Ongoing threats that are associated with credit and debit card information keep the University of West Georgia on its toes in determining technological and procedural safeguards that will protect the campus community. To assist in these efforts, UWG is following the recommendations of the Payment Card Industry Data Security Standards (PCI DSS) in order to address potential threats and vulnerabilities on an ongoing basis.
Regulations for PCI DSS were first developed by the five major credit card companies and implemented on June 30, 2005.
PCI DSS compliance and validation protects vendors, employers and employees, and consumers from suffering financial and data loss because of unprotected network systems.
Annual audits have been conducted at UWG since 2013 and a committee was formed to review audit findings and make improvements towards compliance.
The objectives of the PCI DSS are to:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability-management program
- Implement strong access-control measures
- Regularly monitor and test networks
- Maintain a written Information Security Policy
The new requirements introduced in PCI DSS 3.2 are considered best practices until January 31, 2018. Starting February 1, 2018 they are effective as requirements and must be used.
PCI DSS 12 Requirements
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and process
- Maintain a policy that addresses
UWG's Payment Card Oversight Committee is comprised of the following faculty and staff:
Payment Card Oversight Committee Name Position Eddie Duffey Senior Associate Athletics Director for Development and Operations Robert Jennings Director - Townsend Center for the Performing Arts Kathy Kral Chief Information Officer Dan Lewis* Executive Director - Center for Business Excellence John Lyons Director - Campus Dining Alex Posivenko Financial Manager - Auxiliary Services Mark Reeves Assistant Vice President of Auxiliary Services Ron Richards Director - Internal Audit Rick Sears Assistant Vice President and Controller Mardel Shumake* Information Security Officer
Payment Card Oversight Committee
Name: Eddie Duffey
Position: Senior Associate Athletics Director for Development and Operations
Name: Robert Jennings
Position: Director - Townsend Center for the Performing Arts
Name: Kathy Kral
Position: Chief Information Officer
Name: Dan Lewis*
Position: Executive Director - Center for Business Excellence
Name: John Lyons
Position: Director - Campus Dining
Name: Alex Posivenko
Position: Financial Manager - Auxiliary Services
Name: Mark Reeves
Position: Assistant Vice President of Auxiliary Services
Name: Ron Richards
Position: Director - Internal Audit
Name: Rick Sears
Position: Assistant Vice President and Controller
Name: Mardel Shumake*
Position: Information Security Officer
* Committee Co-Chairs
Note all correspondences should go to the following email address: firstname.lastname@example.org
- All employees and supervision that are involved in the processing of payment cards must receive annual required PCI training
- All employees and supervision that are involved in maintaining the equipment or systems that are used for processing payment cards must receive annual required PCI training
- Verification of employee training (with signature) must be accessible in each payment location
- Due to technology variations, printed instructions for payment card processing must be accessible in each payment location
- Maintain inventory of all physical hardware involved with payment card processing including device type, model number, serial number, location, and responsible employee(s)
- Segment payment card processing from normal, business use workstations - use separate physical devices
- Lock down the process devices such that they are only permitted to run specific card processing applications
What is cardholder data?
Credit/debit card number, cardholder name, expiration date, security code
May I use my work computer to process, store, or transmit cardholder data other than myself as a part of my UWG work?
No. UWG computers may not be used to store or transmit cardholder data, even if the objective is to purchase University products or services. Only University-approved PCI-compliant hardware, as defined by the UWG's Payment Card Oversight Committee, may be used for these tasks.
May I take cardholder data via email for a campus service or event?
No. Cardholder data should never be sent, received, or stored via email systems due to security concerns.
My department is considering a new software application that will accept credit cards as payment for an event or service. How should I proceed?
All new software applications being considered by campus departments must go through a technology evaluation and security review.