Payment Card Industry (PCI) Standard

What is Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is a mandatory requirement for all organizations that process any form of card payments (credit, debit or pre-paid cards), develop products for payment card transactions or store card details on their networks. PCI DSS compliance is only required when an organization processes payment cards itself, rather than just accepting card payments through a Point of Sale Terminal and passing the transactions directly (untouched) to a Merchant Acquirer.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security

Why was PCI DSS created?

PCI DSS was created by the major credit card companies (VISA and MasterCard) to combat the large number of attacks on organizations' computer networks that have resulted in the theft or misuse of large blocks of cardholder information. Often the information stolen could also facilitate identity theft attacks on the information owners.


The Payment Card Industry Data Security Standard (PCI DSS) has been introduced to provide reassurance to customers and to help organizations proactively protect customer account data. The PCI DSS is a comprehensive standard that establishes common processes and procedures for handling, processing, storing and transmitting credit card data.

Information Source: https://www.pcisecuritystandards.org

Merchant Level Scope

Merchant Level 1
  Merchant Definition: More than six million V/MC transactions annually across all channels, including e-commerce
  Compliance:
    • Annual Onsite PCI Data Security Assessment
    • Quarterly Network Scans

Merchant Level 2
  Merchant Definition: 1,000,000 – 5,999,999 V/MC transactions annually
  Compliance:
    • Annual Self-Assessment
    • Quarterly Network Scans

Merchant Level 3
  Merchant Definition: 20,000 – 1,000,000 V/MC e-commerce transactions annually
  Compliance:
    • Annual Self-Assessment
    • Quarterly Network Scans

Merchant Level 4
  Merchant Definition: Less than 20,000 V/MC e-commerce transactions annually, and all merchants across all channels with up to 1,000,000 VISA transactions annually
  Compliance:
    • Annual Self-Assessment
    • Annual Network Scans

*** All rows highlighted in yellow are the current scope of Tennessee Technological University.

Self Assessment Scope

  • Self Assessment Questionnaire (SAQ): The PCI Data Security Standard Self‐Assessment Questionnaire is a validation tool intended to assist merchants and service providers in self‐evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS SAQ to meet various scenarios. This document has been developed to help organizations determine which SAQ best applies to them. These questionnaires range from level A to level D, with A being the least complex and increasing in complexity up to level D.

SAQ (v2.0) and Description

SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.

SAQ B: Imprint-only merchants with no electronic cardholder data storage; stand-alone terminal merchants, no electronic cardholder data storage.

SAQ C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage.

SAQ C: Merchants with POS systems connected to the Internet, no electronic cardholder data storage.

SAQ D: All other merchants (not included in Types A-C above) and all service providers defined by a payment brand as eligible to complete an SAQ.

*** All rows highlighted in yellow are the current scope of Tennessee Technological University.

University (TTU) Scope

The PCI Data Security Standard applies to all TTU departments and units storing, processing, and transferring payment card information.

TTU Department in Scope        SAQ (v2.0)
Athletics                      B, C
Business Office                A, B, C
Craft Center                   B
Eagle Card Office              B
Extended Education             B
Fitness Center                 B
Health Services                B
Photo Services                 B
University Advancement         C

Certificate of Compliance & Attestation of Compliance

FY 2012 (Trustwave Validation)

Merchant ID    Description                      Certificate PDF
xxxxxx6900     TTU Loan Accounting CCM          PDF
xxxxxx6901     TTU Market Place General         PDF
xxxxxx6903     TTU Athletics CCM                PDF
xxxxxx6904     TTU Craft Center Gallery CCM     PDF
xxxxxx6905     TTU Craft Center Office CCM      PDF
xxxxxx6907     TTU Photo Services CCM           PDF
xxxxxx6908     TTU Fitness Center CCM           PDF
xxxxxx6909     TTU Touchnet                     PDF
xxxxxx6910     TTU Business Office Core         N/A
xxxxxx6911     TTU Business Office Core         N/A
xxxxxx6912     TTU Business Office Core         N/A
xxxxxx3555     TTU Eagle Card CCM               PDF
xxxxxx9024     TTU Extended Education CCM       PDF
xxxxxx3345     TTU Health Services CCM          PDF
xxxxxx6080     TTU Advancement Online           N/A
xxxxxx9530     TTU Market Place App Fee         PDF
xxxxxx1169     TTU Athletics Online             N/A
xxxxxx8650     TTU Market Place Res Life        PDF

Training

PCI DSS Requirement 12.6 requires that credit card merchants provide a formal security awareness program to make employees aware of the importance of cardholder data security.

Important Websites

PCI Standard & Requirements

Matt Smith, Associate Bursar
(931) 372-6592
Derryberry Hall (DBRY) 100

Carolyn Gernt
(931) 372-3716
Derryberry Hall (DBRY) 100

Credit Card Terminals & Credit Card Receipts

Stephaine Hargis, Financial Associate 4
(931) 372-3018
Derryberry Hall (DBRY) 100

PCI ITS Policies & Requirements

Stephen Emert, Academic Computing Specialist
(931) 372-6315
Clement Hall (CLEM) 216

Dennis Hood, Systems Support Manager/Asst. Dir. I.T.S.
(931) 372-3972
Clement Hall (CLEM) 224

Dwight Hutson, Systems Programmer
(931) 372-3989
Clement Hall (CLEM) 227