Payment Card Industry (PCI) Compliance

The Payment Card Industry (PCI) Security Standards Council developed a set of financial and information technology standards to protect credit cardholder's data. These standards govern all merchants and organizations that collect, process, store, or transmit credit card information.

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all University departments and organizations that accept payment cards for financial transactions. Adhering to the PCI DSS requirements provides critical protective measures to make sure that payment card data is being kept safe throughout every transaction.

General Guidelines

  • Department’s should consult with Business Affairs regarding their ability to comply with PCI requirements.
  • Notify Business Affairs and/or the Information Security group immediately in the event of suspected fraud or data breach.
  • Ensure that all business processes for accepting, processing, storing, and disposing of cardholder data are updated, documented and comply with the PCI DSS.
  • Identify positions that require access to payment card data and system components and limit access to only those employees whose job requires such access. Request Information Services deactivate/remove user’s application and access when they no longer require access to cardholder data environments.
  • Provide a proper control environment, including segregation of duties, for processing payment card transactions.
  • Maintain a departmental listing of all applicable card processing devices and computer systems.
  • Ensure that employees have reviewed and understand their responsibilities and have been properly trained on departmental business processes for handling cardholder data and conduct PCI Compliance Training on an annual basis.
  • Perform an annual PCI self-assessment.
  • Consult with Business Affairs prior to signing contracts with payment card service providers to ensure PCI contract language has been included in any new or renewed agreement.

Basic Requirements

Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Use and regularly update anti-virus software and programs
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need to know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain an Information Security Policy
  • Maintain a policy that addresses information security for all personnel
PCI Data Security Standard (DSS) Version 3.2.1

Reviewed: February 16, 2024