Category B Data Protection Standard
Category B data includes data that is governed by Payment Card Industry (PCI) Data Security Standards to protect the confidentiality, integrity, and availability of the payment card data. Category B data is also subject to State of Oklahoma Policy, Standards, Procedures, and Guidelines (PSPG).
Data Collection and Use
- All credit/debit card uses must be approved by the OU Bursar Office.
- PCI Advisory Group: The PCI Advisory Group will act as the governing body for PCI compliance of merchant accounts that are part of the university CDE and the overarching university technologies that support the use of these merchant accounts. The PCI Governance Group will:
  - Be the designated authority for decision making and compliance issues related to the PCI DSS
  - Meet regularly to discuss and resolve any operational and technical issues related to maintaining compliance with the PCI DSS
  - Review risk assessment findings and address any identified gaps in compliance with the PCI DSS
  - Report the status of overall PCI DSS compliance and any high-risk findings to the appropriate institutional body
- Office of the Bursar: The Office of the Bursar manages merchant services (credit card acceptance) for the University and is the point of approval and revocation of merchant accounts and the supporting hardware, software, and/or services. The Office of the Bursar will:
  - Manage the provisioning of Merchant IDs and merchant accounts and/or equipment requests related to payment card processing
  - In coordination with IT Governance, Risk, and Compliance (IT GRC), validate and/or approve the hardware, software, services, and payment gateways that will be used for storing, transmitting, and/or processing cardholder data for the University
  - Accept and evaluate, in coordination with the PCI Compliance Officer, all requests to store cardholder data to verify the business need and to ensure the merchant meets all the PCI DSS requirements for cardholder data storage
  - Provide new merchant training that, at a minimum, will address the roles and responsibilities of the merchant staff under PCI DSS for the technology(s) to be used
  - Provide Information Technology the number of payment card transactions and total dollar amounts on a per-merchant basis annually or as needed by a member of the IT GRC
  - Coordinate annual assessment services provided by a PCI Internal Security Assessor (PCI ISA) for the assurances needed to complete the Attestation of Compliance (AOC)
- Business Units: Business Units are ultimately responsible for maintaining compliance with current PCI DSS requirements within their environment and making sure all individuals are performing their roles as required and/or defined. Business Units will:
  - Know and document all individuals authorized to handle cardholder data in any format within the Business Unit and ensure assignment and completion of the PCI training provided through the current Learning Management System (LMS), in accordance with the PCI DSS requirements. This training must be completed upon hire or prior to assignment of card handler duties and then annually thereafter
  - Acquire approval from the Office of the Bursar before storing any cardholder data, and then only with approved policy(ies) and procedure(s) in place to meet the PCI DSS requirements associated with the storage of cardholder data as directed by the Office of the Bursar and the PCI Compliance Officer
  - Determine whether there is a business requirement to manually enter (i.e., key-enter) cardholder data at a point of interaction system (computer or POS device). If cardholder data is entered manually, it must be encrypted with a technology that isolates and protects the cardholder data from other computer applications or networks, such as email or the general Internet, as confirmed by the PCI Compliance Officer. If the point of entry system cannot use this level of encryption, the Business Unit must ensure that the point of entry device will not be used for, or have access to, any other business function or network besides the payment solution; that is, an unencrypted point of entry system will NOT have general Internet connectivity or general office applications such as e-mail, spreadsheet, or word processing
  - Ensure that business unit specific PCI policies, standards, and procedures are updated and maintained at minimum on an annual basis
  - Have processes in place to distribute to their employees the policy(ies) and procedure(s) that address PCI compliance, and regularly assess overall compliance with them
  - Regularly inspect the hardware utilized in performing or administering a payment card transaction for tampering, as compared to the original Point of Interaction (POI) Characteristics document retained by the Business Unit for the device. This includes, but is not limited to, terminals, card readers, PIN pads, desktops, or any combination of these technologies
  - Ensure all products are upgraded or replaced before the products' PCI SSC validation expires or when the product is identified as no longer PCI DSS compliant
  - Work with IT GRC for remediation and/or compensating controls to provide the intended protections of the PCI DSS where gaps in compliance are found
  - Require that the PCI DSS requirement(s) to be met by the service provider or third party are identified and documented, and have an agreement in place with the service provider or third party that assures compliance with the designated PCI DSS requirement(s)
  - Cooperate with the ongoing University compliance validation and risk assessment process coordinated through the Office of the Bursar and IT GRC
  - Obtain background checks for all current and prospective employees aged 18 and above who are to be retained in, hired, appointed, transferred, or promoted into a workforce position having responsibilities or activities that include the handling of Cardholder Data or other involvement in the Cardholder Data Environment, even if not explicitly required by the PCI DSS
  - Not permit volunteers or minors to handle Cardholder Data or have other involvement in the Cardholder Data Environment without official express permission granted by the University PCI Governance Group and agreement to additional requirements specific to volunteers and minors
  - Obtain approval from the Office of the Bursar prior to making changes to existing environments, technologies, and/or processes associated with Cardholder Data
  - Obtain approval from the Office of the Bursar prior to entering into, or revising, any agreement for the provision of services by an external service provider
  - Be responsible for providing, and for all costs associated with providing, escalation, notification, and response activities, including fines, judgments, legal fees, and expenses associated with the event, in the event of a failure of safeguard efforts resulting in a breach or suspected breach of information
- Credit Card Handlers: Credit Card Handlers are individuals who perform cashier, accounting, or other duties that interact directly with payment/credit card data. Credit Card Handlers will:
  - Complete the PCI training made available to them through the current LMS prior to handling any cardholder data and then annually thereafter.
