Mobile device card swipe solutions are attractive to UNL departments. The following requirements must be followed in order to incorporate such devices into payment option processes and remain in PCI DSS compliance:
- Mobile device must be owned by UNL and documented with the UNL Bursar’s office by providing make, model, serial number, the location where the device will be stored when not in use, and the identity of the person(s) monitoring activity and usage.
- Mobile device must be securely managed by UNL using prescribed ITS lockdown technology.
- Mobile device must utilize the approved secure card reader Ingenico iCMP in conjunction with Converge Mobile for card processing.
- A cellular data plan must be utilized; do not use a wireless network.
- All users, and those managing the device, must sign the Mobile Device User Agreement. Agreements must be kept on file and included in annual PCI documentation.
- Any security controls regarding a password or PIN to access the device must be changed every 90 days.
- The mobile device can ONLY be utilized for processing card payments (e.g., no email, no other apps).
- If the device is available for use by multiple users, documentation must be maintained to log:
  - who has access to the device,
  - start/end date of use,
  - activity or event it is being used for,
  - where it will be stored when loaned out or when not in use.
- When the device is not in use, it should be physically secured from unauthorized access.
- All users must follow all UNL PCI DSS policies, including Security Awareness Training.