PCI Guidelines

Information Security Office


Facts about Payment Card Industry (PCI-DSS) Compliance

  • Driven by the major credit card brands
  • "Enforced" by merchant service providers and payment gateway providers, as well as some banks
  • Applies to all organizations that process, transmit and/or store credit card information
  • Leverages general computer and information security best practices already applied in industry
  • It is *not* a law; it is a contractual requirement imposed through merchant agreements
  • Can carry hefty penalties for organizations that decide to remain non-compliant
  • Looks relatively simple on the surface but can be extremely complex and cost-prohibitive to implement and maintain


Reasoning behind PCI Compliance

  • Prevent data breaches
  • Protect merchants and consumers
  • Minimize liability


PCI at the UofW - Best Practices

  • Due to the University's complex environment, we use Self-Assessment Questionnaire D (SAQ D) provided by the PCI Security Standards Council.  See the link to the PCI Document Library below
  • Do not store credit card data unless you absolutely have to. This applies to paper records, electronic records and voice recordings
  • If you must store credit card data, ensure a retention policy is in place and that it is applied to every method of storage and disposal
  • Do not send (or receive) credit card data via email or any other unencrypted method of transfer
  • Use a dedicated connection (a phone line) for stand-alone POS machines; do not connect them to the campus network.  POS machines used for processing debit cards *only* may be connected to the network
  • If choosing an application that processes credit card information, ensure it is validated against the PCI PA-DSS standard
  • Consult your merchant services provider about the options available to help you achieve and remain PCI compliant

Contact the Information Security Office for additional information and guidance.

PCI Document Library - https://www.pcisecuritystandards.org/security_standards/documents.php