Protecting Credit Card Information
Campus Requirements relating to Credit Cards and PCI (Payment Card Industry)
A PDF is available outlining the Campus Requirements relating to the Payment Card Industry Data Security Standard.
The document contains:
- What is Cardholder Data?
- What is PCI-DSS?
- Who does PCI-DSS apply to?
- Which payment card method is used
- Point-of-Sale or Other Networked Devices
- Dial-out Terminals, Impact Machines, and Vendor-Supplied Wireless Networks
- Storefronts using SecurePay
- UCR's Credit Card Oversight Committee's duties
- Annual Reporting and Risk Assessment information
Specific Requirements for Servers Serving as UCR Storefronts
- Storefronts must have an SSL certificate to ensure that all data sent between the Storefront and SecurePay is encrypted.
- Storefronts must utilize unique (non-public) URLs for the out-of-band communication with SecurePay. In this communication, the storefront must confirm that the transId and transAmt match what was sent to SecurePay.
- Storefronts must verify that the out-of-band communication is coming from the IP address of the SecurePay server (4 different IP addresses can be used).
- Storefront Transaction IDs MUST be 12-32 characters in length, per the following:
  - Identifier (T or P) indicating Test or Prod.
  - Sequential number (length of at least 8); never re-use this number, and it should start at 00000001.
  - A random alphanumeric string of 4-6 characters (upper and lower case, length of at least 5).
- SecurePay has been designed for maximum security and therefore Storefronts cannot utilize GETs that would allow URL encoding of parameters.
- SecurePay gives the user 5 minutes to complete their transaction once the customer arrives at the form to enter payment details. In addition to the 5 minutes, there is also a 90-second timeout for the Storefront to issue a response in the out-of-band communication between the Storefront and SecurePay.
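The storefront-side checks listed above (transaction ID layout, the non-public callback URL, the SecurePay source-IP allowlist, POST-only, and the transId/transAmt match), worked through as an added Python example that is not UCR's or SecurePay's own code. The SecurePay IP addresses and the callback path are constructed placeholders; the page does not give the real values.

```python
import re
import secrets
import string
from decimal import Decimal, InvalidOperation

# Constructed placeholders: the real SecurePay addresses and the storefront's
# secret (non-public) callback path are not given on the page.
SECUREPAY_IPS = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"}
CALLBACK_PATH = "/securepay/cb/0f3a9c7e-placeholder"

# Transaction ID layout from the requirements: T|P prefix, a sequence of at
# least 8 digits, then 4-6 random alphanumerics; the whole ID is 12-32 chars.
TRANSID_RE = re.compile(r"[TP]\d{8,}[A-Za-z0-9]{4,6}")

def make_transid(seq: int, prod: bool, rand_len: int = 5) -> str:
    """Build a storefront transaction ID. The caller persists `seq` and never
    reuses it; numbering starts at 00000001."""
    if seq < 1:
        raise ValueError("sequence numbers start at 00000001")
    alphabet = string.ascii_letters + string.digits
    suffix = "".join(secrets.choice(alphabet) for _ in range(rand_len))
    tid = f"{'P' if prod else 'T'}{seq:08d}{suffix}"
    if not valid_transid(tid):
        raise ValueError("generated ID violates the 12-32 character layout")
    return tid

def valid_transid(tid: str) -> bool:
    """Check an incoming transId against the required layout and length."""
    return 12 <= len(tid) <= 32 and TRANSID_RE.fullmatch(tid) is not None

def verify_callback(method: str, remote_ip: str, path: str, params: dict,
                    pending: dict) -> tuple:
    """Validate one out-of-band SecurePay callback before acting on it.
    `pending` maps each transId this storefront sent to the amount string it
    sent with it. Returns (accepted, reason)."""
    if method != "POST":                      # no GETs with URL-encoded params
        return False, "method not allowed"
    if not secrets.compare_digest(path, CALLBACK_PATH):
        return False, "unknown callback URL"
    if remote_ip not in SECUREPAY_IPS:        # must originate from SecurePay
        return False, "unexpected source IP"
    tid = params.get("transId", "")
    if not valid_transid(tid) or tid not in pending:
        return False, "unknown or malformed transId"
    try:
        if Decimal(params.get("transAmt", "")) != Decimal(pending[tid]):
            return False, "transAmt mismatch"
    except InvalidOperation:
        return False, "unparsable transAmt"
    return True, "ok"
```

The storefront should answer SecurePay within the 90-second window after these checks pass, and the `pending` entry should be removed once the transaction is confirmed so a replayed callback is rejected as an unknown transId.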
