Compliance Requirements

PCI DSS Requirements

RIT is committed to conducting its academic and administrative activities ethically and in compliance with applicable laws and regulations. When the University accepts payment for goods or services by means of a credit or debit card (collectively, payment cards), it has a responsibility to protect the personal financial information of the individual making the payment.

Members of the payment card industry (PCI) have developed data security standards (DSS) for any organization that accepts, captures, stores, transmits, or processes payment card information either manually or through an automated system. The PCI DSS are designed to reduce losses related to credit or debit card fraud and improve card payment account data security. The requirements were developed by the founders of the PCI Security Standards Council which include American Express, Visa International Inc., MasterCard Worldwide and Discover Financial Services.

Compliance with PCI DSS is not optional; RIT must comply with the standards in order to continue to accept payment cards. In addition, any supplier/contractor with whom RIT engages to accept, capture, store, transmit or process payment card information must also be compliant with the security standards. Any unauthorized exposure of credit or debit card information could subject the University to significant financial penalties and reputational damage. It is therefore the responsibility of all RIT departments that accept, capture, store, transmit, or process credit or debit card payments to ensure compliance with PCI DSS, to ensure that employees accepting such payments are sufficiently trained in appropriate payment card handling procedures, and to certify such compliance on an annual basis.

Payment Card Industry Data Security Standards (PCI DSS) requirements include twelve (12) security controls that all businesses, including RIT, are required to implement to protect payment card data and comply with PCI DSS. These requirements were developed and are maintained by the Payment Card Industry (PCI) Security Standards Council.

Goals and PCI DSS Requirements

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update antivirus software programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel


Dos

  • Take your annual PCI Training
  • Make sure all payment card documents are secured
  • Make sure POS devices are not tampered with
  • Keep payment card data secure and confidential
  • Use and regularly update anti-virus software
  • Isolate the POS system from other networks
  • Have store personnel monitor self-checkout terminals/kiosks to prevent thieves from installing card skimmers, which take only a second to install and steal payment card data and PIN information directly off the card's magnetic stripe
  • Ensure that both POS and OS software is up to date
  • Limit access to system components and cardholder data to only those individuals whose job requires such access
  • Destroy cardholder data when it is no longer needed, so that account information is unreadable and cannot be reconstructed
  • Obtain approval from the Controller and the Treasury office before implementing any technology change that affects payment card systems
  • Report all suspected or known security breaches to the Incident Response Team
  • Monitor your data: set up alerts for security incidents involving cardholder data or anything that could compromise your cardholder environment

Don'ts

  • Store any sensitive or personally identifying information on any computer
  • Write down or transmit payment card numbers via fax, email, instant messaging, or social networking sites
  • Acquire or disclose a cardholder's payment card number without the cardholder's consent
  • Send cardholder information via email; credit card numbers must not be transmitted in an insecure manner, such as email, unsecured fax, or campus mail

Additional Resources

For more details on topics like the Data Retention Procedure, E-Commerce Policy, PCI Device Inventory and Inspection Policy, and more, please visit our Additional Resources page.

Have more questions? Visit our FAQs on the PCI DSS page, or feel free to contact us at aaoiso@rit.edu and/or treasury@rit.edu.