Background

The Payment Card Industry Data Security Standard (PCI DSS) Program is a mandated set of security requirements that were created by the major credit card companies to offer merchants and service providers a complete, unified approach to safeguarding cardholder data for all credit card brands.

The PCI Data Security Standard requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The requirements apply to all methods of credit card processing, from manual to computerized; the most comprehensive and demanding requirements apply to e-commerce websites and retail POS systems that process credit cards over the Internet. This document addresses all the requirements of the Payment Card Industry Data Security Standard (PCI DSS).

For the most up-to-date information about this standard visit the official website at: https://www.pcisecuritystandards.org.

Policies, Roles and Incidents

All policies associated with transmitting, processing and storing credit card information will be reviewed annually and updated as appropriate by the PCI Compliance Committee.

The following roles are involved in compliance with PCI DSS:

  • The Executive Director of Finance and the Information Security Officer co-chair the PCI Compliance Committee and are responsible for reading, understanding and ensuring that all University merchants comply with PCI standards. They will also review the PCI compliance of all third-party service providers.
  • Merchant ID owners are responsible for reading, understanding and complying with PCI policy, with assistance from the PCI Compliance Committee.
  • System owners and system administrators involved in transmitting, processing and storing cardholder information are responsible for reading, understanding and complying with PCI policy.

Any incidents involving systems that transmit, process, or store cardholder information must be reported to the Information Security Officer for investigation. Standard incident response procedures and notifications will be followed in accordance with PCI DSS and any state or federal laws.

PCI DSS Compliance – Completion Steps

  1. Assess your environment for compliance with the PCI DSS (with assistance from the PCI Compliance Committee).
  2. Complete the appropriate Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
  3. Complete the Attestation of Compliance in its entirety.
  4. Submit the SAQ and the Attestation of Compliance, along with any other requested documentation, to the University PCI Compliance Team.
  5. Each merchant owner will be provided access to a mechanized tool for completing the self-assessment questionnaire and attestation of compliance.

Self-Assessment Questionnaires

All merchant IDs are required to comply with the PCI DSS in its entirety. This is accomplished through self-assessment questionnaires. Visit the PCI website for more information.

Instructions for Completing the SAQ

  1. The PCI Compliance Team will assist you in using the guidelines herein to determine which SAQ is appropriate for your merchant ID(s).
  2. Assess your environment for compliance with the PCI DSS based on the information above.
  3. Use the appropriate Self-Assessment Questionnaire (SAQ) as a tool to validate compliance with the PCI DSS.
  4. You will be provided with access to a mechanized tool and detailed instructions to aid you in completing the Self-Assessment Questionnaire for your merchant ID(s).