What is PCI?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of rules and guidelines designed to help anyone who stores, processes or transmits credit card (cardholder) data keep that data safe and secure.
Who is responsible for PCI compliance?
If your department processes credit card payments, then you have a merchant account for processing those payments. Each department is the custodian of its merchant account(s), and PCI compliance for them falls to the department. CITE's role in PCI is to review the technical controls and ensure the network security requirements are met. Bad actors are most likely to find inroads to our systems through non-technical methods such as social engineering, so the people who handle cards and the procedures they follow matter as much as the technology.
Why does it matter?
PCI compliance matters on multiple levels. Non-compliance can lead to fines and increased processing fees, termination of the merchant account (losing the ability to accept card payments), and broken trust with customers as well as business partners.
Quarterly Reviews
To help ensure merchants stay in PCI compliance, campus merchants are required to complete a quarterly review of their PCI environment and compliance status. The review schedule is as follows:
- Spring (March)
- Summer (June)
- Fall (September)
- Winter (December)
Each quarter, the department member identified in Campus Guard as the main PCI contact for each merchant will receive an email from CITE containing instructions and documents for review. That contact will need to complete the following:
- Review Campus Guard personnel – Each merchant must list the parties responsible for compliance. Review the list and let us know if there are any updates (staff who have left, changed roles, or joined the department).
- Review training requirements and personnel compliance – Merchants are required to maintain security documentation that identifies personnel responsibilities, procedures and training. Review it and confirm that everyone in your area who processes cardholder data has read these documents and completed any required training.
- Review device inventory for changes – CITE will provide a copy of the most recent device inventory on file for your department. Review it, document any additions, removals or relocations, and return an updated copy for our records. During each review CITE will check the inventory for operating system patch levels and antivirus/anti-malware status.
- Examine devices for tampering – While confirming the inventory, check your equipment for signs of tampering, for example broken or missing tamper-evident seals, serial numbers that no longer match the inventory, or unfamiliar attachments or overlays on card readers. Let CITE know if you would like help assessing your department's specific equipment and learning what to look for. The odds are low, but if any tampering is detected, or you suspect equipment is compromised, discontinue use of that device and contact CITE.
- Review service providers' AOCs for expiration – AOC stands for Attestation of Compliance, a form certifying that a service provider has completed its PCI assessment. We will also provide a copy of the last AOC(s) you submitted so you can confirm they are still current and cover the services your department actually uses. If any are out of date, request a current copy from the service provider and forward it to CITE.