PCI Compliance
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006, to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. Clemson University has always adhered to the highest standards when it comes to protecting sensitive data. Payment card data is among the most sensitive data the University handles, so every department that accepts, processes or transmits it must meet these compliance standards.
The major payment card brands (Visa, MasterCard, Discover and American Express) came together and published a uniform set of data security requirements that ALL merchants (at Clemson, every University department that accepts payment cards) must comply with. This standard is the Payment Card Industry Data Security Standard, or PCI DSS. It places additional responsibilities on University departments in connection with the acceptance of payment cards.
Compliance at Clemson
Complying with PCI DSS is not optional. Clemson University must comply to remain approved to process payment card transactions and to continue accepting payment cards.
Noncompliance with these standards puts Clemson University at risk for:
- Large monetary fines assessed to your department and/or Clemson University.
- Loss of merchant status for the department.
- Loss of merchant status for Clemson University.
- Loss of trust in the Clemson University name.
For a large organization like Clemson University, PCI compliance presents unique challenges. With both online and in-person card processing growing, a sustained focus on PCI compliance is necessary, and Clemson University maintains that focus.
Compliance is a challenge, but it is one that Clemson University is meeting and will continue to meet. If you have any questions, or recognize that your department may have compliance issues, please email Cathy Freeman or call 864-656-0530. She can meet with you in person, or by whatever means the department prefers, to address any concerns. The PCI Compliance website is also recommended for additional information on PCI DSS.
Steps for Departmental Compliance
Below are the steps each department must take to ensure that card processing at Clemson University is handled safely.
- It is against University policy to store cardholder data electronically or in paper format.
- Treat payment card receipts as you would cash.
- Keep payment card data secure and confidential.
- Limit access to system components and cardholder data to only those individuals whose job requires such access.
- Assign all users a unique ID before allowing them to access system components or cardholder data.
- Never transmit cardholder data in an insecure manner. Card numbers must not be sent by email, by fax (secured or not) or through campus mail.
- Render the primary account number (PAN) unreadable anywhere it is stored, for example by truncation, strong one-way hashing or strong encryption with proper key management.
- Destroy cardholder data when it is no longer needed, so that account information is unreadable and cannot be reconstructed (for example, cross-cut shred paper records).
- Manual swipe devices and card imprinters are not authorized for use.
- Technology changes that affect payment card systems are required to be approved by Cash and Treasury Services prior to being implemented.
- Any new systems/software that process payment cards are required to be approved by Cash and Treasury Services prior to being purchased.
- Any computer system hosting a credit card application must be housed in CCIT’s data centers due to security requirements.
- Computer systems that process payment cards must be behind a firewall.
- Use anti-virus software and keep it regularly updated.
- Do not use vendor-supplied defaults for systems passwords and other security parameters.
- Computer systems that process payment cards must be able to log and monitor all access to network resources and cardholder data, so that access can be traced to an individual user.
- Report all suspected or known security breaches to Cash and Treasury Services and CCIT’s Information Security and Privacy.
For additional guidance, please refer to the Payment Cardholder Data Processing and Handling Policy. If you have any questions, call Cash and Treasury Services at 864-656-0530.