My Urban Toddler Data Security Policy

I. PURPOSE

The purpose of this policy is to establish guidelines for processing charges and credits on credit cards, to protect against exposure and possible theft of account and personal cardholder information that has been provided to My Urban Toddler, and to comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements for transferring, handling and storing credit card information.

II. DEFINITIONS

  1. Cardholder Information Security Program (CISP): Visa's Cardholder Information Security Program (CISP) is designed to ensure that all merchants that store, process, or transmit Visa cardholder data, protect it properly. To achieve CISP compliance, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard.
     
  2. PCI: The PCI Standard is the result of collaboration between the four major credit card brands to develop a single approach to safeguarding sensitive data. The PCI Standard defines a series of best practices for handling, transmitting and storing sensitive data.

  3. Cardholder Data: Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, Card Validation Code CVC2 (MasterCard), Card Verification Value CVV2 (Visa), Cardmember ID (Discover) or CID - Card Identification Number (American Express), i.e., the three- or four-digit value printed on the front or back of a payment card.

  4. System Administrator / Data Custodian: An individual who performs network/system administration duties and/or technical support of network/systems that are accessed by other people, systems, or services. Only full-time and permanent part-time employees of the University and/or third party vendors approved by IT and/or Treasury Operations may function as system/network administrators and/or data custodians.

III. SCOPE

This policy applies to all My Urban Toddler employees, contractors, consultants, temporaries, and other workers. This policy is applicable to any unit that processes, transmits, or handles cardholder information in a physical or electronic format. Affiliated corporations are encouraged to comply.

IV. POLICY

All transactions (including electronic-based ones) that involve the transfer of credit card information are performed on systems approved by My Urban Toddler, after a prior compliance and security review by Information Technology. All specialized servers approved for this activity are housed within a secure Tier 4 data center and administered in accordance with the requirements of all My Urban Toddler policies and the Cardholder Information Security Program (CISP). My Urban Toddler is involved in PCI DSS compliance and is subject to examination of system security and configuration to ensure cardholder information is securely maintained. In addition:

  1. Credit card numbers must not be transmitted or stored electronically in any other system, personal computer, or e-mail account.

  2. Physical cardholder data must be locked in a secure area, and limited to only those individuals that require access to that data. In addition, restrict access to data on a "need to know" basis.

  3. Store only essential information. Do not store the Card Validation Code or the PIN. Do not store the full contents of any track from the magnetic stripe (on the back of the card, in a chip, etc.).

  4. Stored credit card information will be retained for a maximum of 60 days. All media used for credit cards must be destroyed when retired from use. All hardcopy must be shredded prior to disposal.

  5. Departments must comply with the Payment Card Industry Data Security Standard (PCI DSS).

  6. Exceptions to this policy may be granted only after a written request from the unit has been reviewed and approved by the University Office of the Treasurer.

V. PROCEDURES

Confidentiality and Security of Account Information

My Urban Toddler employees are governed by various policies, including the Code of Conduct, Acceptable Use, and Information Security policies. These policies include the responsibility to protect the confidentiality of individuals' personal information.

All credit card and debit card transactions, including web-based procurement of the same, must be initiated and controlled through My Urban Toddler. Questionable sales should be reviewed by My Urban Toddler and/or General Counsel.

The practice of least privilege will be used to restrict access to sensitive data. This practice involves assigning individual access on a "need-to-know" basis. Positions requiring specific levels of data access will be granted that access with approval from the department head and IT. For employees without a "need to know", credit card account numbers will be masked to protect account information. The first six and last four digits are the maximum number of digits that may be displayed.
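The masking rule above (at most the first six and last four digits visible to staff without a need to know) can be enforced and audited in code. The following is an added example written for this page, not part of the policy or of any My Urban Toddler system; it assumes Python 3 and uses publicly known test card numbers, not real cardholder data.

```python
import re

# Policy maximum (section V): show no more than the first six and last four digits.
MAX_LEADING = 6
MAX_TRAILING = 4


def _digits(value: str) -> str:
    """Strip spaces and dashes so formatted input ("4111 1111 ...") can be handled."""
    return re.sub(r"[\s-]", "", value)


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING, fill: str = "X") -> str:
    """Return the PAN with only the permitted leading/trailing digits visible.

    Callers may ask for fewer visible digits than the policy maximum, never more.
    PANs are 13 to 19 digits long, so at least three digits are always masked.
    """
    if leading > MAX_LEADING or trailing > MAX_TRAILING:
        raise ValueError("requested display exceeds policy maximum of first six / last four")
    digits = _digits(pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("input is not a 13- to 19-digit card number")
    hidden = len(digits) - leading - trailing
    return digits[:leading] + fill * hidden + digits[-trailing:]


def display_pan(pan: str, need_to_know: bool) -> str:
    """Least-privilege view: full PAN only for approved need-to-know roles."""
    return _digits(pan) if need_to_know else mask_pan(pan)


def masked_display_ok(shown: str) -> bool:
    """Audit check for a PAN as rendered on a screen or receipt.

    Passes only if every visible digit sits in the leading run (<= 6 digits)
    or the trailing run (<= 4 digits); an unmasked PAN or a digit exposed in
    the middle of the masked region fails.
    """
    s = _digits(shown)
    lead = len(s) - len(s.lstrip("0123456789"))
    trail = len(s) - len(s.rstrip("0123456789"))
    visible = sum(c.isdigit() for c in s)
    return visible == lead + trail and lead <= MAX_LEADING and trail <= MAX_TRAILING


if __name__ == "__main__":
    # Constructed inputs: industry test numbers, not real accounts.
    print(display_pan("4111 1111 1111 1111", need_to_know=False))  # 411111XXXXXX1111
    print(masked_display_ok("4111 11XX 1111 1111"))  # False: eight trailing digits exposed
```

The `masked_display_ok` check is useful for reviewing receipts, reports or vendor screens for compliance with the display limit, independently of how the masking was produced.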

Under no circumstances will it be permissible to obtain credit card information or transmit credit card information by e-mail.

Any changes to systems housing account information must only be performed when:

  • Thorough testing has taken place to ensure the adequacy of controls;

  • Functionality testing with clients has taken place;

  • Required client training is completed;

  • Change control processes have been followed.

Enforcement by Information Technology

System Administrators:

  • Responsible for granting permission to sensitive areas based on the principle of least privilege.
  • Responsible for configuring the masking of account numbers based on a user's access.

Data Storage and Destruction

The following processes must be followed for all data storage and destruction:

  • Hardcopy containing cardholder data will be destroyed immediately after processing.

  • All electronic media containing cardholder information should be labeled and identified as confidential if required.

VI. SANCTIONS

Violations that constitute criminal offenses under local, state, and federal laws shall be pursued and are punishable to the fullest extent of the law.

Violations of the policy will be addressed by respective disciplinary policies and procedures. All known and/or suspected violations will be reported to the applicable authorities.
