PCI DSS Compliance Requirements

PCI DSS Compliance Requirements/Guidelines for Merchant Departments

  • It is a violation of University Policy to store credit card numbers on any computer, server, or database outside an approved credit card vault. This includes Excel spreadsheets, USB drives, and local or network shared drives.
  • Treat payment card forms and receipts like you would cash.
  • Keep payment card data secure and confidential.
  • Restrict access to card data to those who “need to know”.
  • Documents containing cardholder data should be kept in a secure environment (e.g. a safe or locked file cabinet) with restricted access.
  • Cardholder data must be transmitted securely (i.e. encrypted). WiFi use is not permissible at any time.
  • Email, interoffice mail, and messaging systems are not approved channels to transmit credit card numbers. If cardholder data is received in such a manner, the merchant is not permitted to process the transaction and must take corrective action.
  • Accepting cardholder data over the phone is strongly discouraged at BU.
  • Discard account numbers on paper forms by cutting off the credit card information and cross-cut shredding it immediately after transaction processing.
  • Any new systems/software and technology changes to current systems/software involved in payment card processing are required to be communicated to Revenue Accounting and ITS prior to being implemented.
  • Computer systems that process payment cards must be on the PCI VLAN.
  • Use and regularly update anti-virus software.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Assign a unique ID to each person with computer access.
  • Report all suspected data compromises or known security breaches to the PCI DSS Incident Response Team.
  • All individuals (employees and non-employees) exposed to the card data environment are required to participate in annual PCI DSS compliance training.
  • All staff exposed to the cardholder data environment must sign a PCI confidentiality statement, which can be found in the current version of the Agreement to Protect Confidential Information on the Human Resources website.
  • All merchant departments are responsible for completing and signing a self-assessment questionnaire (SAQ) on an annual basis.