A department seeking to accept payment card transactions must submit a New Merchant Request Form and receive written approval from Financial Services and the University Commerce Committee.

Brown currently has negotiated contracts with and accepts Visa, MasterCard, Discover (including Discover network cards), and American Express. In addition, various digital equivalents are accepted (e.g., GPay, ApplePay, Venmo, PayPal). For the purpose of this policy, digital equivalents are included in the term “Payment Card.” Departments may not negotiate their own contracts with Payment Card or digital wallet financial companies.

Departments engaging in Payment Card business must either use an authorized TPSP or provide evidence to the University Commerce Committee that existing authorized TPSPs cannot meet the business needs of the department, and that an alternative TPSP meets University requirements for security and for integrating transaction information into Brown’s financial system. The University Commerce Committee has the authority to approve or deny a department’s request for an exception to the existing process or authorized TPSPs.

Departments may engage in commerce only with the approval of the department head, Financial Services, and the University Commerce Committee. When engaging in commerce activities, the department must:

• Adhere to appropriate financial and accounting standards established by the University;
• Transmit financial information electronically using a level of security that meets or exceeds common industry standards;
• Use Brown University’s authorized commerce TPSPs or otherwise approved by the University Commerce Committee;
• Satisfy security requirements defined by the University for secure connections and data management;
• Adhere to Contract Review Policies and Process and the Brown Contract Management System (BCM);
• Adhere to University PCI IT Security Standards, Information Security Policy, Network Connection Policy, and Policy on the Handling of Brown Restricted Information;
• Provide a link to the University’s Privacy Policy from their e-commerce site; and
• Keep abreast of University policies and standards as they relate to e-commerce.

Only Payment Card devices and locations that have been approved and tracked by Financial Services may be used for Payment Card processing.

• The purchase, rental, and/or use of Payment Card devices, including mobile applications, must be coordinated through Financial Services and must meet PCI DSS standards.
• All card payment devices and solutions must be listed as a PCI Council validated Point-to Point Encrypted (P2PE) product and solution.
• The department is responsible for ensuring only authorized staff have access to the device and are properly trained.
• Devices must be inventoried with Financial Services and must be maintained in a secure location.
• Sharing or transfer of Payment Card devices between departments is not allowed without proper advance, written approval from Financial Services.
• The department is responsible for working with Financial Services to ensure that Payment Card device software is kept up-to-date.

In order to protect cardholder data and maintain the University’s PCI DSS Compliance, all departments accepting and handling cardholder data, Financial Services, and the Office of Information Technology must maintain the following requirements.

1. Maintain compliance with PCI DSS for each merchant.
2. Build and Maintain a Secure Network and Systems: Card payment processing applications are not allowed to utilize any of Brown University Wi-Fi networks, unless they leverage a PCI SSC listed validated P2PE solution and device. Brown Wi-Fi networks are blocked by firewalls from all access to the cardholder data environment (CDE).

3. Protect Cardholder Account Data:

   Brown University does not allow card payment via fax, email or other end-user messaging technologies (i.e. instant messaging, SMS/text, chat).

   For departments accepting cardholder data via paper form, transactions must be processed immediately. Cardholder data must be stored in a secure locked space and not be retained beyond four business days. Cardholder data must be destroyed after processing by a cross- shredder or incinerator so that cardholder data cannot be reconstructed.

   The primary account number (PAN) must be masked, showing only the last four digits wherever it is stored.

   For department merchants, and any other TPSPs involved with payment card processing, sensitive authentication data must never be stored after authorization. This includes the card verification code (CVV), personal identification number (PIN), and PIN block.

4. Maintain a Vulnerability Management System:

   1. Protect All Systems and Networks from Malicious Software: All workstations and servers involved in PCI operations utilize current generation anti-malware software capable of detecting, removing, and protecting against known malicious software.

      All antivirus settings must be configured so as to be unalterable by end-users, and update automatically.

   2. Develop and Maintain Secure Systems and Software:

      For web servers that host a page that provides the URL of the TPSP’s payment page/form:

