Johns Hopkins University Policy and Procedure

POLICY
This policy applies to all entities within the Johns Hopkins Institutions.
Purpose
Johns Hopkins University
Policy and Procedure
The purpose of this policy is to establish a framework from which to ensure that all credit card data
received by the Johns Hopkins Institutions is processed in compliance with current Payment Card
Industry Data Security Standards (PCI-DSS) standards. The Payment Card Industry (Master Card, VISA,
American Express, Discover and other major card issuers) has established important and stringent
security requirements to protect credit card data. Compliance with PCI-DSS standards is mandatory.
Without compliance, the Johns Hopkins Institutions would be subject to financial liability and reputational
risk.
Oversight Committee
An Oversight Committee will be established. Membership is to include representatives of the Treasury
Offices of the Johns Hopkins University and the Johns Hopkins Health System, Data the Chief the Chief
Information Security Officer and end users. Chairmanship of the committee will rotate between the
Treasury offices of the Johns Hopkins University and the Johns Hopkins Health System on an annual
basis. The Oversight Committee will provide for an efficient coordination of policies and resources to
ensure that procedures and practices within the Johns Hopkins Institutions are in compliance with PCI-
DSS standards. The Oversight Committee will meet regularly.
Authority and Responsibility
The Treasury Office of each institution is responsible for maintaining a relationship with an approved
merchant bank. Each Treasury Office is responsible for securing credit card merchant accounts when a
requester demonstrates a business need. Unused merchant accounts should be closed.
An authorized person within each affiliate or university department is responsible for completing an
annual PCI Self Assessment Questionnaire and must certify that their organization is PCI-DSS compliant.
A current version of the SAQ is posted at pcisecuritystandards.org/saq/index.shtml. The appropriate
Treasury Office will provide assistance as requested. The Treasury Office will collect the assessments
and submit an annual Report on Compliance to the Oversight Committee.
The Data Security OfficeChief Information Security Officer (CISO) or designee will provide guidance in the
area of network security as it pertains to credit card information transmitted or stored on a Johns Hopkins
network. When it is appropriate, the Data Security OfficeCISO, with the agreement of each Treasury
Office, may engage the services of a consultant with expertise in network security and PCI-DSS
Standards.
Scope
This policy applies to each person who comes in contact with credit card information. It also applies to all
computing and network software or equipment, whether it is owned or leased by the Johns Hopkins
Institutions, which is used to process or store credit card data.

Internal Compliance Requirements
Johns Hopkins University
Policy and Procedure
1) All credit card merchant accounts must be approved by the Treasury Office.
2) Management and employees are familiar with and adhering to PCI standards.
3) Each affiliate or department (as determined by the Treasury Office) must complete the annual self
assessment questionnaire.
4) Any proposal for a new process (electronic or paper) must be approved by the Treasury Office
and the Data Security OfficeCISO or designee.
5) Approved methods of processing credit card payments are:
a-Point of Sale processing using dedicated phone lines.
b-Web-based processing using a PCI compliant service approved by the Treasury Office.
c-Alternate methods approved on a case by case basis by the Treasury Office and the
Data Security OfficeCISO.
6) Cardholder data is considered “restricted Information” under Johns Hopkins Institution Information
Technology policies (located at http://it.jhu.edu/policies/itpolicies.html) and is subject to the
controls described in the policies including technical and security controls.
7) If a workforce member observes the unauthorized or inappropriate use of restricted information
such as cardholder information, it is the responsibility of that person to notify a supervisor, an
institutional officer or the Compliance Hotline 1-877-932-6675.
8) Any breach of network security involving credit card information must be reported to the CISO.
PCI - DSS Requirements
1) Maintain a firewall configuration to protect cardholder data.
2) Vendor-supplied defaults for passwords or other security should not be used.
3) Protect cardholder data.
4) Encrypt transmission of cardholder data.
5) Maintain and update anti-virus software.
6) Develop and maintain security systems and applications.
7) Restrict access to cardholder data to a “need to know” basis.
8) Assign a unique user ID to each computer user.
9) Restrict physical access to cardholder data.
10) Track and monitor all access to network resources and cardholder data.
11) Regularly test systems and processes.
12) Maintain and update policies that address security for employees and contractors.
PCI – DSS System Validation Requirements
For purposes of selecting a compliance level, it is assumed that the Johns Hopkins Institutions are at a
Merchant Level 2. Accordingly, an annual self assessment questionnaire must be completed and a
quarterly Network scan must be performed by an approved consultant. The oversight committee will
review data concerning payment card transactions at the Johns Hopkins institutions. A determination
based on that review will be made to identify the institution’s “Merchant Level” as defined by the Payment
Card Institute. The actions taken to validate compliance with PCI DSS will be appropriate to the Merchant
Level.
Definition of Terms
Merchant Account A relationship established by the Treasury Office with a bank to process credit
cards.

Johns Hopkins University
Policy and Procedure
Credit Card Data Full magnetic stripe or the PAN (primary account number) plus a cardholder
name, card expiration date or service code.
PCI-DSS Payment Card Industry Data Security Standard
The PCI-DSS is a comprehensive set of requirements established by the PCI
Security Standards Council for enhancing payment account data security. It is a
multifaceted standard that included requirements for security management,
policies, procedures, network architecture, software design and other critical
protective measures.
PCI Security This organization defines credentials and qualifications for assessors and
Standards Council vendors as well as maintaining the PCI-DSS.