immediate revoking of their processing privileges. Any financial loss incurred by the College resulting from inadequate controls or lack of adherence to PCI DSS, other industry security requirements and the College’s PCI policies may be charged to the department at the time of the breach.
Departments MUST have their own disaster recovery, business continuity, and risk assessment policies and procedures in place. Those policies must be approved by the Treasurer’s Office and IT Information Security prior to implementation. The Treasurer’s Office can assist departments in drafting and revising procedures as industry or processing environment changes occur. Departmental staff should immediately notify the Treasurer’s Office of a suspected compromise, and the Treasurer’s Office and IT Information Security will coordinate any and all investigations into an incident that results in a data breach to that system. If an incident occurs, all audit logging for the external processing system is to remain functional during and after an incident.
The Treasurer’s Office Responsibility
The PCI DSS requires that College of Charleston MUST complete the following if a payment card data security breach is detected:
- Immediately contain the exposure of the breach.
- Immediately notify the necessary institutional parties.
- Prepare the Incident Response Report and file with the merchant bank within three business days.
- Prepare a list of compromised accounts and file with the merchant bank within ten business days.
The Treasurer’s Office will assess the situation and will immediately begin notifying necessary parties of the incident as appropriate. PCI DSS requires that the affected system be made unavailable until a forensic investigation is completed. The College will make the determination whether the circumstances surrounding the incident require notification of law enforcement.
- The Treasurer will notify the Vice President of Fiscal Services, the CIO, and the Executive Vice President for Business Affairs.
- The Treasurer will notify the College’s acquiring banks.
Annual testing of the College incident response plan is required to ensure all parties understand responsibilities for their area. The Treasurer’s Office will guide departments through the testing procedures. Departments with an active system usage waiver will also have their system tested as part of College’s annual incident response plan testing.