  - Review all Business Unit policy, standards, and supporting processes and procedures related to the handling of payment card data at least annually to stay abreast of what is required and expected of them by their Business Unit and the University.
  - Adhere to all policy, standards, processes, and procedures of the Business Unit and University related to the protection and handling of cardholder data.
  - Not disclose or acquire any information concerning a cardholder's account except as necessary to perform their job duties.
Granting Access or Sharing
- Acquire approval from the Office of the Bursar before storing any cardholder data, and then only with approved policy(ies) and procedure(s) in place to meet the PCI DSS requirements associated with the storage of cardholder data as directed by the Office of the Bursar and the PCI Compliance Officer.
- Before granting access to external third parties, contractual agreements which outline responsibilities for security of the data shall be approved by the Office of Legal Counsel.
- Per the Identity and Access Management Policy, all access shall be approved by an appropriate Data Owner or Steward and tracked in a manner sufficient to be auditable.
- Business Units storing Category B data must know and document all individuals authorized to handle cardholder data in any format within the Business Unit and must ensure assignment and completion of the PCI training provided through the current Learning Management System (LMS), in accordance with the PCI DSS requirements. This training must be completed upon hire or prior to assignment of card handler duties and then annually thereafter.
- Business Units must obtain background checks for all current and prospective employees aged 18 and above who are to be retained in, hired, appointed, transferred or promoted into a workforce position having responsibilities or activities that include the handling of Cardholder Data or other involvement in the Cardholder Data Environment (CDE), even if not explicitly required by the PCI DSS.
- Business Units may not permit volunteers or minors to handle Cardholder Data or have other involvement in the Cardholder Data Environment, without official permission granted by the University PCI Advisory Group and agreement to additional requirements specific to volunteers and minors.
- Access to Category B data must require multi-factor authentication, in accordance with the Identity and Access Management Policy.
- Staff, faculty, or student accounts must authenticate to Category B data using an approved authentication method, in accordance with the Identity and Access Management Policy.
- Data Owners and Stewards must review access to Category B data in accordance with the Identity and Access Management Policy.
- All interfaces used for sharing Category B data must be registered in the IT Asset Inventory, in accordance with the IT Asset Management Policy.
Disclosure or Posting
- Disclosure or public posting of Category B data is not permitted unless required by law.
Electronic Display
- Category B data shall be displayed only to authorized and authenticated users of a system.
- Identifying numbers or account number shall be, at least partially, masked or redacted.
Open Records Request
- Category B data is typically not subject to open records disclosure. However, some open records requests can be fulfilled by redacting the sensitive portions of records.
- Data can be readily provided upon request with approval from the OU Open Records Office.
Exchanging with Third Parties, Service Providers, or Cloud Services
- Business Units must obtain approval from the Office of the Bursar prior to entering into, or revising, any agreement for the provision of services by an external service provider.
- Business Units must require that the PCI DSS requirement(s) to be met by the third party or service provider are identified and documented, and must have an agreement in place with the third party or service provider that assures compliance with the designated PCI DSS requirement(s).
