Michigan State University
Controller's Office

Administration Bldg
426 Auditorium Rd, Rm 305
East Lansing, MI 48824
517 355-5020

SECTION 13:  Onboarding and Renewing Service Providers for Payment Card Services

Last updated:  August 2022

I. Policy

Purpose
MSU is contractually required to ensure that all card processing activity be compliant with the Payment Card Industry Data Security Standard (PCI DSS or PCI). PCI compliance applies to all entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data or could impact the security of the cardholder data environment (CDE). The CDE includes all entities involved in payment card processing. Note that some PCI requirements may also apply to entities that do not store, process, or transmit CHD – for example, entities that outsource payment operations or management. Entities that outsource their payment environments or payment operations to third parties remain responsible for ensuring that the account data is protected by the third party per applicable PCI requirements. The scope of the card processing activity includes people, processes, systems, applications, hardware, software, and anything connected to the card processing environment. To the extent a Third-Party Service Provider (TPSP) meets this definition, the requesting department must comply with this policy.

Scope
Applies to all MSU employees, faculty, staff, students, organizations, service providers, third-party merchants, individuals, processes, applications, systems, and networks involved with the processing, transmitting, or storing of payment card data, or any other entity or process that could impact the security thereof.

Financial Accuracy
Proper accounting of revenue and expenses is a critical byproduct of card processing. The Office of the Controller’s Cashier’s Office is responsible for ensuring entries are posted timely and accurately. Centrally supported vended solutions (e.g., Transact eMarket, PNC Merchant Accounts) have an automated or structured process for recording revenue and expense. All other vendors require customized manual posting, which is prone to error, inefficient, less timely, and not sustainable in the long term without additional resources.

Security & Compliance
The volume and variety of systems and technologies that have a payment card component is continually increasing as departments find more ways to bring in revenue. Having a formalized process will help minimize MSU’s risk of a security incident and ensure MSU maintains its own PCI compliance and overall Data Security by only partnering with PCI compliant service providers per requirement 12.8 of the PCI DSS.

Stakeholders
Office of the Controller, MSU IT, Procurement, General Counsel, Departments, Customers.


II. Procedure

  1. Evaluate Existing Vendors
    1. Review Manual of Business Procedures, Section 17.
    2. Review the Before Getting Started page on the ecommerce.msu.edu site.
    3. Contact the Office of the Controller’s Cashier’s Office at pcidss@ctlr.msu.edu or 517-355-5023 as early as possible regarding intent and business need to accept payment cards.
    4. The process can take up to several months depending on several factors, such as solution complexity, vendor’s PCI awareness, and vendor’s responsiveness.
    5. Cashier’s Office will advise regarding systems/providers currently under contract that may meet the stated business needs. Centrally supported solutions such as Transact eMarket for ecommerce and our primary card processor are required to be used if possible. The rationale for this is:
      1. Timing: Centrally supported services have been previously approved as meeting the PCI requirements, so approval and implementation can happen more quickly.
      2. Financial Accuracy: The process to record revenue and expenses for centrally supported services is either automated or centrally managed to ensure accurate and timely posting according to proper accounting requirements.
      3. Cost: In most cases, the contractual pricing is more favorable as it has been negotiated on larger volume.
      4. Help & Support: Each vended solution has its own login process, access management, routine patches, security updates, change management procedures, functionality, and support process. Staying current with these requires time, industry awareness, and overall awareness regarding any potential impact to inter-related university processes, such as data security, access management, network management, and financial accuracy.
    6. Cashier’s Office will assist the requesting department to evaluate whether an existing solution will meet their needs. If the existing solutions are deemed to be completely insufficient for a justifiable business need, the department must submit documentation to the Cashier’s Office for formal approval to pursue other options. Required documentation will be evaluated on a case-by-case basis. Once the documentation is accepted, the department may consider investigating other alternatives.
  2. Approval to Consider Existing or New Vendors
    1. If the Cashier’s Office accepts that an existing centrally supported solution will not meet the department’s business needs, the department is allowed to investigate other vendors for consideration. Preference will be given to existing vendors. The department must contact Procurement to discuss what solutions might be available. Any new alternatives must be able to provide evidence of being validated as a Level 1 PCI service provider and will be subject to a full review by Procurement, MSU IT’s Governance, Risk and Compliance Team, Cashier’s Office, and if appropriate, General Counsel before a contract will be signed.
    2. Please reference MBP Section 17 for allowable methods of card acceptance. Cashier’s Office staff must participate on RFPs as available and will advise as to acceptable features, software, and hardware.
  3. Overview of the Onboarding Process
    1. All vendors are subject to a security review whenever a contract is initiated or renewed. Note that PCI compliance requires the vendor to submit PCI documentation at least annually and as requested.
    2. Department initiates process.
      1. Submit IT Readiness Form.
      2. Submit Purchase Requisition in KFS.
      3. University Procurement and Logistics will advise and create Purchase Order.
      4. MSU IT GRC team will conduct Service Provider Security Analysis (SPSA). This ensures the prospective vendor complies with all relevant laws, regulations, and policies. Vendor will be instructed to complete the full HECVAT (Higher Education Community Vendor Assessment Toolkit). Note: HECVAT-Lite is not acceptable when cardholder data is involved.
      5. All contracts are subject to approval by the Office of the General Counsel.
      6. All payment card solutions are subject to approval by the Cashier’s Office.