Payment Card Industry (PCI)
What is PCI?
The major credit card issuers created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when transactions are processed using a payment card.
What does it mean to USU?
- All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards if they want to accept credit cards.
- USU files compliance annually with Wells Fargo Merchant Services for each of our merchant accounts and our PCI network has to pass the quarterly vulnerability scans from Trustwave.
PCI 2.0 clarifies how the scope of the PCI environment is defined: it requires a recorded, repeatable process for discovering and documenting the Card Holder Data lifecycle in the environment.
What does that mean to USU?
USU needs to search all Windows and Mac computers, servers, shared files, and external media to verify that no electronic credit card data exists outside of the defined PCI scope.
How will USU achieve this requirement?
- A client will be installed on all Windows and Mac computers, servers, shared files, and external media. The software will be installed and managed by the support technicians who have ongoing HR job responsibilities for those resources, in compliance with the Computer Management Policy (#551).
- Clients will report back to a central database for review, remediation, and reporting purposes.
- All devices in the USU IP address space will be registered in IPAM annually to identify the various devices and for auditing purposes.
- Unit Administrators are responsible for ensuring that their areas are scanned and in compliance.
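As an added illustration of the kind of check such a discovery client performs (example code written for this page, not USU's or any vendor's tool): scan text for candidate card numbers, keep only those that pass the Luhn check to cut false positives such as order IDs and phone numbers, and report only masked values so the findings database never becomes cardholder data itself. The sample input is constructed.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits (the lookarounds enforce that).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most stray numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, source: str) -> list:
    """One finding per Luhn-valid candidate; the finding carries only the masked PAN."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append({"source": source, "line": lineno,
                                 "masked": mask_pan(digits), "length": len(digits)})
    return findings


# Constructed sample resembling a spreadsheet export found on a shared drive.
# Line 2 holds a 16-digit order ID (fails Luhn) next to a real-looking card number;
# line 4 is a phone number (too short); line 5 is a card number with a typo (fails Luhn).
SAMPLE = """\
customer,order_id,card
Alice,1234567890123456,4111 1111 1111 1111
Bob,9876543210,5555-5555-5555-4444
Carol,555-123-4567,no card on file
Dave,4111111111111112,
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "constructed:orders.csv"):
        print(finding)
```

Only the two Luhn-valid entries on lines 2 and 3 are reported, each masked; a production client would add file enumeration and send findings to the central database.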
When does USU need to achieve this requirement?
December 20, 2011 is the first time, and then annually after this.
What happens if USU does not meet compliance standards?
Failure to meet compliance standards results in fines from credit card companies and banks, and can even mean the loss of the ability to process credit cards.
Who will supervise this effort?
Since this requirement is driven by PCI, the PCI Compliance Officer will set the timeline for scans and the deadlines.
Other objectives?
In conjunction with this effort, the client also has the ability to search for other types of sensitive information, such as SSNs, HIPAA-protected health information, and other Personally Identifiable Information.
USU will take this opportunity to identify and secure all sensitive data to ensure that we are meeting our obligations of securing sensitive information.