Cardholder Data Processing and Security Policy (PCI Compliance)
Scope
All financial and administrative policies involving community members across campus, including volunteers, are within the scope of this policy. If there is a variance between departmental expectations and the common approach described through college policy, the college will look to the campus community, including volunteers, to support the spirit and the objectives of college policy. Unless specifically mentioned in a college policy, the college’s Board of Trustees is governed by its Bylaws.
Policy
Purpose
As an organization accepting card payments, Colorado College must maintain the highest standards of data security to protect cardholders and reduce exposure to financial and reputational risk. Failure to safeguard cardholder data (CHD) may result in financial loss for customers, suspension of payment card processing privileges, fines, and/or reputational damage.
This policy details mandatory requirements for securely handling payment card data and ensuring institutional compliance with the Payment Card Industry Data Security Standard (PCI DSS).
This policy applies to all people, processes, and technologies that process, transmit, store, or otherwise interact with cardholder data (CHD), on behalf of the college. This includes any system or activity that could affect the security of CHD, whether managed by college personnel or via approved third-party service providers.
Payment Card Industry Security Standard (PCI DSS) Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory set of security requirements established by the major credit card brands. These security requirements apply to all transactions where the college accepts credit and/or debit cards (payment cards) as forms of payment.
All college departments that accept payment cards must:
- Maintain continuous compliance with the current PCI DSS standard.
- Complete and attest to an annual Self-Assessment Questionnaire (SAQ) appropriate to their payment method(s).
- Treat each payment channel separately (e.g., hosted website, virtual terminal, P2PE terminal), as each channel may require a different SAQ type.
Failure to complete required PCI compliance activities may result in the suspension of card processing privileges.
Roles and Responsibilities
Clear responsibilities ensure that CHD is handled consistently and securely across all college units.
Information Technology Services (ITS)
ITS is responsible for ensuring the security, integrity, and availability of the College’s environments that store, process, or transmit CHD. It:
- Maintains a secure network architecture and enforces Network Security Controls (NSCs) designed to protect CHD.
- Ensures strong authentication practices, including:
  - Passphrases of at least 12 characters with appropriate complexity requirements;
  - Periodic passphrase changes in accordance with security standards; and
  - Removal or replacement of all vendor-supplied default passwords prior to system deployment.
- Requires Multi-Factor Authentication (MFA) for access to systems that store, process, or transmit CHD.
- Documents, implements, and maintains PCI-compliant network segmentation to ensure CHD systems are logically isolated from academic, residential, and guest networks.
- Requires encryption for any wireless network that transmits or provides access to CHD.
- Enforces the use of current, industry-accepted encryption standards and keyed cryptographic hashing where applicable. Full-disk encryption is not permitted as the sole method for rendering CHD unreadable.
- Maintains a vulnerability management program that includes, at a minimum:
  - Timely patching of systems;
  - Deployment and maintenance of anti-malware controls; and
  - Annual penetration testing, as required by PCI DSS.
- Applies secure systems development and configuration practices consistent with regulatory and industry standards to safeguard sensitive customer information.
- Conducts regular testing of security systems and processes, including:
  - Quarterly internal vulnerability scans;
  - External vulnerability scans by a PCI-approved scanning vendor as required; and
  - Continuous logging and monitoring of CHD environments, including:
    - All access to CHD;
    - Administrative actions;
    - Log access and modification;
    - Log retention and tamper protection;
    - Automated log review and correlation; and
    - Malware solution audit logging.
  All logs are retained and managed within an approved log-management and correlation system.
- Ensures staff members with access to CHD complete Cyber Security Awareness training, including quarterly phishing simulations, in accordance with the College’s Cyber Awareness Training Policy.
- Partners with the Finance Office to investigate, contain, eradicate, and recover from any PCI-related security incidents, including coordination of evidence preservation and forensic activities.
- Partners with the Finance Office to maintain, test, and update the PCI Incident Response Plan on at least an annual basis.
Finance Office
The Finance Office plays a central role in ensuring that all college payment processes comply with PCI DSS requirements and that departments maintain secure, consistent, and approved methods of accepting payment cards:
Governance, Oversight & Policy Management
- Maintains the college’s PCI Compliance Program, including policy updates, annual reviews, and coordination with the Cabinet for approval.
