II-4 PCI-DSS Compliance

Overview

Version 2.0
Last Revision Date: November 20, 2018
Approval Date: November 30, 2018
Approval Authority: CWRU Office of the Treasurer

Purpose

A standard approach to transmission of Payment Card Industry data from on-campus merchants.

Scope

This policy applies to all campus users and external merchants performing credit card transactions which utilize the university IT infrastructure to perform payment card processing.

Cancellation

Not applicable.

Policy Statement

General

The university does not support payment card processing in university-owned systems. The strategy is to outsource all payment card processing to off-site, PCI-compliant vendors, thereby minimizing the PCI compliance scope for university owned business processes (where the University is the merchant). In particular cases, where merchants are on-campus facilities, or use IT infrastructure within the university’s scope, these standards apply.

All PCI-DSS processing merchant activity must be approved annually by the University Treasurer’s Office.

Standards

CWRU [U]Tech publishes technical standards approved by the University Treasurer's Office. The standards described here are generalized to cover current and possible future Payment Card Industry security standards.

  • All payment card transmission will utilize fully encrypted pathways from the card entry to the payment processing merchant.
  • Network transmission of payment card information must not occur on campus academic networks.
  • No storage, processing, or archival of payment card data in university academic or business IT environments is permitted. This keeps university academic networks out of scope for PCI compliance and assures customers and merchants using payment cards of the integrity of their payment card information.
  • Regular auditing using data loss prevention tools must be performed to minimize the risk of payment card data being present on university IT systems.

Responsibility

Campus merchants: Ensure all credit card processing is performed in accordance with the PCI-DSS policy. Complete annual reporting of attestation of compliance to the CWRU Treasurer.

University Departments: When credit card processing is part of the department business process, perform an annual PCI-DSS self-assessment (SAQ) and submit the report to the University Treasurer’s Office for approval.

CWRU Information Security Staff: Perform regular vulnerability scanning of the network devices where PCI payment cards are scanned, submitting risk reports to the University Treasurer’s Office. Support data loss prevention software that allows users to audit IT systems for the presence of PCI data.

CWRU Network Management: Address and correct any deficiencies or risks found in the network security evaluations; deny network services to non-approved merchant activities.

Definitions

PCI-DSS: Payment Card Industry Data Security Standard, v3.2.1

SAQ: Self-Assessment Questionnaire

References

CWRU Draft Policy: I-3 Credit Card Management and PCI-DSS Policy

Payment Card Industry Data Security Standard, v3.2.1 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf)

Standards Review Cycle

This policy will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The policy may be reviewed on a more frequent basis depending on changes of risk exposure.