PCI DSS Policy

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements maintained by the PCI Security Standards Council (PCI SSC) to protect cardholder data. Its scope covers every system component that stores, processes or transmits cardholder data, together with the components connected to them. The standard applies to all business entities that store, process or transmit cardholder data. The Council manages and publishes the standard; enforcement of compliance is carried out by the payment brands that founded the Council, including American Express, Discover Financial Services, MasterCard and Visa, through their agreements with merchants and acquiring banks. All University departments that accept or process payment cards must comply with the PCI DSS.

OBFS-Merchant Card Services is responsible for administrative oversight of PCI DSS compliance for the University's merchant card processing units. Each unit must undergo periodic reviews of its processing environment by Merchant Card Services to confirm that all policies and procedures are being followed. As with any business operation, a unit is also subject to formal review by the Office of University Audits. It is the responsibility of the unit to follow all policies and procedures, in accordance with the agreements the University has entered into and with the PCI DSS.

The University follows the Payment Card Industry Data Security Standard (PCI DSS) for payment card security. Merchant units that do not follow these requirements may have their card acceptance revoked and be limited to cash or check transactions. Employees who retain or share cardholder account data for misuse are subject to investigation, disciplinary action and/or termination of employment, and may also be subject to criminal prosecution.

Compliance

To comply with the PCI DSS, all units that accept payment cards must meet the 12 requirements of PCI DSS v2.0, grouped below under the standard's six control objectives:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel

The full text of each requirement, including its testing procedures, is published by the PCI SSC in the PCI Data Security Standard.

Training

For PCI DSS training, compliance questions and departmental consulting, please contact Merchant Card Services.

Last Updated: May 3, 2010