Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

PCI DSS is divided into 6 areas with 12 requirements.

Areas

Requirements

Responsible Party

Build and maintain a secure network and systems

Install and maintain a firewall configuration to protect cardholder data.

CIS

N/A - SPU does not allow unencrypted cardholder data to traverse the SPU network.

Do not use vendor-supplied defaults for system passwords and other security parameters.

SPU merchant

 

Protect cardholder data

Protect stored cardholder data.

SPU merchant

Encrypt transmission of cardholder data across open, public networks.

SPU merchant via using existing Payment Gateway Service Providers or P2PE hardware solutions.

Maintain a vulnerability management program

Protect all systems against malware and regularly update anti-virus software or programs.

CIS

Develop and maintain secure systems and applications.

CIS

Implement strong access control measures

Restrict access to cardholder data by business need-to-know.

SPU merchant

Identify and authenticate access to system components.

CIS / SPU merchant

Restrict physical access to cardholder data.

SPU merchant

Regularly monitor and test networks

Track and monitor all access to network resources and cardholder data.

CIS /

SPU merchant / CIS

Regularly test security systems and processes.

CIS

Maintain an information security policy

Maintain a policy that addresses information security for all personnel.

CIS

Key Roles and Responsibilities in PCI Compliance

...

A manager is required to approve refunds.

CIS

CIS staff are to be involved in the designimplementation, development, maintenance, and administration of any systems that involve payment card transactions.

...

Never process payment cards by entering the card numbers directly on your computer’s keyboard. Only the P2PE devices are allowed to type in card numbers. The only exception to this rule is for approved users of Converge.

Card-Not-Present Transactions

...

  • If your department accepts paper forms with credit card information via mail, take precautions to protect the information.

  • Store information in a secure location inaccessible to unauthorized personnel, such as a safe in a locked room.

  • Clearly mark documents as containing sensitive information, for example, in a folder labeled “Confidential.”

  • After you have processed the payments, immediately shred the paper records using a cross-cut shredder. Do not tear paper by hand or use a straight-cut shredder. 

  • The use of a virtual terminal with a PCI validated P2PE device is the only permitted method of accepting card payments over the phone. The only exception to this rule is for approved users of Converge.

    • When accepting payments over the phone, it is critical that you do not enter in credit card numbers into your computer using your computer keyboard.

    • Never write down cardholder information for processing at a later time.

...

If a customer calls and wants help with an online payment page, you cannot go onto that page and complete the transaction for them over the phone. You must use a PCI validated P2PE device to take payments over the phone on campus (the only exception to this rule is for approved users of Converge).

Never recommend a customer uses public/shared systems for financial transactions i.e. do not direct customers to an SPU computer lab, classroom, or kiosk computer to enter their card information. Provide the URL where they can select a device of their choice to complete the transaction.

...