Ongoing threats that are associated with credit and debit card information keep the University of West Georgia on its toes in determining technological and procedural safeguards that will protect the campus community. To assist in these efforts, UWG is following the recommendations of the Payment Card Industry Data Security Standards (PCI DSS) in order to address potential threats and vulnerabilities on an ongoing basis.
Regulations for PCI DSS were first developed by the five major credit card companies and implemented on June 30, 2005.
PCI DSS compliance and validation protects vendors, employers and employees, and consumers from suffering financial and data loss because of unprotected network systems.
Annual audits have been conducted at UWG since 2013, and a committee was formed to review audit findings and make improvements toward compliance.
The objectives of the PCI DSS are to:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability-management program
- Implement strong access-control measures
- Regularly monitor and test networks
- Maintain a written Information Security Policy
The new requirements introduced in PCI DSS 3.2 are considered best practices until January 31, 2018. Starting February 1, 2018 they are effective as requirements and must be used.
PCI DSS 12 Requirements
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses
- All employees and supervisors who are involved in the processing of payment cards must receive the required annual PCI training.
- All employees and supervisors who are involved in maintaining the equipment or systems used for processing payment cards must receive the required annual PCI training.
- Verification of employee training (with signature) must be accessible in each payment location.
- Due to technology variations, printed instructions for payment card processing must be accessible in each payment location.
- Maintain an inventory of all physical hardware involved with payment card processing, including device type, model number, serial number, location, and responsible employee(s).
- Report any new PCI equipment to the Compliance Analyst at (678) 839-3095.
- Segment payment card processing from normal business-use workstations; use separate physical devices.
- Lock down the processing devices so that they are permitted to run only the specific card processing applications.
What is cardholder data?
Credit/debit card number, cardholder name, expiration date, and security code.
May I use my work computer to process, store, or transmit cardholder data other than my own as part of my UWG work?
No. UWG computers may not be used to store or transmit cardholder data, even if the objective is to purchase University products or services. Only University-approved PCI-compliant hardware, as defined by UWG's Payment Card Oversight Committee, may be used for these tasks.
May I take cardholder data via email for a campus service or event?
No. Cardholder data should never be sent, received, or stored via email systems due to security concerns.
My department is considering a new software application that will accept credit cards as payment for an event or service. How should I proceed?
All new software applications being considered by campus departments must go through a technology evaluation and security review.
- PCI Application/Revision Form
- UWG Policy Number: UWG 5.3, Payment Card Industry Data Security
- PCI Procedures
- UWG Procedure Number: 5.3.1, PCI DSS Incident Response Plan
- UWG Work Instruction: 5.3.1, PCI DSS Security Responsibilities