PCI Credit Card use policy for applications using card swipe devices (SAQ B-IP) payment channel
This procedure outlines the processes and requirements surrounding the use and protection of credit cards via the dedicated card swipe device payment channel.
When Was This Policy Updated?
April 6, 2017
Who Should Read This Procedure?
WSC staff involved with any processing of credit card transactions or with the maintenance of the systems that support those transactions.
- PAN – Primary Account Number
- NATS – Network and Technology Services
- ISPC – Information Security Program Coordinator – currently the Chief Information Officer
- Business Service Owner – the department manager or administrator responsible for the credit card processing service
- PCICC – PCI Compliance Committee – the body convened by the ISPC to oversee compliance with and management of services using credit cards to receive payment. The membership of the PCICC will include the ISPC, the Comptroller, one or more representatives from NATS as appointed by the ISPC, and one or more Business Service Owners.
WSC PCI base policy
To supplement the WSC PCI Credit Card policy for card swipe (SAQ B-IP) payment channel use.
Business service owners
- Provide a secure storage location for devices when not in use.
- Maintain a list of card swipe equipment and make changes when devices are added/moved/removed.
- Validate any person attempting to work on any device in the card environment and notify NATS immediately.
- Maintain a card swipe device notebook containing card skimming detection procedures, device inventory and photographs, and an inspection log.
Personnel processing transactions
- PANs and other personally identifiable data are not to be transmitted via messaging technologies.
- Do not write down, print, or store PANs on any paper or physical media.
- Validate any person attempting to work on any device in the card environment and notify both the Business Service Owner and NATS immediately.
- Periodically utilize card skimming detection procedures located in the card swipe device notebook and make a log entry in the inspection log.
- Ensure that either the PCI VLAN firewall, the endpoint firewall, or both are configured to allow only the vendor-documented transaction functions, along with the supporting services required to participate in a network (DHCP, DNS, etc.).
- Ensure that devices only function on the PCI VLAN.
Last Updated: 4/6/2017