Sacramento State Payment Card Industry (PCI) Information on Compliance
If you process credit cards at Sacramento State and have not met or spoken with the ISO, please fill out the following form so we may set up an appointment to perform a PCI self-assessment. PCI Identification form here:
The University Chief Financial Officer and his/her designee, the University Bursar, are responsible for the process and enforcement of this policy. University auxiliaries accepting credit cards for payments are responsible for complying with the PCI Data Security Standard. This policy applies to any University department or auxiliary wanting to accept credit cards for goods or services provided. University departments may request authorization to accept credit cards via the Procedures hyperlink below. Auxiliary organizations of the University may establish their own procedures, so long as they remain in compliance with the PCI Data Security Standard.
The primary reasons PCI was created are to protect cardholder information, reduce fraud, and identify common security issues and vulnerabilities that could then be exploited for malicious use if the risk is not managed appropriately. Businesses and merchants that process, store, or transmit transaction information must comply with the controls.
PCI consolidates compliance with the security standards of American Express, Discover, MasterCard, and Visa into a single standard.
Who is Affected by PCI?
Any type of business that processes, stores, or transmits cardholder and transaction data must comply with PCI in order to maintain membership status. If a business fails to comply with PCI, then any breach of cardholder or transaction data may result in substantial fines and in the privilege to accept credit card payments being revoked.
Achieving PCI Compliance
In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity theft and other misuse. Visa outlined key security requirements, along with a program for validation and auditing.
In December 2004, Visa and MasterCard joined forces to simplify compliance for merchants and payment processors with the jointly developed, 12-point PCI standard. The scope of these requirements is quite broad, incorporating best practices for perimeter security, data privacy, and layered security. The 6 core areas and 12 requirements are listed below:
Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security for employees and contractors
Resources and references for PCI DSS Compliance
Chancellor’s Office presentation on PCI security and standards. PCI overview training and presentation.
PCI Website for standards and documentation. https://www.pcisecuritystandards.org
Information Security Office PCI news article in the Hornet.
See the article from the Hornet Newspaper on Vendor security and credit card safety at Sacramento State: Article