PCI Compliance Is a Shared Responsibility
Everyone who works with payment card data, which is regulated by the Payment Card Industry Data Security Standard (PCI DSS), has a part to play in meeting the requirements of the standard. PCI compliance is a shared responsibility:
- U-M Treasurer's Office - Merchant Services. Oversees U-M's compliance with PCI DSS requirements.
- Information and Technology Services (ITS). Offers PCI-compliant services that merchants can choose to use.
- Information Assurance (IA). Works with ITS and the Treasurer's Office to ensure that the designated ITS services are PCI-compliant and appropriately secure.
- U-M Merchants (units that accept credit, debit, or other payment cards). Meet PCI-compliance requirements regardless of whether ITS services are used. Use services in ways that are compliant with PCI requirements.
ITS PCI-Compliant Services
ITS offers PCI-compliant services under the Payment Card Assurance (PCA) name. These services include storage, databases, workstations, and a Virtual Private Network (VPN). ITS has put in place appropriate administrative, physical, and technical safeguards to allow university merchants to process payment card transactions using the PCA services.
University merchants are responsible for their cardholder environment once ITS PCA services have been provided, including applications, data content, virtual machines, access credentials, auditing of access to systems, and compliance with PCI requirements applicable to their particular merchant classification. Merchants are ultimately responsible for ensuring their particular use of ITS services complies with PCI regulations.
PCI DSS Requirements
The PCI DSS is a set of requirements developed by the Payment Card Industry Security Standards Council (PCI SSC) to help ensure secure and trustworthy payment card transactions for the hundreds of millions of people worldwide who use their cards every day. The PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI Council.
PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
These are the primary PCI DSS requirements:
- Build and Maintain a Secure Network and System
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel