PCI

Ongoing threats that are associated with credit and debit card information keep the University of West Georgia on its toes in determining technological and procedural safeguards that will protect the campus community.  To assist in these efforts, UWG is following the recommendations of the Payment Card Industry Data Security Standards (PCI DSS) in order to address potential threats and vulnerabilities on an ongoing basis.

Regulations for PCI DSS were first developed by the five major credit card companies and implemented on June 30, 2005. 

Contact Us

Dan Lewis
Aycock Hall

(678) 839-4781

Mardel Shumake
Cobb Hall

(678) 839-4007

 

PCI DSS compliance and validation protects vendors, employers and employees, and consumers from suffering financial and data loss because of unprotected network systems.

Annual audits have been conducted at UWG since 2013 and a committee was formed to review audit findings and make improvements towards compliance.

The objectives of the PCI DSS are to:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability-management program
  • Implement strong access-control measures
  • Regularly monitor and test networks
  • Maintain a written Information Security Policy

 

  • Guidelines

    Version 3.1 of the standard will be in effect until December 31, 2016.  Version 3.2 will be posted in January 2017.

    Payment Card Industry Data Security Standards Version 3.1

    PCI DSS 12 Requirements

    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks
    5. Protect all systems against malware and regularly update anti-virus software or programs
    6. Develop and maintain secure systems and applications
    7. Restrict access to cardholder data by business need to know
    8. Identify and authenticate access to system components
    9. Restrict physical access to cardholder data
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes
    12. Maintain a policy that addresses
  • Oversight Committee

    UWG's Payment Card Oversight Committee is composed of the following faculty and staff:

    Payment Card Oversight Committee

    | Name | Position |
    | --- | --- |
    | Eddie Duffey | Senior Associate Athletics Director for Development and Operations |
    | Robert Jennings | Director - Townsend Center for the Performing Arts |
    | Kathy Kral | Chief Information Officer |
    | Dan Lewis* | Executive Director - Center for Business Excellence |
    | John Lyons | Director - Campus Dining |
    | Alex Posivenko | Financial Manager - Auxiliary Services |
    | Mark Reeves | Assistant Vice President of Auxiliary Services |
    | Ron Richards | Director - Internal Audit |
    | Rick Sears | Assistant Vice President and Controller |
    | Mardel Shumake* | Information Security Officer |

    * Committee Co-Chairs

    Note: all correspondence should go to the following email address: pci-request@westga.edu

  • Required Procedures

    Training

    1. All employees and supervisors who are involved in the processing of payment cards must receive the required annual PCI training
    2. All employees and supervisors who are involved in maintaining the equipment or systems that are used for processing payment cards must receive the required annual PCI training
    3. Verification of employee training (with signature) must be accessible in each payment location

    Procedures

    1. Due to technology variations, printed instructions for payment card processing must be accessible in each payment location
    2. Maintain inventory of all physical hardware involved with payment card processing including device type, model number, serial number, location, and responsible employee(s)
    3. Segment payment card processing from normal business-use workstations; use separate physical devices
    4. Lock down the processing devices so that they are only permitted to run specific card processing applications
  • FAQs
    What is cardholder data?

    Credit/debit card number, cardholder name, expiration date, security code

    May I use my work computer to process, store, or transmit cardholder data for someone other than myself as part of my UWG work?

    No. UWG computers may not be used to store or transmit cardholder data, even if the objective is to purchase University products or services. Only University-approved PCI-compliant hardware, as defined by UWG's Payment Card Oversight Committee, may be used for these tasks.

    May I take cardholder data via email for a campus service or event?

    No. Cardholder data should never be sent, received, or stored via email systems due to security concerns.

    My department is considering a new software application that will accept credit cards as payment for an event or service. How should I proceed?

    All new software applications being considered by campus departments must go through a technology evaluation and security review.

  • Documentation