- Serves as the primary liaison with the college’s merchant services bank and other PCI-related external partners.
- Ensures that departmental payment activities align with institutional standards, merchant agreements, and legal/regulatory requirements.
Merchant Onboarding & Approval
- Reviews and approves all requests to establish new payment channels, including evaluation of business need, risk, and PCI scope.
- Requires completion of the college’s “New Merchant Application” before any department begins accepting payment cards.
- Approves all third-party payment systems, software, or vendors in collaboration with ITS.
- Verifies third-party payment systems’ PCI compliance documentation (AOCs/SAQs/responsibility matrices) prior to contracting and annually thereafter.
Training & Departmental Support
- Provides in-person training for all staff who will handle CHD before they begin accepting payments.
- Delivers annual PCI DSS training for departmental personnel with payment responsibilities.
- Maintains training records, including copies of annual user training acknowledgements, to support annual compliance validation.
Payment Device & Process Management
- Issues and manages college-approved P2PE payment terminals and ensures vendor-supplied default passwords are changed before deployment.
- Coordinates with departments to ensure correct device setup, storage, inspection processes, and controls.
- Maintains an inventory of all payment devices and ensures any device changes follow documented approval processes.
Monitoring & Annual Compliance
- Supports departments in completing their required Self-Assessment Questionnaire (SAQ) each year.
- Reviews all departmental SAQs for completeness and accuracy and retains them for institutional records.
- Tracks departmental compliance and notifies the CFO of noncompliance or risks.
Incident Response & Escalation
- In partnership with ITS, maintains the Incident Response Plan, which is tested and updated annually.
- Receives and triages all reports of suspected payment card data breaches.
- Coordinates with ITS to initiate PCI-compliant incident response procedures.
- Notifies the merchant services bank, legal counsel, and other required parties in accordance with Colorado Revised Statutes § 6-1-716 (Notification of Security Breach).
- Supports remediation and documentation after any PCI incident.
Financial Controls & Settlement Oversight
- Ensures that all payment card transactions are properly routed to approved college bank accounts.
Colorado College Merchant Requirements
Departments acting as “merchants” must adhere to the following requirements:
Establishing a New Payment Channel
- Submit a “New Merchant Application” (available on the Finance Office website).
- Obtain approved college-issued payment terminals (P2PE devices) from the Finance Office, or receive written approval from both the Finance Office and ITS before engaging any third-party payment provider.
- Collect and maintain third-party payment systems’ PCI compliance documentation (annual AOC/SAQ/responsibility matrices) prior to contracting and annually thereafter.
- Complete in-person training from the Finance Office before processing payments.
Ongoing Merchant Responsibilities
- Accept only payment cards authorized by the Finance Office and follow all merchant banking agreements and Nacha rules.
- Never accept CHD via email, SMS, chat, Teams, or other messaging platforms. Staff must follow departmental procedures to securely respond, redirect, and delete improperly received CHD.
- Never accept CHD via telephone unless explicitly authorized in writing by the Finance Office.
- Never process CHD using remote access, personal laptops, or wireless technologies unless explicitly approved and validated by ITS as PCI compliant.
- Manage the security of P2PE devices and workstations and perform daily device inspections. Daily inspections must include serial number verification, tamper seal checks, and visual inspection for skimming devices. Devices must be secured when not in use. No troubleshooting may be performed outside IT oversight.
- Ensure all payments settle into the college’s approved bank accounts.
- Maintain annual documentation of the CHD environment, including service providers, payment devices, software, and data flows.
- Complete the appropriate SAQ each year with Finance Office support and remediate any gaps promptly.
- Report suspected PCI incidents to Finance immediately and preserve any related materials for investigation.
- Ensure all staff handling CHD:
  - Complete in-person training before handling payments; and
  - Complete annual PCI training updates.
- Manage CHD securely by:
  - Limiting access to only those with a job-related business need;
  - Minimizing retention and documenting any storage requirements; and
  - Ensuring timely and secure destruction of CHD when no longer required.
