Payment Card Industry Data Security Standard (PCI DSS)

This page is currently under development by the Information Security Office. Some links may not be active where materials are under development.

All UA credit card merchants must comply with the Payment Card Industry Data Security Standard (PCI DSS) to ensure the security of cardholder data processed via their merchant account. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other protective measures. For information about the PCI DSS, visit the following PCI Security Standards Council web pages:

• About the PCI Data Security Standard (to download the complete PCI DSS)
• Supporting Documents (including a glossary)

FSO Campus Banking & Merchant Services governs and enforces PCI DSS compliance. FSO Campus Banking & Merchant Services partners with Information Security to determine appropriate technical compliance strategies and to develop supporting materials to assist units with compliance. For assistance with credit card merchant questions, issues or concerns, please contact FSO Campus Banking & Merchant Services at 621-5781.

To determine what your unit must do to comply, review FRS Policy 8.14 and follow the suggested approach below.

1. Identify the current or proposed payment method and understand associated validation requirements.

2. Understand the technical and operational requirements and determine your unit's needs.

• Compliance Action Plan
• Handling E-Commerce Payments (OWASP)

4. Implement the technical requirements.

5. Implement the operational requirements.

• Guideline for Creating Data Security Policies and Procedures (pdf)
• Guideline for Creating Payment Card Incident Response Plan (pdf)
• Data Retention and Disposal Policy (pdf)
• Minimum Security for Networked Devices (pdf)
• Minimum Security for Networked Devices Implementation Guideline (pdf)
• Server Security Standard (pdf)
• Password Construction and Management Guidelines (pdf)
• Training Material
  • • Payment Cards at UA (pdf)
    • Information to satisfy the PCI DSS-specific training requirement
    • General computer security awareness information and training (in combination, satisfies the general computer security awareness training requirement)
• UA Information Security Tutorial (under development)
• PCI DSS Text for Third Party Vendor Proposals/Agreements

6. Review the applicable Self Assessment Questionnaire (see step 1).

• Overview, including Instructions and Guideline
• Questionnaires

7. Fill out the Self Assessment Questionnaire.

8. Sign up with FSO Campus Banking & Merchant Services for scans, if required (see step 1).

9. Maintain compliance as rules and systems change.

REPORT a payment card security problem. Please reference your department name and related details to ensure proper escalation.

PCI DSS Principles

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security

Source: PCI Security Standards Council