PCI DSS Requirements
PCI DSS compliance
What is PCI DSS?
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006, to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process.
The major credit card companies (VISA, MasterCard, Discover, and American Express) came together and published a uniform set of data security standards that serve those who work with payment cards. This includes: merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers who create and operate the global infrastructure for processing payments.
Who must be PCI DSS compliant?
ALL RIT merchants (i.e. Business Units that process, store, or transmit cardholder data) must adhere to the PCI DSS if they want to accept cards from the major payment card brands that created and adopted the standard.
In other words, for RIT to be approved for financial transactions and to be able to accept credit cards, being compliant with PCI DSS is not an option.
At RIT, PCI DSS compliance is taken seriously. Each business unit assigns one person to monitor, document, and manage credit card processes and security.
Merchant (Business Unit) obligations
For RIT to be compliant, each business unit has a role to play. Documentation is essential to compliance: there are various forms and templates to be filled out during the attestation period, and each business unit must ensure all of these documents are available for auditor/assessor review when requested. The following documents must be available for annual attestation:
- PCI Annual Business Unit Agreement
- PCI DSS Terminal Characteristics Form
- Inventory and Inspection Log
- Secure Document Storage Review Log
- Security Awareness Training and Training log
- Third-Party PCI and Security Validations (TPSPs AoC)
Check the link below to see what an Attestation of Compliance (AoC) looks like. Third-Party Service Providers (TPSPs) are expected to provide this document with the necessary information filled out; it is completed annually. It must carry the assessor's name together with their signature and date.
Employee dos and don'ts
As an employee, you must always:
- Take your annual PCI Training
- Make sure all payment card documents are secured
- Make sure POS devices are not tampered with
As an employee, do not:
- Store any sensitive or personally identifying information on any computer
- Write down or transmit payment card numbers via fax, email, instant messaging, or social networking sites
- Acquire or disclose a cardholder's payment card number without the cardholder's consent
Please contact aaoiso@rit.edu for further information and assistance.
PCI DSS compliance best practices
- Keep payment card data secure and confidential
- Use and regularly update anti-virus software
- Isolate the POS system from other networks
- Have store personnel monitor self-checkout terminals and kiosks to prevent thieves from installing card skimmers, which take only seconds to install and steal payment card data and PIN information directly off the card's magnetic stripe
- Ensure that both POS and OS software is up-to-date
- Limit access to system components and cardholder data to only those individuals whose job requires such access
- Destroy cardholder data when it is no longer needed, so that account information is unreadable and cannot be reconstructed
- Technology changes that affect payment card systems must be approved by the Controller and the Treasury Office before they are implemented
- Never send cardholder information via email. Credit card numbers must not be transmitted in an insecure manner, such as email, unsecured fax, or campus mail
- Report all suspected or known security breaches to the Incident Response Team
- Monitor your data: set up alerts for security incidents involving cardholder data or anything that could compromise your cardholder environment
Protecting your credit card information
- Keep your card information private. No one needs to know your card number(s)
- Never lend your card to someone else. It can be improperly used or stolen
- Never give your card details over the phone unless you initiated the call
- Do not save your credit card details in your browser when you shop online. If your system is ever compromised or someone snoops on your machine, any card details stored there are exposed
- Only shop over secure connections; if you don't see the lock icon in your browser, beware
- Remember to activate and sign any new cards as soon as you receive them, before someone can steal them
- When using a card, be sure you get it back and take your receipt
- Never sign a blank charge receipt. Make sure the receipt has your transactional details on it
- Keep a list of your credit card numbers and the issuing companies' numbers in a secure place that you can easily access when needed