PCI Policy Information

Table of Contents

Policy Scope

East Texas A&M University is committed to compliance with the Payment Card Industry Data Security Standards (PCI DSS) to protect payment card data regardless of where that data is processed or stored. All members of the university community must adhere to these standards to protect our customers and maintain the ability to process payments using payment cards.

The university prohibits the retention of complete payment card primary account numbers (PAN) or sensitive authentication data in any university system, database, network, computer, tablet, cell phone, or paper file.

PCI Background

The PCI DSS is a mandated set of requirements agreed upon by the major credit card companies. The security requirements apply to all transactions surrounding the payment card industry and the merchants or organizations that accept these cards as a form of payment.

The university must comply with the PCI DSS in order to accept card payments and avoid penalties. This policy and additional supporting policies:

  • Provide the requirements for processing, transmission, storage, and disposal of cardholder data transactions
  • Reduce the institutional risk associated with the administration of payment cards
  • Promote proper internal control
  • Promote compliance with the PCI DSS

Roles and Responsibilities

This policy applies to those involved with payment card handling including employees, contractors, third-party vendors, individuals, systems, networks, and other parties with a relationship to the university including any unit using third-party software to process payment card transactions. This includes transmission, storage, and processing of payment card data, in any form (electronic or paper).

All Users

  • Safeguard cardholder data.
  • Report occurrences of possible incidents and data breaches to the Information Security Officer.
  • Review and comply with the following university policies:
    • Information Security Policy
    • Data Communication and Computer Use Policy

Business Office

  • Maintain an inventory of all areas that process payment card transactions using an approved merchant account, or other compliant methods.
  • Maintain the inventory of all devices, merchant ids, and terminal ids along with activation status.
  • Administer user access add and remove activities, including conducting annual user review of credit card provider access.
  • Assist with mandatory annual training sessions.
  • Assist with completion of the annual self-assessment documents (SAQs).
  • Evaluate compliance with PCI as part of scheduled cash handling reviews.

Departments (who accept payments)

  • Review and comply with the following Business Office procedures: University Money Handling Procedure
  • Maintain departmental Standard Operating Procedures (SOP) for PCI compliance and verify staff has an understanding of the procedures and their responsibilities.

Policy Standards

Training

Annual employee training programs are made available to train employees on PCI DSS and the importance of compliance. Employees with access to card data within their departments are assigned annual online PCI training through TrainTraq.

Transmission

All payment card transmission will utilize fully encrypted pathways from the card entry to the payment processing merchant.

Security Incident and Identification

Employees must be aware of their responsibilities in detecting security incidents. All employees have a responsibility to assist in the incident response within their departments. See the information for Security Incident Management.

Data Retention and Disposal

If it is necessary to retain cardholder data, make every effort to keep cardholder data to a minimum, and destroy when no longer needed.

Data retention and disposal procedures should limit the storage of cardholder data to that which is required for business, legal and/or regulatory purposes.

Electronic Records

For electronic cardholder data records:

  • Destroy (shred, crush, overwrite or degauss) any computer media (hard drives, portable storage) that contained cardholder data when those devices are retired, or the data are no longer needed.
  • Redact imaged documents to remove cardholder data information

Paper-Based Records

For paper-based cardholder data records:

  • Cross-cut shred, incinerate, or pulp paper documents containing cardholder data when no longer needed.

Sensitive Data

Do not store sensitive authentication data in any form after authorization, even if the data is encrypted. Sensitive authentication data includes:

  • Primary credit card account number
  • Full contents of the magnetic stripe
  • Card Verification Code or Card Verification Value (CVC/CVC2/CVV/CVV2/CID)
  • Personal Identification Number (PIN) or the encrypted PIN block

Applicable TAMU University Procedures

  • 21.01.02.R0.02 Credit Card Information Receipt, Custody, and Security Procedure
  • 29.01.03.R0.02 Electronic Information Security
Navigate This Page