Payment Card Industry (PCI) Data Security Standard Compliance
Summary
This site provides guidance about the importance of protecting payment card data and customer information. Failure to protect this information may result in financial loss for customers, suspension of credit card processing privileges, fines, and damage to the reputation of the unit and the university.
Background
The PCI DSS is a mandated set of information security requirements set forth by the Payment Card Industry Security Standards Council. The PCI SSC was formed by the credit card industry to offer merchants and service providers a complete, unified approach to safeguarding cardholder data for all credit card brands. The security requirements apply to all transactions surrounding the payment card industry and to the merchants or organizations that accept these cards as a form of payment.
All merchants, including the University, must comply with the PCI DSS to accept card payments and avoid penalties. This document and additional supporting procedures shall provide guidance on roles and responsibilities for departments that accept card payments, as well as for departments and individuals responsible for compliance activities.
Applicability
This guide applies to those involved with payment card handling on behalf of the University, which may include faculty, staff, and students. This includes the transmission, storage, and processing of payment card data in any form.
Responsibility
Below are the areas of responsibility for each unit or individual involved in PCI Compliance.
Risk Management and Compliance
- Maintain an inventory of all WT departments that process payment card transactions, including the methods of payment accepted and primary contact information for the department's PCI lead.
- Monitor compliance with annual PCI DSS training assignments.
- Coordinate completion of the annual self-assessment documents (SAQs).
- Collect departmental PCI procedures as part of the annual SAQs.
- Maintain the inventory of all card reader devices, merchant IDs, and terminal IDs along with their activation status.
- Assure payments are accepted in compliance with TAMUS policies and contracts, as well as state Treasury policies. (Shared responsibility with Business and Finance)
Information Security Office
- Implement and maintain security standards required by PCI DSS.
- Keep current with PCI DSS regulations and make changes to systems and processes, as appropriate.
- Approve all new merchants and any software or technology used to process, store, or transmit cardholder data.
- Consult on technical PCI DSS issues.
- Approve all PCI SAQ documents.
Business and Finance
- Keep current with PCI DSS regulations and make changes to processes, as appropriate.
- Evaluate departmental procedures and compliance with PCI DSS as part of scheduled cash handling reviews.
- Assure payments are accepted in compliance with TAMUS policies and contracts, as well as state Treasury policies. (Shared responsibility with Risk Management and Compliance)
- Approve all PCI SAQ documents.
Departments Accepting Payments
- Designate a PCI lead for the department who will be responsible for all PCI requirements of the department.
- Maintain departmental Standard Operating Procedures (SOPs) for PCI compliance and verify that staff understand the procedures and their responsibilities. Procedures shall be reviewed for needed changes at least annually and distributed to all departmental staff.
- Complete the required annual PCI self-assessment (SAQ).
- Manage departmental PCI training compliance via Train-Traq, including completion by new hires within 30 days and annual renewals for all other staff.
- Maintain up-to-date vendor documentation for any point-of-sale or online system used for payment processing, including PCI certification, technical documents, and contact information for the vendor's fraud or information security team.
Payment Card Handlers and Processors
- Review department procedures regarding PCI compliance at least annually.
- Follow the established cash receipts and PCI procedure for their department.
- Complete the annual PCI training in Train-Traq.
- Report occurrences of possible incidents and data breaches to your supervisor or the Information Security Officer.
All Members of the University Community
- Safeguard cardholder data.
- Report occurrences of possible incidents and data breaches to your supervisor or the Information Security Officer.
Third Party Vendors (Aramark, Imperial, etc.)
- Provide confirmation of compliance.
- Maintain records of PCI training for all employees involved in card transactions.