Payment Card Industry (PCI) Compliance
The Payment Card Industry (PCI) Security Standards Council developed a set of financial and information technology standards to protect credit cardholder's data. These standards govern all merchants and organizations that collect, process, store, or transmit credit card information.
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all University departments and organizations that accept payment cards for financial transactions. Adhering to the PCI DSS requirements provides critical protective measures to make sure that payment card data is being kept safe throughout every transaction.
- Department’s should consult with Business Affairs regarding their ability to comply with PCI requirements.
- Notify Business Affairs and/or the Information Security group immediately in the event of suspected fraud or data breach.
- Ensure that all business processes for accepting, processing, storing, and disposing of cardholder data are updated, documented and comply with the PCI DSS.
- Identify positions that require access to payment card data and system components and limit access to only those employees whose job requires such access. Request Information Services deactivate/remove user’s application and access when they no longer require access to cardholder data environments.
- Provide a proper control environment, including segregation of duties, for processing payment card transactions.
- Maintain a departmental listing of all applicable card processing devices and computer systems.
- Ensure that employees have reviewed and understand their responsibilities and have been properly trained on departmental business processes for handling cardholder data and conduct PCI Compliance Training on an annual basis.
- Perform an annual PCI self-assessment.
- Consult with Business Affairs prior to signing contracts with payment card service providers to ensure PCI contract language has been included in any new or renewed agreement.
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Reviewed: June 14, 2018