Credit Card Security Policy

Vision and Philosophy

Moore Public Schools Foundation puts securing our donors’ personal data as one of our highest priorities.  We understand that every time a donor provides us with credit card and bank account information, or other sensitive personally identifying information, they trust that we will protect it—and this policy is designed to ensure that this trust is not misplaced. The foundation of our information security program is a set of strong policies that are in balance with business operational needs.

Security Environment

Moore Public Schools Foundation utilizes patrol data to deliver products and services to our patrons.  Accordingly, all patron information to include cardholder data as well as other sensitive patron and company information, will be protected by all staff, contractors, partners and services providers in accordance with well defined policies and procedures.

Moore Public Schools Foundation will operate on the security principle of “that which is not explicitly allowed is explicitly denied.”  Attempts by anyone to access, monitor, use or share information that is not explicitly allowed to them by our security program will be considered a security violation.  Further, access to sensitive information will be permitted on a “need to know” basis, such that employees have access to only those data and systems required to perform their assigned jobs.  We will deploy systems, processes, policies and training to protect our mission critical data assets and patron privacy.  Most important, we will monitor and enforce compliance to our policies.

Vendor Management

Vendors, partners and other third parties will be required to comply with the same standards established for Moore Public Schools Foundation staff.  All vendors storing or otherwise accessing our patrons’ card holder data must provide proof of PCI DSS Compliance.

Information Classification, Storage and Destruction

All Moore Public Schools Foundation information is categorized into two main classifications: Public and Confidential.

Public information, such as advertising and marketing materials, is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to the Foundation.

Confidential comprises all other information such as sales data, patron addresses, employee files, etc, that should not be made available outside the company.  A subset of Confidential information is “Critical Confidential” information, which should be restricted to “need to know” access only, such as trade secrets, financial, technical, and personnel information, and other information integral to the success of the company. Customer sales authorizations containing credit card numbers and cvv2 codes or bank account numbers (PANs), and PANs provided to employees in the course of entering a telephone transaction, fall into the “Critical Confidential” information category.

Moore Public Schools Foundation personnel are encouraged to use common sense judgment in securing Confidential information to the proper extent.   “Critical Confidential” information will be stored in a limited access area (i.e. locked file drawer or safe), and only those employees with a “need to know” will be provided access to that information.  If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact the Foundation president.

Under no circumstances is a CVV2 code to be stored, even in paper format.  If provided on a paper authorization form, after the transaction is successfully processed, it is to be redacted on all stored documents.

When “Critical Confidential” information in paper form need no longer be stored for any operational or regulatory reason, it must be disposed of shredding.  Any shredding bins that store “Critical Confidential” information prior to destruction will be kept locked at all times.  Any digital information in the “Critical Confidential” category, will not be stored on hard-drives but in password-protected, cloud-based formats only. (As the Foundation has contracted with a third party for all storage of PANs, none will be stored by the company in digital form.)  When feasible, non-critical “Confidential” information should be disposed of in the same manner.

Payment Processing System

Moore Public Schools Foundation utilizes a web-based SaaS system provided by WorldPay, a PCI DSS Certified payment processing service provider, for all payment processing functions.  All credit card and ACH transactions, whether authorized over the phone, in writing via mail, or online are transmitted, processed and stored via the WorldPay virtual system.  Telephone and online transactions are directly entered into the system.  Mailed transactions are entered into the system, and the paper authorization form is then stored in a secure locked cabinet or safe for only as long as required by business operational needs. In no circumstances are PANs stored electronically for any reason—secure storage is completely delegated to the WorldPay system.

Moore Public Schools Foundation employees and the treasurer have access to the WorldPay system for processing payments and reporting—but never have access to un-encrypted credit card or bank account numbers.  Each User is granted system access permissions based on the minimum functionality required to perform job responsibilities.

During the course of performing their job responsibilities, telephone sales representatives will have access to full credit card numbers, billing addresses, and CVV2 codes.  Telephone operators are expressly directed to enter this information directly into the WorldPay system—and are never to record any PANs or CVV2s on paper, or to repeat or otherwise transmit this information to any third parties.

Access Controls

Moore Public Schools Foundation employees will be granted access to sensitive company data and any archived authorizations or reports containing card data or other confidential patron information on a “need to know” basis.  Access to payment processing systems and other company applications will also be granted on the basis of the minimum level required to perform assigned job responsibilities.

Key Access Control Provisions

  • Users will only be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times.
  • A payment processing system Administrator will be responsible for issuing user accounts, provisioning user account permissions and processing limits, and monitoring system usage
  • Access to the WorldPay payment processing system, and all other connected systems, will be by individual username and password only. User accounts are not to be shared for any reason. Group User accounts and Generic User Accounts are prohibited.
  • A system Administrator will be notified of all employees leaving the company, or contractors whose services have been terminated, and immediately revoke access to all systems and storage facilities, including but not limited to the WorldPay Payment Processing system.

Vendor Management

All vendors that will have access to “Critical Confidential” information, including patron Credit Card numbers and Bank Account numbers, must be covered by a formal contract that includes the following guarantees:

  • Service providers must comply with all PCI DSS requirements, and maintain and provide proof of PCI DSS certification as a service provider.
  • Service providers must acknowledge responsibility for security of the cardholder data they possess, including but not limited to:
  • Protect cardholder data as specified by the PCI DSS, if processing or storing payment card data on behalf of Moore Public Schools Foundation
  • Report any known or suspect compromise of that data to the company as soon as possible.
  • Allow for audits by VISA/MasterCard/American Express/Discover or VISA/MasterCard/American Express/Discover-approved entities in the event of a cardholder data compromise.
  • Ensure continued security of cardholder data retained during and after contract terminations.

As part of the Vendor Management program, Moore Public Schools Foundation will perform due diligence on each Vendor prior to signing any contract to confirm that the above guarantees have been adequately met.

Moore Public Schools Foundation will maintain an up-to-date list of all service providers with access to “Critical Confidential” information. At a minimum this list will include the service provider’s name, key contact information, they type of Moore Public Schools Foundation confidential information to which the service provider has access, and the type of PCI responsibilities allocated to the vendor.

On at least a yearly basis, Moore Public Schools Foundation will review the Service Provider List, and for all vendors that have access to “Critical Confidential” information to ensure that:

  • PCI DSS compliance certification is up-to-date
  • Other procedures in place to protect confidential information continue to adequately protect patrons and are being properly executed
  • Make any changes necessary to policies and procedures

Card Brand and Law Enforcement Contacts

Company Contact Person/Department Contact Information
Visa Visa Incident Response 650-432-2978

usfraudcontrol@visa.com

refer to Visa cisp what to do if compromised PDF

MasterCard MasterCard Compromised Account Team 636-722-4100

compromised_account_team@mastercard.com

American Express AMEX Security Breach Team 800-528-5200

Refer to AMEX DSOP service provider US document

Discover Discover Network Incident Response Team Merchants: 800-247-3083

Acquirers: 800-347-7052

US Secret Service Electronic Crimes Taskforce 305-863-5000
FBI Report Internet Crime www.ic3.gov/complaint