May 14, 2025  
Employee Handbook 
    
Policy: 4.17 Credit Card Processing and Handling Security


Business and Operating Policies and Procedures  

Adoption Date: August 22, 2019  Reaffirmed

Effective Date:

A.   Purpose

The purpose of the Credit Card Processing and Handling Security Policy is to outline Howard County Junior College District “Howard College” credit card security requirements as required by the Payment Card Industry Data Security Standard (PCI DSS) Program. Howard College is committed to these security policies to protect credit card information received by authorized Howard College employees and will take all appropriate measures to protect credit card data used to make payments to Howard College.

Howard College employees in a position to receive and process credit card transactions are required to review and sign this policy. 

 

B.   Procedures                                                                                                                

Protect Stored Cardholder Data

  • The full contents of any track data from the magnetic stripe (located on the back of a card, equivalent data contained in a chip, or elsewhere) are not stored under any circumstance.
  • The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstance.
  • The personal identification number (PIN) or the encrypted PIN Block is not stored under any circumstance.
  • Howard College will mask the primary account number. A properly masked number will show no more than the first six and last four digits of the primary account number.

Encrypt Transmission of Cardholder Data Across Open, Public Networks

  • Sending unencrypted credit card information by end user messaging technologies (email, instant messaging, chat, etc.) is prohibited.

Restrict Access to Cardholder Data by Business (Need to Know)

  • Access to cardholder information and data is limited to only those individuals whose jobs require such access.
  • Only authorized employees may process credit card transactions.
  • Such authorization is based on job classification and function.
  • A signed acknowledgement of this security policy shall be maintained in each authorized individual’s employee file.

Restrict Physical Access to Cardholder Data

Physically Secure All Media Containing Cardholder Data

  • Hard copies of transaction documentation (paper, receipts, reports, etc.) are stored in a separate, secure room within the Student Accounting office in Big Spring.
  • Hard copies of transaction documentation (paper, receipts, reports, etc.) from the Lamesa and San Angelo sites are sent to Big Spring where they are stored in a separate, secure room.
  • Credit card terminals are only accessible to employees who require entrance into the area in order to perform functions of their jobs.
  • Other security safeguards used include doors that only open with a keypad code, security cameras and multiple entry doors that are locked when the office is closed.

Destruction of Data

  • Credit card payments may be accepted via telephone, physical mail, or in person. 
  • All hard copy materials must be destroyed when no longer needed.
  • Never handwrite information unless unable to process a transaction immediately. Once the payment is processed and confirmed, immediately shred any written data.

Protection of Payment Devices

  • Swipe readers and any other payment terminals must be protected. This protection must include preventing the devices from being tampered with or substituted.
  • Howard College maintains an up-to-date list of devices. Employees must maintain the integrity and accuracy of the inventory.

The inventory list includes:

  • Make and model of all devices
  • Location of each device
  • Device serial number or other method of unique identification

  • The inventory list is updated by the Chief Fiscal Officer/Controller or District Director of Financial Accounting/Assistant Controller when device locations change, devices are added, or existing ones removed.
  • The devices must be periodically inspected to check for tampering or detect substitution.
  • Employees whose job functions include interacting with the payment devices are provided training that enables them to be aware of attempted tampering or replacement of devices.
  • Employees must verify the identity of third-party persons claiming to be repair or maintenance personnel prior to granting them access.
  • Employees must not install, replace, or return devices without verification from management.
  • Employees must be aware of suspicious behavior.
  • Employees must report suspicious behavior to the Chief Fiscal Officer/Controller, or designee.

Maintain a Policy that Addresses Information Security for Employees and Contractors

  • Howard College employees in a position to receive and process credit card transactions are required to review and sign an acknowledgement of this policy. 
  • The policy is reviewed annually.
  • The Chief Fiscal Officer/Controller or designee should be notified immediately of any suspected or real security incidents involving cardholder data.
  • In the event of a breach or compromise of cardholder data or processing terminals, the Chief Fiscal Officer/Controller, the District Director of Financial Accounting/Assistant Controller or the District Director of Student Accounting shall notify applicable card associations, merchant service providers, and appropriate law enforcement.