Additional Resources

Data Retention Procedure

The purpose of this procedure is to define the steps business units must complete when using paper or other physical media to store credit cardholder data (CHD). Digital transmission and storage of CHD is NOT permitted at RIT.

Associated File(s)

E-Commerce Policy

The purpose of this policy is to define requirements for RIT Business Units who want to collect credit and/or debit card payments online. All Business Units who own or administer a website that redirects an online payment form must adhere to this policy.

Associated File(s)

Reach out to treasury@rit.edu for more information.

PCI Device Inventory and Inspection Policy

The purpose of this policy is to define RIT Business Unit requirements for maintaining an inventory of and inspecting point-of-interaction (POI) devices that process payment card transactions. This policy applies to all RIT Business Units that use POI devices to capture credit and debit card data.

Third Party Service Provider Engagement

Before engaging with a Third Party Service Provider (TSPS), merchants should review the Third Party Service Provider Policy available on the RIT ISO website and then complete the following steps:

  1. Review the Third Party Service Provider Policy on the ISO website.
  2. Complete and submit an IAPQ (new or revised).
  3. The IAPQ will be reviewed by ISO.
  4. Request an Attestation of Compliance (AoC) or Record of Compliance (RoC) from the third party.
  5. Additional documentation may be requested as needed.

Have more questions? Visit our FAQs on the PCI DSS page, or feel free to contact us at aaoiso@rit.edu and/or treasury@rit.edu.