II-4a PCI-DSS Technical Standards

Overview

Version 1.0
Last Revision Date: March 29, 2019
Approval Date: April 11, 2019
Approval Authority: CWRU PCI Compliance Committee

Purpose

A standard approach to the transmission of Payment Card Industry data. Technical controls are an integral part of the PCI compliance framework. In our current environment, the university can only be compliant if the university network is not in scope for compliance. Required technical controls are grouped into four different categories depending on the method of payment and the vendor's relationship with the university.

Scope

This standard applies to all CWRU-related merchant activity on the university campus that intends to use payment card technologies.

Standards

Card Present - University Merchant

This category is for university offices, departments, or schools who take credit cards in face-to-face transactions. Card processing is compliant with this policy under any of these circumstances:

  • The card is swiped on, inserted into, or tapped on a certified P2PE device working with a certified P2PE bank or provider. This type of device can be connected to any network, including the campus wired or wireless networks.
  • The card is swiped on, inserted into, or tapped on an end-to-end encryption device with a service provider that certifies that their solution is PCI compliant. This type of device can only be used with an external network connection, such as a cellular data connection, a dedicated internet connection that is physically distinct from the CWRU network, or a connection behind a router that creates a VPN connection to an off-campus service.
  • The card is swiped on a legacy device that is connected to an analog telephone line.

Examples of non-compliance:

  • Use of a non-P2PE device on the campus network.
  • University employees or representatives typing a credit card number directly into a web page.

Documentation of current certification of devices and services must be XXXX.

Card Not Present - University Merchant

This category is for university offices, departments, or schools that accept card payments over the telephone or through the mail. Card processing is compliant with this policy under any of these circumstances:

  • The card number is entered directly on a certified P2PE device working with a certified P2PE bank or provider. This type of device can be connected to any network, including the campus wired or wireless networks.
  • The card number is entered directly on an end-to-end encryption device with a service provider that certifies that their solution is PCI compliant. This type of device can only be used with an external network connection, such as a cellular data connection, a dedicated internet connection that is physically distinct from the CWRU network, or a connection behind a router that creates a VPN connection to an off-campus service.
  • The card number is entered directly on a legacy device that is connected to an analog telephone line.
  • The card number is entered into a secure website using an SRED-certified protected transaction keypad.

Examples of non-compliance:

  • Use of a non-P2PE device on the campus network.
  • University employees or representatives typing a credit card number directly into a web page.
  • Accepting credit card information via electronic mail.
  • Storing the 3- or 4-digit security code in any manner.

Documentation of current certification of devices and services must be XXXX.

Online - University Merchant

This category is for university offices, departments, or schools that accept card payments online, through a web page. Card processing is compliant with this policy under any of these circumstances:

  • The website is hosted entirely by an external service provider that certifies that both their site and their processor's service are PCI compliant.
  • The entire payment process is handled by a well-known third-party service whose PCI compliance is known (e.g., QuickPay, PayPal, Square). The originating website does not have access to any cardholder data.

Examples of non-compliance:

  • A non-PCI site or service that accepts or handles any unencrypted credit card information.
  • Accepting any credit card information directly on a server located on the campus network or under the control of a university office, department or school.

Documentation of current certification of sites and services must be XXXX. (Resubmit after expiration.)

Partner Merchant

To ensure all possible steps are taken to secure student, faculty, staff, and customer personal data, all in-person and e-commerce processing must be PCI compliant with the current PCI Data Security Standard. We recommend that vendors follow the same guidelines outlined for university merchants. Vendors must provide a statement acknowledging they are in compliance with the current PCI standards and shall continue to provide any PCI certification documentation that may be required annually.

Definitions:

Merchant - an entity that collects funds by credit card and has a direct relationship with a bank or service that provides credit card processing services

University Merchant - a university office, program, department, or school where the name of the university appears on the buyer's credit card statement

Partner Merchant - a merchant that does business on campus or closely with the university online, but the name of the university does not appear on a credit card statement

Card Present - a face-to-face purchase that is made with the physical card at the time of sale, where the card is inserted, tapped, or swiped at a terminal, either by the customer or the cashier

Card Not Present - a purchase that is made indirectly with a customer providing the card number, expiration date and security code to a merchant representative, usually by phone or mail

Online - a purchase that is made with a customer providing the card number, expiration date, and security code to the merchant or a processing service via a web page

Standards Review Cycle

This standard will be reviewed every two years on the anniversary of the revision date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.