The Catholic University of America

Relevant Industry Standards

Compliance Partners

Associate General Counsel for Policy and Compliance
Assistant Vice President for Operations

Director of Enrollment Services, Business Systems

Director of Information Security

Related Policy

Information Security and Assurance

Payment Card Industry (PCI) Data Security Standard

Effective June 30th, 2005, VISA and MasterCard put into effect a data security standard for any organization that processes credit card transactions accepting their card brand. The program has since expanded to include all major credit card brands. The credit card companies require that all members, service providers and merchants who store, process, or transmit cardholder data remain compliant with the PCI Standard.

Member financial institutions (banks) are subject to fines of up to $500,000 per incident if there is a compromise on their network resulting in the loss or theft of cardholder information and the network is subsequently found to have been non-compliant at the time of the compromise. The fines can increase up to $100,000 per incident if the member fails to inform the credit card companies of the suspected loss or theft. These fines can be passed on to merchants pursuant to contract, and many institutions of higher education will be required by contract to comply with these standards. Where acceptance of credit cards at an institution is decentralized, meeting the standard will be difficult.

The current PCI Standard consists of 12 requirements which support six goals as follows:

Building and Maintaining a Secure Network

1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protecting Cardholder Data

3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.

Maintaining a Vulnerability Management Program

5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.

Implementing Strong Access Control Measures

7. Restrict access to data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly Monitoring and Testing Networks

10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintaining an Information Security Policy

12. Maintain a policy that addresses information security.

(NB: The source of the 12 requirements and 6 goals is the first resource listed below.)

There are four levels of PCI compliance, with level 1 being the most stringent and level 4 the least stringent. It is generally the acquiring bank's responsibility to identify the university's merchant level. If a merchant suffers an attack that has caused account data to be compromised, the merchant is automatically raised to level 1.

A glance at the actual standard (17 pages) and the accompanying procedures (50 pages) shows that the standard goes into great detail about how, specifically, each goal is to be accomplished.

While the requirements of the PCI standard are specific, and the requirements for a written information security program under Gramm-Leach-Bliley (GLB) are more general, the federal regulation and the PCI standard are complementary. Compliance with a comprehensive Information Security Plan (or "Information Assurance" Plan) would probably take an institution a good deal of the way towards PCI compliance.

Resources

Northwestern University August 2011 PCI DSS Security Awareness PowerPoint

Payment Card Industry (PCI) Data Security Standard Self Assessment Questionnaire

University of Pennsylvania PCI Compliance Policy

updated 10/24/13 CCR