Authorized Payment Channels
The college permits only the following methods for accepting payment card transactions:
College-Issued P2PE Terminals
- Departments may accept in-person card payments only through college-issued, PCI-validated, Point-to-Point Encryption (P2PE) payment terminals. These devices must be obtained from the Finance Office and used in accordance with established departmental procedures and the P2PE instruction manual provided by the solution provider.
Approved Third-Party Hosted Payment Pages / Gateways
- Online or electronic payments may only be accepted through third-party hosted platforms that have been vetted and approved in writing by both the Finance Office and ITS.
- The vendor must provide a current PCI DSS Attestation of Compliance (AOC) or equivalent documentation and responsibility matrices annually.
- Departments must retain this documentation as part of their annual PCI review process.
Any exceptions to these authorized payment channels must be requested in writing and be approved by the Finance Office and ITS. Exceptions are time-bounded and reviewed periodically.
Prohibited Practices
The college prohibits:
- Storing CHD electronically in any college system or tool.
- Storing CVV/CVC, PINs, or full magnetic stripe/chip data under any circumstance.
- Accepting CHD via email, chat/IM, SMS, Teams, screenshots, or unencrypted webforms.
- Using unapproved vendors, personal accounts, or department created tools for payment acceptance.
- Processing payments over unsecured wireless networks, on personal devices, or through remote access without written approval and validated PCI controls.
- Retaining paper CHD beyond the minimum needed for reconciliations.
Violations may lead to immediate suspension of card processing privileges and departmental liability for costs and fines (see Enforcement).
Incident Response (PCI)
The Finance Office and ITS will maintain a PCI Incident Response Plan, which is tested and updated annually.
Departments must inform the Finance Office immediately about any suspected loss, exposure, or compromise of CHD, and must preserve any related materials for investigation.
The Finance Office will coordinate with ITS to initiate PCI-compliant incident response procedures and notify the merchant services bank, legal counsel, and other required parties in accordance with Colorado Revised Statutes § 6-1-716 (Notification of Security Breach).
The Finance Office and ITS will investigate, contain, eradicate, and recover from any PCI incident, including evidence preservation and forensics, and will support remediation and documentation following the incident.
Enforcement
Failure to meet the requirements outlined in this policy will result in suspension of the physical and, if appropriate, electronic payment capability for the department. In the event of a breach or a PCI violation, any fines will be the responsibility of the impacted department.
Definitions
- Attestation of Compliance (AOC): A PCI DSS-required document that must be completed and signed by third-party payment providers and provided to the college annually as evidence of PCI DSS compliance.
- Cardholder Data (CHD): At minimum, the primary account number (PAN). May also include cardholder name and expiration date.
- CC Community Member: Any person with a formal relationship with Colorado College. This includes all students, employees, volunteers, third-party contractors, or formally invited guests of the college.
- Data Breach: An incident in which sensitive data may have been accessed, viewed, stolen, or used by an unauthorized party.
- External Community Member: A person, persons, or entity that has no employment, contractual, or educational/student ties to the institution who is attending, supporting, or has been invited onto campus grounds for a specific purpose or activity and is expected to adhere to institutional expectations, protocols, and policy.
- Merchant: Any college department or unit accepting card payments for goods, services, or donations.
- Merchant Bank: Financial institution processing payment card transactions for merchants.
- Multi-factor Authentication (MFA): Authentication method that requires a user to present two or more independent authentication factors to verify their identity before access is granted to a system, application or data.
- Network Security Controls (NSCs): Hardware/software that restricts unauthorized network access according to defined rules, such as hardware firewalls.
- Nacha: The nonprofit organization that governs the U.S. Automated Clearing House (ACH) Network and establishes the operating rules and security standards for electronic bank‑to‑bank payments.
- P2PE: Point-to-point Encryption standard managed by the PCI Security Standards Council.
- Payment Terminal: Hardware used to accept card payments (e.g., POS (point of sale) terminal).
- PCI DSS Compliant: Meeting applicable requirements of the current PCI DSS version on a continuous, business as usual basis.
- Self-Assessment Questionnaire (SAQ): PCI's standardized assessment tool for validating compliance.
- Sensitive Authentication Data: Security data used for authentication (CVV, PIN, full track data), which must never be stored post authorization.
- Third-party Payment System/Provider: A vendor-provided payment solution that processes or facilitates card transactions for the college.