Last Revision Date: July 2, 2012
Approval Date: September 28, 2012
Approval Authority: CWRU Chief Information Security Officer
A standard approach to transmission of Payment Card Industry data from on-campus merchants.
This Standard applies to all campus users and external merchants performing credit card transactions which utilize the university IT infrastructure to perform payment card processing.
The university does not support payment card processing on university-owned systems. The present strategy is to outsource all payment card processing to off-site, PCI-compliant vendors, thereby minimizing the PCI compliance scope for university-owned business processes (where the university is the merchant). In particular cases, where merchants are on-campus facilities or use IT infrastructure within the university's scope, these standards apply.
All payment card transmission will utilize fully encrypted pathways from the point of card entry to the payment processing vendor. This keeps the university's academic networks out of scope for PCI compliance.
Campus merchants: Ensure all credit card processing is performed in accordance with the PCI-DSS policy.
University Departments: When credit card processing is part of the department business process, perform an annual PCI-DSS self-assessment (SAQ) and submit the report to the University Controller's Office.
CWRU Information Security Staff: Perform regular vulnerability scanning of the VoIP network, submitting reports to the University Controller’s Office.
CWRU Network Management: Address and correct any deficiencies or risks found in the VoIP network security evaluations.
PCI-DSS: Payment Card Industry Data Security Standard, v2.0
SAQ: Self-Assessment Questionnaire
CWRU Draft Policy: I - 3 Credit Card Management and PCI-DSS Policy
This standard will be reviewed at a minimum every three years on the anniversary of the policy effective date. The standard may be reviewed more frequently depending on changes in risk exposure.