II-4a PCI-DSS Technical Standards

Overview

Version 1.1
Last Revision Date: July 22, 2019
Approval Date: April 11, 2019
Approval Authority: CWRU PCI Compliance Committee

Purpose

Technical controls are an integral part of the PCI-DSS (referred to as PCI) compliance framework. CWRU intends to maintain compliance to PCI in two ways. First, by restricting the scope of permitted networks where of PCI data may reside or be transmitted, and second, by ensuring sufficient technical controls are applied to all payment processes where permitted. University business units with the need to apply PCI-based workflows shall ensure their product or service provider addresses these technical controls as part of their request for approval to operate PCI compliant services.

Approval from the University Treasurer for PCI processing will be contingent on adherence to one or more (as applicable) of these standards.

Scope

This standard applies to all CWRU related merchant activity on the university campus that intends to use payment card technologies.

Standards

Required technical controls are grouped into four categories depending on the method of payment and the vendor relationship with the university.

Card Present - University Merchant

This category is for university offices, departments, or schools who take credit cards in face-to-face transactions. Card processing is compliant with this policy under any of these circumstances:

  • The card is swiped on, inserted into, or tapped on a certified point-to-point encryption (P2PE) device working with a certified P2PE bank or provider. This type of device can be connected to any network, including the campus wired or wireless networks.
  • The card is swiped on, inserted into, or tapped on a non-certified encrypted device with a service provider that certifies that their solution is PCI compliant. This type of device can only be used with an external network connection, such as a cellular data connection, a dedicated internet connection that is physically distinct from the CWRU network, or is behind a router that creates an encrypted virtual private network (VPN) connection to an off-campus service.
  • The card is swiped on a legacy device that is connected to an analog telephone line.
  • The departmental P2PE device has been inventoried and certified by the Treasurer's office.

Examples of non-compliance:

  • Use of a non-P2PE device on the campus network.
  • University employees or representatives typing a credit card number directly into a web page

Documentation of current certification of devices and services must be submitted to the Treasurer's office. Updated certification is required upon expiration.

Card Not Present - University Merchant

This category is for university offices, departments, or schools that accept card payments over the telephone or through the mail. Card processing is compliant with this policy under any of these circumstances:

  • The card number is entered directly on a certified P2PE device working with a certified P2PE bank or provider. This type of device can be connected to any network, including the campus wired or wireless networks.
  • The card number is entered directly on a non-certified encrypted device with a service provider that certifies that their solution is PCI compliant. This type of device can only be used with an external network connection, such as a cellular data connection, a dedicated internet connection that is physically distinct from the CWRU network, or is behind a router that creates an encrypted VPN connection to an off-campus service.
  • The card number is entered directly on a legacy device that is connected to an analog telephone line.
  • The card number is entered into a secure website using a SRED-certified protected transaction keypad.

Examples of non-compliance:

  • Use of a non-P2PE device on the campus network.
  • University employees or representatives typing a credit card number directly into a web page.
  • Accepting credit card information via electronic mail.
  • Storing the 3- or 4-digit security code in any manner.

Documentation of current certification of devices and services must be submitted to the Treasurer's office. Updated certification is required upon expiration.

Online - University Merchant

This category is for university offices, departments, or schools that accept card payments on a non-CWRU website where the customer enters the payment information themselves. Card processing is compliant with this policy under any of these circumstances:

  • The website is hosted entirely by an external service provider that certifies that both their site and their processors service are PCI compliant.
  • The entire payment process is handled by an authorized third-party service for which we have documented PCI compliance (i.e. QuikPAY, PayPal ) and the originating website does not have access to any cardholder data.

Examples of non-compliance:

  • A non-PCI site or service that accepts or handles any non-encrypted credit card information.
  • Accepting any credit card information directly on a server located on the campus network or under the control of a university office, department or school.

Documentation of current certification of sites and services must be submitted to the Treasurer's office. Updated certification is required upon expiration.

Partner Merchant

To ensure all possible steps are taken to secure student, faculty, staff, and customer personal data, all in-person and e-commerce processing must be PCI compliant with the current PCI Data Security Standard. We recommend that vendors follow the same guidelines outlined for university merchants. Vendors must provide a statement acknowledging they are in compliance with the current PCI standards and shall continue to provide any PCI certification documentation that may be required annually.

Definitions:

Merchant - an entity collects funds by credit card and has a direct relationship with a bank or service that provides credit card processing services

University Merchant - a university office, program, department, or school where the name of the university appears on the buyer's credit card statement

Partner Merchant - a merchant that does business on campus or closely with the university online, but the name of the university does not appear on a credit card statement

Card Present - a face-to-face purchase that is made the physical card at the time of sale, and the card is inserted, tapped, or swiped at a terminal, either by the customer or cashier

Card Not Present - a purchase that is made indirectly with a customer providing the card number, expiration date and security code to a merchant representative, usually by phone or mail

Online - a purchase that is made with a customer providing the card number, expiration date, and security code to the merchant or a processing service via a web page

Standards Review Cycle

This standard will be reviewed every two years on the anniversary of the revision date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.

References

II-4 PCI-DSS Compliance