CREDIT CARD SECURITY CONTROL PROCESSES *

Effective Date: Thu, 11/02/2017
Reviewed: Mon, 03/29/2021
Revised: Mon, 03/29/2021
Policy: 

The UCSC Student Health Center Pharmacy manages cash handling, including credit card acceptance and processing for the UCSC Student Health Center.  All campus financial security controls are maintained and followed per UCSC policy.

These controls may be classified as follows:

  • Administrative (A)
  • Physical (P)
  • Technical (T)

CONTROLS - EVIDENCE THAT THE UCSC STUDENT HEALTH CENTER PHARMACY CREDIT CARD HANDLING COMPLIES WITH RULE 4.2b

NOTE: Controls are categorized as A - Administrative, P - Physical, T - Technical

Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? (4.2b)

Our Answer

A - We only use the credit card machine for credit card transactions

A - Credit card numbers are not to be stored in any way

T - Point-to-point Ethernet line (out of scope due to P2PE encryption)

Is access to privileged user IDs restricted as follows? (7.1.2)

  • To the least privileges necessary to perform job responsibilities
  • Assigned only to roles that specifically require that privileged access

Current evidence: UC-FO-00-0370_bus49.pdf

Our answer

A - Job descriptions that include cash handling

Is access assigned based on individual personnel’s job classification and function? (7.1.3)

Our answer

A - Job descriptions that include cash handling

Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (9.5) For purposes of Requirement 9, "media" refers to all paper and electronic media containing cardholder data.

Our answer:

P - Machine is locked down at night behind an alarmed, locked door

P - During the day it's behind a desk and only available to staff

P - Receipts from card machine go into locked cash drawer

Is media classified so the sensitivity of the data can be determined? (9.6.1)

Our Answer

https://its.ucsc.edu/security/restricted.html

NOTE: The only item in PCI scope is the card machine itself

Is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (9.6.3)

Our Answer:

A - Management approval is required prior to moving the Credit Card Machine

Is strict control maintained over the storage and accessibility of media? (9.7)

Our Answer

P - Locked down at night and alarmed

P - Secure and attended during the day

Is all media destroyed when it is no longer needed for business or legal reasons? (9.8a)

Our answer:

A - When a device is no longer needed, we securely decommission it

Do policies and procedures require that a list of such devices be maintained? (9.9a)

Our answer:

A - There is an inventory with serial numbers and pictures of our device(s) - See Inventory (linked - updated 08/19)

A - The inventory must be kept up to date after any changes to the inventory

Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? (9.9b)

Our answer

A - Daily review of the device to confirm there is no tampering

A - If any change to the device is noted, activate the incident process

Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? (9.9c)

Our answer

A - A security policy exists with procedures to protect devices

A - Annual cash handling training

A - Annual credit card training

Does the list of devices include the following? (9.9.1a)

  • Make, model of device
  • Location of device (for example, the address of the site or facility where the device is located)
  • Device serial number or other method of unique identification

Our answer:

A P T - See Inventory (linked)

Is the list accurate and up to date? (9.9.1b)

Our answer:

A - Check the inventory annually

A - Update the inventory whenever the inventory changes

Is the list of devices updated when devices are added, relocated, decommissioned, etc.? (9.9.1c)

Our answer

- See Inventory (linked)

Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? (9.9.2a)

Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.

Our answer

A - See daily check procedure

Are personnel aware of procedures for inspecting devices? (9.9.2b)

Our answer:

A - Procedures and policies are reviewed on hire and annually; see Training log

Do training materials for personnel at point-of-sale locations include the following? (9.9.3a)

  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
  • Do not install, replace, or return devices without verification.
  • Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
  • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

Our answer:

A - Visitor log and policy

A - Inventory policy / procedure

A - On install, replacement, or return of devices, the department works with campus credit card staff to verify

A - Annual training on credit card machine usage (PCI training)

Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? (9.9.3b)

Our answer:

A - Incident response process

A - Training log

A - Training procedures

Is a security policy established, published, maintained, and disseminated to all relevant personnel? (12.1)

Current evidence: UC-IT-12-0107_is3.pdf

Our answer

A - Training log

A - Training procedure

Is the security policy reviewed at least annually and updated when the environment changes? (12.1.1)

Our answer

A - The security policy is reviewed annually and documented

A - The security policy is updated when the environment changes

Explicit approval by authorized parties to use the technologies? (12.3.1)

Our answer

A - Only staff who have cash handling duties shall use the credit card machine

A list of all such devices and personnel with access? (12.3.3)

Our answer

A - Training log documents staff members who are fully trained

A - Only fully trained people can use the machine

A - Personnel roles delineate who can use the credit card machine (role-based access matrix); this is defined in the security policy, and each individual user is listed in the training log. The roles include:

  • Pharmacists
  • Pharmacy technicians
  • Cashier temporary staff as needed

Acceptable uses of the technologies? (12.3.5)

Our answer

A - The machine is only used as outlined in cash handling policies

Do security policy and procedures clearly define information security responsibilities for all personnel? (12.4)

Our answer

A - Everyone behind the counter in the pharmacy is accountable for keeping the machine safe and for knowing the security policy

A - Everyone reviews the security policy annually

A - Security responsibilities

  • Employees - review policy, do training, follow policy
  • Manager - update/review policy annually, update inventory, review logs, maintain logs
  • PCI coordinator - work on the machines, troubleshoot, update department with new information as required

Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations? (12.5.3)

Our Answer

A - Incident response process, including when tampering is suspected or confirmed:

  • Notify management
  • Notification numbers / emails (daytime and nighttime)
  • Create RL Datix incident
  • Stop using the machine and store it in a locked drawer or safe
  • Notify campus Cashier's Office Compliance staff by emailing merchantservices@ucsc.edu and calling 831-459-1686
  • Numbers / emails outside of department
  • Campus PCI Coordinator will contact BlueFin and coordinate next steps

Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? (12.6a)

Our Answer

A - Via the training, and documented in the training log

A - Staff annually review the security policy and the cash handling and PCI trainings

FORMAL ATTESTATION

LIST OF EVIDENCE

  • Training logs
  • This document
  • Campus policies

See: Payment Card Coordinator and Cash Control Specialist, UC Santa Cruz - Student Business Services, for assistance