II-4 PCI Data Transmission Standard
Last Revision Date: July 2, 2012
Approval Date: September 28, 2012
Approval Authority: CWRU Chief Information Security Officer
A standard approach to transmission of Payment Card Industry data from on-campus merchants.
This Standard applies to all campus users and external merchants performing credit card transactions which utilize the university IT infrastructure to perform payment card processing.
The university does not support payment card processing in university-owned systems. The present strategy is to outsource all payment card processing to off-site, PCI-compliant vendors, thereby minimizing the PCI compliance scope for university owned business processes (where the University is the merchant). In particular cases, where merchants are on-campus facilities, or use IT infrastructure within the university’s scope, these standards apply.
All payment card transmission will utilize fully encrypted pathways from the card entry to the payment processing merchant. This process keeps any university academic networks out of scope for PCI compliance.
- Any payment card transactions performed for university merchant accounts shall utilize encrypted protocols to reach a virtual terminal (e.g. QuikPay).
- Any card-present pay terminals using university network infrastructure shall employ a device that:
- utilizes full end-to-end encryption methods to protect the payment card information from the point of sale terminal to the payment processing site.
- utilizes only the approved VoIP communications network, isolated from the campus network.
- Departments utilizing payment card processing shall perform an annual self-assessment using the appropriate PCI-DSS self-assessment questionnaire.
- All PCI-DSS processing must be approved annually by the University Controller’s Office, as defined in the Credit Card Management and PCI-DSS Policy.
Campus merchants: Ensure all credit card processing is performed in accordance with the PCI-DSS policy.
University Departments: When credit card processing is part of the department business process, perform an annual PCI-DSS self-assessment (SAQ) and submit the report the to the University Controller’s Office.
CWRU Information Security Staff: Perform regular vulnerability scanning of the VoIP network, submitting reports to the University Controller’s Office.
CWRU Network Management: Address and correct any deficiencies or risks found in the VoIP network security evaluations.
PCI-DSS- Payment Card Industry Data Security Standard, v2.0
SAQ- Security Assessment Questionnaire
CWRU Draft Policy: I - 3 Credit Card Management and PCI-DSS Policy
Standards Review Cycle
This procedure will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.