Payment Card Industry (PCI)
What is PCI?
Visa, MasterCard, Discover, American Express and JCB created the Payment Card Industry Data Security Standard (PCI DSS) to protect cardholders and merchants from fraud.
The PCI DSS is a dynamic standard that adapts to changes in fraud trends in our card-carrying world. This multifaceted security standard outlines requirements for “security management, policies, procedures, network architecture, software design and other critical protective measures” according to the PCI Security Standards Council.
PCI DSS is a required standard that all merchants, service providers and banks have to comply with to retain their credit card processing privileges. If a breach occurs, fines, loss of credit card privileges and damage to the USU brand will follow.
12 PCI DSS Requirements
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
PCI Compliance is a collaborative effort between the VP of Business and Finance and the merchants. Each merchant that wishes to accept credit cards as a form of payment for USU business will participate in the activities below.
- All merchants and departments accepting, storing or processing credit card data via phone, paper, electronic or face-to-face terminals need to comply with the PCI DSS requirements on an ongoing basis. The data security standards need to be part of the best business procedures practiced daily.
- Each merchant will assist the PCI Compliance officer in completing the Attestation of Compliance and the Self-Assessment Questionnaires that will be submitted to the Merchant Services annually.
- Each merchant will submit documentation on business practices, system setup, hardware and software security certification, and any other documents as needed to the PCI Compliance officer on an annual basis.
- Employees and volunteers at USU that have access to the credit card data flow will participate in an annual Credit Card Security Training. Such access to the credit card data flow includes, but is not limited to, POS cashiers, network access, storage areas, servers, mail services and device maintenance.
- All credit card software and hardware will need to provide a PCI DSS or PA DSS certification before it can be installed, upgraded, utilized, or purchased by USU.
- All credit card hardware and software at USU needs to reside on the PCI network and be accessed by a dedicated device. Email and internet access will be restricted on the PCI network.
- All merchants need to fully comply with all PCI DSS standards, USU’s Credit Card Handling and Acceptance Policy & Procedures, and all other guidelines set forth by Utah State University.