PCI-DSS Card Security

PCI-DSS Stands for the Payment Card Industry Data Security Standard. This is the worldwide security standard for credit card data security, and adherence is required by the card brands, state law, and university policy. The security standard can be found at  pcisecuritystandards.org.

The links below skip directly to the corresponding section on this page:

  • Where to Start
  • Understanding the Scope
  • How to Comply
  • Required Training
  • Consequences of Non-Compliance
Where to Start

The PCI-DSS applies to every merchant who accepts credit cards—regardless of the acceptance method.

Training on PCI-DSS can be found in KnowBe4.

 

Understanding the Scope

The PCI-DSS is a very broad standard of more than 200 security requirements covering every scenario from mom-and-pop shops to e-commerce giants, so clearly not every requirement applies in every setting. Luckily, the PCI Security Standards Council has done some of the legwork of figuring out which requirements may apply in various circumstances. The PCI Self-Assessment Questionnaires (SAQs) are documents which list the relevant security requirements for the most common card acceptance configurations. For example, there are different SAQs for e-commerce, countertop card readers, or complex point of sale systems.

Merchants are required to perform an annual security self-assessment using the SAQs, so new merchants should immediately familiarize themselves with the security requirements particular to their SAQ. University Accounting Services (UAS), who is already familiar with your merchant account and processing environment, can quickly help you determine which SAQ to complete.

SAQs are completed online through a third-party portal. Merchants are notified annually through the pci-merchants listserv when it is time to complete the SAQs, along with additional instructions. Video walk-throughs on how to complete the most common SAQs, including additional context behind some of the questions, can be found in TrainTraq.

  

How to Comply

Before a merchant may receive credit card payments, it must develop and implement adequate security and internal controls meeting PCI-DSS requirements and University OP 14.08. All equipment, software, and business processes must comply with current PCI security standards. Adequate security often involves the combined efforts of business and information technology functions.

PCI compliance is not an annual checkbox exercise but something to adopt with a “business as usual” approach to all people, processes, and technology involved in the acceptance of cards for payment.

After having worked with the Business Office to identify the scope of your card processing environment, the next step is to complete the PCI Self-Assessment Questionnaire (SAQ). This is an annual requirement, and results are reported to the institution’s Vice President for Administration and Finance and to the Chief Information Security Officer. The questionnaire lists every potential security requirement for the identified card processing environment. In very broad terms, the security requirements can be broken down into requirements around technology, business processes, or policy. As part of the security self-assessment, merchants attest to having documented their processes and policies in writing and ensured employees are aware of them.

As described above, the PCI-DSS is an extensive document covering all sort of card acceptance scenarios, but here are just a few of the many take-aways:

  • Credit card numbers should only be stored electronically as a last resort, and then only in full compliance with the most recent PCI-DSS requirements.
  • Card data should never be transmitted over end user technologies such as email, texting, instant messenger, and so on.
  • Assign university PCI training upon hire to individuals authorized to have access to cardholder data.
  • Ensure that the storage of printed cardholder data is in a location with access limited to those with legitimate business need. Record retention rules dictate that signed payment receipts records be kept 180 days for chargeback disputes.
  • Before engaging with third party vendors who support the transaction process (through software, equipment, hosting, personnel, etc.), they must prove PCI compliance, contractually take responsibility for cardholder security to the extent of their control, and commit to ongoing PCI security compliance. Ask the Contracts office to include the university-approved PCI addendum when contracting with e-commerce or point of sale vendors.
    • The design and architecture of computer systems and networks associated with credit card processing, as well as the protocols used to transmit such data, must be approved by the Midwestern State University IT Security team prior to implementation. Subsequent changes must be approved prior to implementation.
    • Midwestern State University IT Security will perform periodic reviews of computer and/or computer networks to ensure that security features are in place and are adequate to protect credit card data. UAS will periodically perform reviews of business procedures to help merchants identify ways to better protect cardholder information. Reviews are also available upon request.
 
Required Training

Merchant staff who answer questions on the annual PCI questionnaire or who have access to cardholder data, including IT staff who support payment systems, are required to complete an online PCI Security training course. Annual refresher courses are also required. The department is responsible for providing sufficient training to volunteers based on the types of transactions volunteers may process. To have employees assigned annual recurring training, supervisors should complete the online PCI Training request form.

 

Consequences of Non-Compliance

Compliance with the PCI-DSS is mandatory. A single merchant’s non-compliance makes the entire institution non-compliant in the eyes of the card brands.

Merchants found to be out of compliance with security standards will be given a reasonable amount of time to correct the problem and be re-audited. If PCI-DSS non-compliance is due to documentation, procedure, or training, the merchant will be given 30 days from notification to reach compliance. If the non-compliance is related to IT security, a compliance date will be established by mutual agreement between the merchant and IT Security. Failure to reach compliance by deadline may result in the suspension of the merchant's account. Requests for deadline extensions must be approved by the Vice President for Administration and Finance.

Individuals who fail to complete the mandatory annual PCI training by the deadline should be suspended from accessing cardholder data or systems that support the processing of such data until such time as they complete their training. Merchants with < 20% overall training compliance will be given 5 business days to complete online training. Failure to reach minimum compliance will result in the suspension of the merchant's account.