- A contractual agreement outlining security responsibilities shall be in place and approved by the Office of Legal Counsel before exchanging data with the third party or service provider.
- An IT Security Assessment must be completed before the purchase or integration of new hardware, software, or third-party technology services that collect, store, transmit, or process Category B Data.
- Any contract involving third party-provided credit card services must require that the third party provides assurances that all subcontractors who provide credit card services pursuant to the contract will comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) in the provision of the services.
- All contractors, consultants, third parties, or other non-employees must only be given Privileged Access to data or systems when the Data Steward or Asset Administrator determines there is a legitimate business need. These privileges must be enabled only for the time period required to accomplish approved tasks and then promptly disabled upon completion of the approved tasks. Unattended access by contractors, consultants, third parties, or other non-employees requires that an OU IT Exception Request be submitted.
- All access by contractors, consultants, third parties, or other non-employees must be monitored and reviewed by the Office of Information Technology and Asset Administrators.
- Procurement Staff: Procurement Staff are individuals who perform a role in acquiring or purchasing any software, hardware (products), or service(s) that store, process, transmit, or could impact the security of cardholder data. Procurement Staff will:
  - To maintain overall compliance, manage the acquisition of these products and services, assuring due diligence has been performed prior to purchase and/or engagement, which includes, at a minimum:
    - Ensuring these products and/or services have been evaluated by IT GRC prior to purchase.
    - Ensuring these products and/or services have been verified and approved for compliance and supportability by the Bursar with the current merchant services provided.
    - Ensuring that a written agreement is in place with any service providers or third parties who store, process, transmit, or otherwise impact the security of cardholder data; the agreement must define the PCI DSS requirements the service providers or third parties are responsible for and must require that PCI DSS compliance will be maintained and cardholder data will be protected.
Storing or Processing: Server Environment
- Storing credit/debit card PAN data is not permitted.
- Servers that connect to the OU network shall comply with IT Security Policies and Standards.
- IT Administrators and Developers: IT Administrators and Developers are System, Database, and Network Administrators and other staff who maintain or have privileged access to IT systems that may store, process, transmit, or impact the security of cardholder data, otherwise known as the Cardholder Data Environment (CDE). IT Administrators and Developers will:
  - Know what systems in their environment are part of the University's CDE.
  - Ensure the system(s) is/are built, configured, managed, and/or maintained in accordance with current PCI DSS and applicable University IT Security Policy(ies).
  - Ensure any vendor or external/remote access to systems in the University's CDE is strictly monitored and performed in accordance with the current PCI DSS.
  - Use encryption and some form of multi-factor authentication when accessing or managing any part of the CDE remotely (non-console access).
Storing or Processing: Endpoint Environment (e.g., laptop, phone, desktop, tablet, etc.)
- Endpoints that connect to the OU network shall comply with IT Security Policies and Standards.
Storing on Removable Media (e.g., USB drives, flash drives, CDs, DVDs, etc.)
- Category B data shall not be stored on removable media.
Electronic Transmission
- Secure, authenticated connections or secure protocols shall be used for transmission of Category B data.
Email and other Messaging
- Messages shall only be sent to authorized individuals with a legitimate need to know.
- Messages shall be transmitted in an encrypted format by placing [SECURE] or [ENCRYPT] in the subject line.
Copying and Printing
- Data should only be printed when there is a legitimate need.
- Paper copies of data must be limited to individuals authorized to access the data.
- Paper copies should be labeled 'Confidential'.
- Paper copies should not be left unattended where others may see them.
- Unauthorized access to printed materials must be prevented by locking doors, cabinets, etc.
Retention and Disposal
- Category B data must be destroyed when the data is no longer required for legal, contractual, or business purposes.
- Copies of records may be destroyed when they are no longer required for administrative purposes.
- Data shall be deleted and rendered unrecoverable using a DoD 3-pass secure deletion technique.
- Printed materials or paper copies shall be destroyed by the shredding method.
Revision, Review, and Approval History
- October 2023: OU IT Governance, Risk, and Compliance: Initial draft, opened for comments
- January 2024: OU IT Governance, Risk, and Compliance: Comment period closed
- March 2024: OU IT Governance, Risk, and Compliance: Added Granting Access and Sharing statements. Added Exchanging with Third Parties statements. These statements align with the Identity and Access Management Policy.
- April 2024: OU IT Governance, Risk, and Compliance: Added statements from PCI Standard draft.