Last Revision Date: November 20, 2018
Approval Date: November 30, 2018
Approval Authority: CWRU Office of the Treasurer
A standard approach to transmission of Payment Card Industry data from on-campus merchants.
This policy applies to all campus users and external merchants performing credit card transactions which utilize the university IT infrastructure to perform payment card processing.
The university does not support payment card processing on university-owned systems. The strategy is to outsource all payment card processing to off-site, PCI-compliant vendors, thereby minimizing the PCI compliance scope for university-owned business processes (where the University is the merchant). In particular cases, where merchants are on-campus facilities or use IT infrastructure within the university’s scope, these standards apply.
All merchant activity involving PCI-DSS processing must be approved annually by the University Treasurer’s Office.
CWRU [U]Tech publishes technical standards approved by the University Treasurer's Office. The standards described here are generalized to cover current and possible future Payment Card Industry security standards.
- All payment card transmission will utilize fully encrypted pathways from the card entry to the payment processing merchant.
- Network transmission of payment card information must not occur on campus academic networks.
- No storage, processing, or archival of payment card data in university academic or business IT environments is permitted. This keeps university academic networks out of scope for PCI compliance and assures customers and merchants using payment cards of the integrity of their payment card information.
- Regular auditing using data loss prevention tools must be performed to ensure minimized risk of payment card data
Campus merchants: Ensure all credit card processing is performed in accordance with the PCI-DSS policy. Complete annual reporting of attestation of compliance to the CWRU Treasurer.
University Departments: When credit card processing is part of the department business process, perform an annual PCI-DSS self-assessment (SAQ) and submit the report to the University Treasurer’s Office for approval.
CWRU Information Security Staff: Perform regular vulnerability scanning of the network devices where PCI payments are scanned, submitting risk reports to the University Treasurer’s Office. Provide and support data loss prevention software so that users can audit IT systems for the presence of PCI data.
CWRU Network Management: Address and correct any deficiencies or risks found in the network security evaluations; deny network services to non-approved merchant activities.
PCI-DSS: Payment Card Industry Data Security Standard, v3.2.1
SAQ: Security Assessment Questionnaire
CWRU Draft Policy I-3: Credit Card Management and PCI-DSS Policy
Payment Card Industry Data Security Standard, v3.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf)
Standards Review Cycle
This policy will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The policy may be reviewed on a more frequent basis depending on changes of risk exposure.