...
PCI DSS is divided into 6 areas with 12 requirements.
Areas | Requirements | Responsible Party
---|---|---
Build and maintain a secure network and systems | Install and maintain a firewall configuration to protect cardholder data. | N/A - SPU does not allow unencrypted cardholder data to traverse the SPU network.
Build and maintain a secure network and systems | Do not use vendor-supplied defaults for system passwords and other security parameters. | SPU merchant
Protect cardholder data | Protect stored cardholder data. | SPU merchant
Protect cardholder data | Encrypt transmission of cardholder data across open, public networks. | SPU merchant, using existing Payment Gateway Service Providers or P2PE hardware solutions.
Maintain a vulnerability management program | Protect all systems against malware and regularly update anti-virus software or programs. | CIS
Maintain a vulnerability management program | Develop and maintain secure systems and applications. | CIS
Implement strong access control measures | Restrict access to cardholder data by business need-to-know. | SPU merchant
Implement strong access control measures | Identify and authenticate access to system components. | CIS / SPU merchant
Implement strong access control measures | Restrict physical access to cardholder data. | SPU merchant
Regularly monitor and test networks | Track and monitor all access to network resources and cardholder data. | SPU merchant / CIS
Regularly monitor and test networks | Regularly test security systems and processes. | CIS
Maintain an information security policy | Maintain a policy that addresses information security for all personnel. | CIS
Key Roles and Responsibilities in PCI Compliance
...
A manager is required to approve refunds.
CIS
CIS staff are to be involved in the design, implementation, development, maintenance, and administration of any systems that involve payment card transactions.
...
To inquire about P2PE or Payment Gateway Service Provider solutions, contact Finance.
In person payments
Card Present Transactions
Card swipe or chip-insert at point of sale using a P2PE device. This must occur in view of the customer. CVVs must not be copied or stored.
...
Never process payment cards by entering the card numbers directly on your computer's keyboard. Only approved, PCI-validated point-to-point encryption (P2PE) devices may be used to key in card numbers. The only exception to this rule is for approved users of Converge.
Card-Not-Present Transactions
SPU prohibits the acceptance of credit card information by fax, email or instant messenger. As a best practice, the University strongly discourages the acceptance of credit card information via mail or phone.
...
If your department accepts paper forms with credit card information via mail, take precautions to protect the information.
Store information in a secure location inaccessible to unauthorized personnel, such as a safe in a locked room.
Clearly mark documents as containing sensitive information, for example, in a folder labeled “Confidential.”
After you have processed the payments, immediately shred the paper records using a cross-cut shredder. Do not tear paper by hand or use a straight-cut shredder.
The use of a virtual terminal with a PCI validated P2PE device is the only permitted method of accepting card payments over the phone. The only exception to this rule is for approved users of Converge.
When accepting payments over the phone, it is critical that you do not type credit card numbers into your computer using its keyboard.
Never write down cardholder information for processing at a later time.
Self-service payments
Online payments, or e-commerce payments, are a very popular way for customers to make donations, purchase tickets and other items.
...
If a customer calls and wants help with an online payment page, you cannot go onto that page and complete the transaction for them over the phone. You must use a PCI validated P2PE device to take payments over the phone on campus (the only exception to this rule is for approved users of Converge).
Never recommend that a customer use public or shared systems for financial transactions, i.e., do not direct customers to an SPU computer lab, classroom, or kiosk computer to enter their card information. Provide the URL so they can complete the transaction on a device of their choice.
Internal Software
Many software systems are built to accept payments online. If you are a user of the software system and can access the customer database, be sure to immediately alert your supervisor if you are able to see cardholder information.
Password Management
The PCI Security Standards Council requires you to update your software password at least every 90 days. Use complex passwords and never reuse passwords. Also, never use the default passwords that sometimes ship with software systems. Remember to keep your account log-in information secure, and don't share it with others. If you provide someone else with access to your log-in information and that person violates the PCI DSS requirements or even causes a security breach, you may be held responsible.
P2PE devices
Device Inventory
Managers are responsible for keeping an accurate inventory of all devices that accept credit card payments in your department. Include each device’s make and model, location (for example, the address of the site or facility where the device is located), and the serial number or other method of unique identification. Be sure to update this list each time you dispose of a device or get a new one.
Device Disposal
Be careful when disposing of old equipment.
Return old payment card terminals to Finance for proper disposal.
“Wipe” or remove all information from hard drives before replacing, selling, or discarding workstations.
FAQs
What if cardholder data is sent to you unsolicited via email? Immediately notify the customer that the University does not accept cardholder data via email and provide alternative methods of completing the transaction. If an email is sent back to the customer, any cardholder data must be deleted from the return message. After the customer has been notified, delete the email permanently (from the email store, Deleted Items, and Recover Deleted Items).
What cardholder data needs to be protected?
Account data or cardholder data that you need to protect includes—but is not limited to—the following:
card number, known as the Primary Account Number (PAN)
cardholder name
expiration date
customer’s payment address.
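The FAQ above says that any cardholder data must be removed from a reply before it goes back to the customer, and the list just given names the elements to protect. The following is an added example, not part of the University's policy or tooling, showing how a defender might check a message body for card numbers before replying: it finds candidate Primary Account Numbers (13 to 19 digits, optionally separated by spaces or hyphens), confirms them with the Luhn mod-10 check so that order or reference numbers are not mistaken for PANs, and replaces each confirmed PAN (and, only when a PAN was found, any nearby MM/YY expiration date) with a placeholder. The regular expressions, placeholder strings and sample email are constructed for this example; cardholder name and address are not detected here, since those need context the text alone does not give.

```python
import re

# Candidate PAN: 13-19 digits, optional single space or hyphen between digits.
# The lookarounds stop the pattern from matching a slice of a longer digit run.
# Constructed pattern for this example; tune to the formats your mailbox actually sees.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Expiration date written as MM/YY or MM/YYYY. Only applied once a PAN has been
# found in the same message, to avoid redacting ordinary dates.
_EXPIRY_RE = re.compile(r"\b(0[1-9]|1[0-2])\s*/\s*(\d{2}|\d{4})\b")

PAN_PLACEHOLDER = "[PAN REMOVED]"
EXPIRY_PLACEHOLDER = "[EXPIRY REMOVED]"


def luhn_valid(digits: str) -> bool:
    """Return True if a string of decimal digits passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    """True if the candidate (separators allowed) is a Luhn-valid 13-19 digit PAN."""
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in text, exactly as it was written."""
    return [m.group(0) for m in _PAN_RE.finditer(text) if _is_pan(m.group(0))]


def redact_cardholder_data(text: str) -> tuple[str, int]:
    """Replace confirmed PANs (and, if any were found, expiry dates) with placeholders.

    Returns the cleaned text and the number of PANs that were removed, so the
    caller can both send a safe reply and decide whether the original message
    must be purged under the FAQ procedure.
    """
    count = 0

    def _mask(m: re.Match) -> str:
        nonlocal count
        if _is_pan(m.group(0)):
            count += 1
            return PAN_PLACEHOLDER
        return m.group(0)       # Luhn-invalid digit run, e.g. an order number: keep it

    clean = _PAN_RE.sub(_mask, text)
    if count:
        clean = _EXPIRY_RE.sub(EXPIRY_PLACEHOLDER, clean)
    return clean, count


# Constructed sample message; 4111 1111 1111 1111 is a well-known Luhn-valid test number,
# and 12345678901234 fails the Luhn check, as a genuine order number usually will.
SAMPLE_EMAIL = (
    "Hi, please charge my card 4111 1111 1111 1111, exp 09/27, for two tickets.\n"
    "My order number is 12345678901234 if that helps."
)

if __name__ == "__main__":
    cleaned, removed = redact_cardholder_data(SAMPLE_EMAIL)
    print(f"PANs removed: {removed}")
    print(cleaned)
```

Run against the constructed sample, the card number and expiry are replaced while the Luhn-invalid order number is left intact, and the count of 1 tells the handler that the original message itself now has to be permanently deleted as the FAQ describes.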
...