600.00 Safeguarding Customer Information
Introduction and Purpose
This policy is being introduced as required by the Federal Trade Commission under the Gramm-Leach-Bliley (GLB) Act.
At Montana State University, safeguarding the privacy and confidentiality of personal information is important. As an institution of higher education, we collect, retain, and use personal non-public information about individual students and staff members. We may collect personal information from such sources as hard copy applications, electronic forms, background checks, or over the Internet. The objectives of our information security program are to ensure the security and confidentiality of such personal information; to protect against any anticipated threats to its security or integrity; and to guard against unauthorized access to or use of it.
Any sharing of nonpublic personal information about our students or employees must be done in strict adherence to the Federal Family Educational Rights and Privacy Act (FERPA) guidelines. The University may exchange such information with certain nonaffiliated third parties (under limited circumstances) to the extent permissible under law. Examples may include (but are not limited to) medical insurance institutions or credit card processing software companies.
We restrict access to student and employee information only to those employees who have business reasons to know such information, and we educate our employees and contract service providers about the importance of confidentiality and privacy.
In order to provide adequate safeguards over customers' credit card data and electronic addresses as they are received over the Web, the university will adhere to the following minimum technical specifications:
- Any server on the University network that makes non-public personal information available must be certified secure. A copy of the security certificate must be forwarded to UIT before any such server is connected to the network.
- Customer information, including credit card data, must be reasonably secured against disclosure and modification.
- The University must oversee local and contracted service providers by taking steps to select and retain providers that are PCI-DSS compliant.
- MSU will contractually require service providers to implement and maintain such safeguards.
- MSU will periodically evaluate, based on results of testing and monitoring, any material changes to the service providers' operations.
Departments may develop Web pages to accept payment by credit card under the following circumstances:
The department must complete the application for Authorization to Process Bankcard Transactions to apply to become an authorized merchant department and return it to University Business Services. (Request MSU startup procedures for processing credit cards from University Business Services). Procedures for timely deposit of credit card transactions and safe and proper handling of the data must be followed.
The department must also complete the application for Authorization to Process Bankcard Transactions Over the Internet, requesting approval from University Business Services, Institutional Audit & Advisory Services, and UIT before the Web page is approved to be put into production.
UIT will review, at the department's own expense, the department's hardware and software to ensure that the server is secure and the program requirements for a secure Internet site have been adhered to. (See Procedures below). Institutional Audit & Advisory Services will review the department's internal procedures to ensure that personal information is handled utilizing reasonable confidentiality security practices.
The following safeguards should be in place:
- Personal computers containing confidential information must be secure.
- Adequate internal controls regarding separation of duties must be in place.
- It is the merchant department's responsibility to maintain the customer's credit card or e-mail information in a confidential manner as shown in PCI-DSS Procedures Departmental Agreement Form.
- Any hard copy documents containing confidential information must be shredded in a timely manner.
- The merchant department must follow the MSU Business Procedures Manual Section 350.00 regarding procedures for safe handling of money deposits.
- Approvals - Obtain approvals from UIT, Institutional Audit & Advisory Services, and University Business Services by completing the required forms.
- Program Requirements - Follow these procedures to establish a secure Internet site.
a. Install and maintain an effective network firewall to protect data accessible via the Internet.
b. Keep operating system and application software security patches up-to-date.
c. Encrypt stored data.
d. Encrypt data sent across open networks.
e. Use and regularly update anti-virus software.
- Develop adequate office procedures for staff or contract service providers to maintain secure information as shown in PCI-DSS Procedures Departmental Agreement Form.
a. Restrict access to data by business "need-to-know".
b. Assign a unique ID to each person with computer access to data.
c. Do not use vendor-supplied defaults for system passwords and other security parameters.
d. Track access to data by unique ID.
e. Regularly test security systems and processes.
f. Maintain a policy that addresses information security for employees and contractors.
g. Restrict physical access to cardholder information.
Segregation of duties is important to protect against fraud and maintain confidentiality.
1. Individuals who collect monies and/or write receipts may not be the same individuals who account for deposits.
2. Different individuals are to perform the following functions:
a. Collecting monies and preparing receipts
b. Depositing receipts
c. Accounting for receipts
3. Limit access to information such as ID and credit card numbers only to those individuals who need to know.
4. Protect and shred confidential information.
5. Small departments that do not have sufficient staff to meet ideal segregation of duties requirements must ensure that detailed supervisory review compensates for this weakness.
Effective Date and Review
These procedures are effective immediately.
University Business Services will review and update this policy annually.