The Catholic University of America - Campus Legal Clearinghouse

 

Relevant Industry Standards                          

Compliance Partners

Associate General Counsel for Policy and Compliance

Director of Student Accounts

Director of Academic Technology Services

Related Policy

Information Assurance

                               

Payment Card Industry (PCI) Data Security Standard

Effective June 30, 2005, Visa and MasterCard put into effect a data security standard for any organization that processes credit card transactions accepting their card brands. The program has since expanded to cover all major credit card brands. The credit card companies require that all members, service providers and merchants who store, process, or transmit cardholder data remain compliant with the PCI Standard.

Member financial institutions (banks) are subject to fines of up to $500,000 per incident if there is a compromise on their network resulting in the loss or theft of cardholder information and the network is subsequently found to have been non-compliant at the time of the compromise. The fines can increase by up to $100,000 per incident if the member fails to inform the credit card companies of the suspected loss or theft. These fines can be passed on to merchants pursuant to contract, so many institutions of higher education will be required by contract to comply with these standards. Where acceptance of credit cards at an institution is decentralized, meeting the standard will be more difficult.

 

The current PCI Standard consists of 12 requirements, which support six goals, as follows:

Building and Maintaining a Secure Network

  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protecting Cardholder Data

  3. Protect stored data.
  4. Encrypt transmission of cardholder data and sensitive information across public networks.

Maintaining a Vulnerability Management Program

  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.

Implementing Strong Access Control Measures

  7. Restrict access to data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly Monitoring and Testing Networks

  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintaining an Information Security Policy

  12. Maintain a policy that addresses information security.


(NB: Source of the 12 requirements and 6 goals is the first resource listed below)

 

There are four levels of PCI compliance, with level 1 being the most stringent and level 4 the least stringent. It is generally the acquiring bank's responsibility to identify the university's merchant level. If a merchant suffers an attack that has caused account data to be compromised, the merchant's level requirement rises to level 1 automatically.


A glance at the actual standard (17 pages) and the accompanying procedures (50 pages) shows that they go into great detail about how, specifically, the goals are to be accomplished.

 

While the requirements of the PCI standard are specific, and the requirements of a written information security program under Gramm-Leach-Bliley (GLB) are more general, the federal regulation and the PCI standard are complementary. Compliance with a comprehensive Information Security Plan (or "Information Assurance" Plan) would probably take an institution a good deal of the way toward PCI compliance.

 

Resources:

Higher Education and PCI Compliance: Definitions, Challenges, and Actions (2006)

PCI Compliance for Higher Education: Best Practices Checklist

PCI audit procedures

E-Commerce and the Cardholder Information Security Program (CISP)
This Educause Effective Practice Detail provides basic information important for universities that sell products or services online and collect fees via credit card. The approach is meant to help institutions of higher education get started in assessing their responsibilities with regard to cardholder data that they may process or otherwise come in contact with, and help institutions determine whether there are regulatory obligations, what those obligations are, and some steps to take to help meet those obligations.

NCSU PCI Compliance Summary

University of Pennsylvania PCI Compliance Policy

US Treasury Institute PCI DSS News and Information Blog


New page created by mlo 6/12/07
updated 3/4/08
links updated 6/20/08 rab
compliance box links updated 6/10/09 rab

updated to add Treasury Institute blog

Last Revised 02-Jul-09 03:24 PM.