Payment Card Industry
In September of 2006, a group of five leading payment brands, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Incorporated, launched the Payment Card Industry (PCI) Security Standards Council; an open global forum responsible for the development, management, education and awareness of the PCI Security Standards.
From the Council, came the Data Security Standard (PCI DSS) which provides a baseline of technical and operational requirements designed to encourage and enhance cardholder data security, and facilitate the broad adoption of consistent data security measures globally.
The PCI DSS requirements apply to all entities involved in payment card processing, including: merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. Additionally, the PCI DSS affects all credit card acceptance channels, including: retail, mail, telephone, fax, and e-commerce.
The common processes and precautions for handling, processing, storing and transmitting credit card data established by the PCI DSS, help to combat the unprecedented assaults on personal and financial data which impact cardholders, retailers, banks, service providers and credit card companies.
A high-level overview of the 12 PCI DSS requirements is outlined below:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
Loyola University Chicago is required to remain in compliance with the PCI DSS. Anyone at the University involved in the process of accepting credit card payments must undergo PCI training annually, and must adhere to the rules and regulations outlined by the council and the University.
Non-compliance penalties vary among major credit card networks and can be substantial; companies can be barred from processing credit card transactions altogether, higher processing fees can assessed, and, in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance. Several large, well-known institutions that lacked adequate protection have been responsible for exposing credit card payment data. Consequently, these companies were penalized with significant fines, and experienced backlash from the public resulting from the negative media coverage of the major data security breaches within their organizations.
All University departments that transmit, process, or store cardholder data are responsible and accountable for their PCI Compliance. All employees must do their part to protect credit card data and to mitigate the risks associated with processing credit card transactions.