Office of the Provost
Summary

The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis. PCI DSS compliance is mandatory for any organization that collects, processes, or stores credit card information.

Purpose

The purpose of this policy is to establish requirements for collecting, storing, processing and transmitting credit card data to facilitate compliance with the PCI DSS requirements.

Groups Covered

This policy applies to all Fort Hays State University faculty, staff, students, temporary employees and any other persons who collect, process, transmit or store credit card information physically or electronically. Any other entity or individual using FHSU servers or the FHSU network must also abide by this policy. Hereinafter, all applicable persons will be referred to as "Department" for the purposes of this policy.
To help protect against exposure and possible theft of sensitive credit card data and to comply with the PCI DSS requirements, Departments must follow the policies and procedures outlined in this document.
Policy Requirements

Fort Hays State University is required to establish, publish, maintain and disseminate a security policy that addresses all PCI DSS requirements. Each of the 6 goals and 12 requirements as outlined in the PCI DSS are addressed in this document.

Section 1 - Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Section 2 - Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Section 3 - Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Section 4 - Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Section 5 - Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Section 6 - Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
1. Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Web Based Requirements
Hard Copy Requirements
Requirement 4: Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
6. Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Risk of Non-Compliance
PCI Security Standards Council: https://www.pcisecuritystandards.org/
FHSU Electronic Information Security Policy: http://www.fhsu.edu/ctc/computer-policies/
Policies and Procedure Relating to Criminal Background Checks for Employees: http://www.fhsu.edu/policies/
Adopted by President’s Cabinet (05/06/09).