      • Security vulnerabilities are identified and addressed in accordance to their risk rating;
      • All system components are protected from known vulnerabilities by installing critical or high-security patches/updates within one month of release; and
      • For page scripts that are loaded and executed in the consumer’s browser:
        • A method is implemented to confirm script is authorized and to assure the integrity of each script and
        • An inventory of all scripts is maintained with written justification
5. Implement and Maintain Strong Access Control Measures:
   1. User access to system components:
      • User access is managed through Brown University Office of Information Technology.
      • Access to systems components and data is assigned to users based on job classification and function with the least privileges necessary to perform job responsibilities; access is approved by authorized University personnel.
      • User access to system components is authenticated via at least a password/passphrase, token, or biometric element.
      • Passwords/passphrases must be set to a unique value for first time use and upon reset and user must be forced to change the password after first use.
      • Passwords/passphrases must be a minimum of 12 characters (or if the system does not support 12 characters, a minimum of eight characters) and contain both numeric and alphabetic characters.
      • Passwords/passphrases must be different than the last four used.
      • Passwords are changed every 90 days.
      • All users will be assigned a unique ID before access to system components or cardholder data is allowed.
      • Group, shared, or generic accounts, or other shared authentication credentials are not allowed.
      • Inactive user accounts will be removed or disabled within 90 days of inactivity and access for terminated users will be immediately revoked.
   2. Card payment (Point-of-interaction (POI)) devices are protected from tampering and unauthorized substitution:
      • An inventory of all card payment devices, including the make, model, location of device, and serial number is maintained by Financial Services.
      • Upon hire and/or before use of card payment devices, staff are trained to follow standards established by the PCI DSS Council, University policies, and the operational procedures. In addition, staff is also trained to be aware of methods in which devices can be tampered or replaced.
      • Routine inspection of card payment devices for tampering and substitution is completed according to the department’s standards and logged.
      • Do not alter or attempt to troubleshoot issues with card payment devices; support is provided by Financial Services.
      • Sharing or transfer of payment card terminals between departments is not allowed without proper prior approval from Financial Services.
      • Departments may rent card payment terminals on a temporary basis to accept in- person credit card payments at specified times as agreed upon via a rental agreement with Financial Services. Rented terminals will follow Financial Services standards.

6. Regularly Monitor and Test Networks:

   External vulnerability scans are performed by a PCI SSC Approved Scanning Vendor (ASV) quarterly. Scan results are reviewed by OIT Information Security Group and vulnerabilities are mitigated. Rescans are performed as needed to confirm that vulnerabilities are resolved and are performed after significant changes.

   For web servers that host a page that provides the URL of the TPSP’s payment page/form a change and tamper detection mechanism must be deployed to alert personnel to unauthorized modifications.

7. Maintain an Information Security Policy:
   1. Security Awareness education is ongoing: All personnel who utilize or support the processing of payment cards must have completed “Protecting Brown’s Information” security training and PCI DSS training prior to receiving access to system components that could impact the security of cardholder data. PCI DSS training is required on an annual basis.

   2. Risk to information assets associated with TPSP relationships is managed:

      Prior to implementation, third party service provider’s (TPSP’s) securities, processes, and procedures will be evaluated by the Commerce Committee, Financial Services, and the Office of Information Technology. A written agreement with each TPSP with which account data is shared or that could affect the security of the card data environment is required and agreements will include an acknowledgment from the TPSP that they are responsible for the security of account data that the TPSP’s possess or otherwise store, process, or transmit on behalf of the University or to the extent that the TPSP could impact the security of the University’s card data environment.

      A list, including descriptions of services provided, of all TPSP with which account data is shared or that could affect the security of account data is maintained by Financial Services.

      Each TPSP must meet and maintain PCI DSS compliance and be willing and able to provide a valid annual PCI DSS Attestation of Compliance (AOC) to Brown University Financial Services.

8. Suspected and confirmed security incidents that could impact cardholder data are responded to immediately: In the event of a security incident or suspected breach of security, the department must immediately follow the Brown University PCI DSS Incident Response Plan.

Any department that sells goods and services, irrespective of the method of payment, must evaluate whether the sale requires the collection of sales tax and/or the reporting of unrelated business income tax (UBIT).

The card payment processor/acquirer will notify Financial Services of a disputed charge. Financial Services reviews all disputes and then contacts the department for written authorization/documentation of the transaction. Failure to respond to these requests will result in a chargeback to the department’s account. Prompt attention to these matters is a priority. It is the department’s responsibility to develop appropriate internal controls to mitigate risks related to chargebacks.

The Commerce Committee is a standing committee composed of representatives from Finance and Administrative Services, Office of Information Technology, and Internal Audit.

The Committee will perform the following functions:

• Establish registration requirements for commerce approval;
• Review and approve/deny requests for establishment of commerce presence;
• Advise Senior Officers on commerce policy, process, vendors, dissemination/publication of commerce information, and commerce matters in general; and
• Evaluate and exercise due diligence of vendor relationships, including monitoring service providers’ PCI DSS compliance on an annual basis.

• PCI DSS Incident Response Plan
• University PCI IT Security Standards
• Contract Review Policies and Process
• Network Connection Policy
• Policy on the Handling of Brown Restricted Information

N/A

• New Merchant Request Form

N/A

N/A