Payment Card Industry (PCI) Standard
What is Payment Card Industry Data Securty Standard (PCI DSS)
PCI DSS is a mandatory requirement for all organizations that process any form of card payments (credit, debit or pre-paid cards), develop products for payment card transactions or store card details on their networks. PCI DSS compliance is only required when an organization processes payment cards itself, rather than just accepting card payments through a Point of Sale Terminal and passing the transactions directly (untouched) to a Merchant Acquirer.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
Why was PCI DSS created?
PCI DSS was created by the major credit card companies (VISA and MasterCard) to combat the large number of attacks on organizations' computer networks that have resulted in the theft or misuse of large blocks of cardholder information. Often the information stolen could also facilitate identity theft attacks on the information owners.
The Payment Card Industry Data Security Standard (PCI DSS) has been introduced to provide reassurance to customers and to help organizations proactively protect customer account data. The PCI DSS is a comprehensive standard that establishes common processes and procedures for handling, processing, storing and transmitting credit card data.
Information Source: https://www.pcisecuritystandards.org
Merchant Level Scope
| Merchant Level | Merchant Definition | Compliance |
|---|---|---|
| 1 | More than six million V/MC transactions annually across all channels, including e-commerce |
|
| 2 | 1,000,000 – 5,999,999 V/MC transactions annually |
|
| 3 | 20,000 – 1,000,000 V/MC e-commerce transactions annually |
|
| 4 | Less than 20,000 V/MC e-commerce transactions annually, and all merchants across channel up 1,000,000 VISA transactions annually |
|
*** All rows highlighted in yellow are the current scope of Tennessee Technological University.
Self Assessment Scope
- Self Assessment Questionnaire (SAQ): PCI Data Security Standard Self‐Assessment Questionnaire is a validation tool intended to assist merchants andservice providers in self‐evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS SAQ to meet various scenarios. This document has been developed to help organizations determine which SAQ best applies to them. These questionnaires range from level A to level D with A being the least complex and increasing in complexity up to level D.
| Description | SAQ: V2.0 |
|---|---|
| Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| Imprint-only merchants with no electronic cardholder data storage.
Stand-alone terminal merchants, no electronic cardholder data storage |
B |
| Merchants using only web-based virtual terminals, no electronic cardholder data storage. | C-VT |
| Merchants with POS systems connected to the Internet, no electronic cardholder data storage | C |
| All other merchants (not included in Types A-C above) and all service providers defined by a payment brand as eligible to complete an SAQ. | D |
*** All rows highlighted in yellow are the current scope of Tennessee Technological University.
University (TTU) Scope
The PCI Data Security Standard s applies to all TTU departments and units storing, processing, and transferring payment card information.
| TTU Departments in Scope | SAQ: V 2.0 |
|---|---|
| Athletics | B, C |
| Business Office | A, B, C |
| Craft Center | B |
| Eagle Card Office | B |
| Extended Education | B |
| Fitness Center | B |
| Health Sevices | B |
| Photo Services | B |
| University Advancement | C |
Certificate of Compliance & Attestation of Compliance
| Merchant ID | Description |
Certificate PDF FY 2012 | Trustwave Validation |
|---|---|---|---|
| xxxxxx6900 | TTU Loan Accounting CCM |  |
|
| xxxxxx6901 | TTU Market Place General |
|
 |
| xxxxxx6903 | TTU Athletics CCM | |
|
| xxxxxx6904 | TTU Craft Center Gallery CCM | |
|
| xxxxxx6905 | TTU Craft Center Office CCM | |
|
| xxxxxx6907 | TTU Photo Services CCM | |
|
| xxxxxx6908 | TTU Fitness Center CCM | |
|
| xxxxxx6909 | TTU Touchnet |
|
|
| xxxxxx6910 | TTU Business Office Core | N/A |
|
| xxxxxx6911 | TTU Business Office Core | N/A |
|
| xxxxxx6912 | TTU Business Office Core | N/A |
|
| xxxxxx3555 | TTU Eagle Card CCM | |
|
| xxxxxx9024 | TTU Extended Education CCM | |
|
| xxxxxx3345 | TTU Health Services CCM | |
|
| xxxxxx6080 | TTU Advancement Online | N/A |
|
| xxxxxx9530 | TTU Market Place App Fee |
|
|
| xxxxxx1169 | TTU Athletics Online | N/A |
|
| xxxxxx8650 | TTU Market Place Res Life |
|
|
TTU PCI Policy
- Accounting Policies and Procedures (Sesction 6 "Collection, Receipting, and Reconciliation Policies")
- ITS Data Security Policy
- Red Flags Identity Theft Prevention Program (Responding To And Preventing And Mitigating Identity Theft)
- TTU PCI Policy
PCI Authorized Remote Access Support Log
PCI Credit Card Processing Authorization
PCI Critical Technologies Listing
Training
PCI DSS Requirement 12.6 requires credit card merchants provide a formal security awareness program to make employees aware of the importance of carholder data security.
Important Websites
- PCI Security Council
- TTU's Merchant Sevices Provider - Elavon
- Trustkeeper
PCI Standard & Requirements
Matt Smith, Systems Support Specialist
This e-mail address is being protected from spambots, you need JavaScript enabled to view it
(931) 372-6592
Derryberry Hall (DBRY) 100
Carolyn Gernt
This e-mail address is being protected from spambots, you need JavaScript enabled to view it
(931) 372-3716
Derryberry Hall (DBRY) 100
Credit Card Terminals & Credit Card Receipts
Stephaine Hargis, Financial Associate 4
This e-mail address is being protected from spambots, you need JavaScript enabled to view it
(931) 372-3018
Derryberry Hall (DBRY) 100
PCI ITS Policies & Requirements
Stephen Emert, Academic Computing Specialist
This e-mail address is being protected from spambots, you need JavaScript enabled to view it
(931) 372-6315
Clement Hall (CLEM) 216
Dennis Hood, Systems Support Manager/Asst. Dir. I.T.S.
This e-mail address is being protected from spambots, you need JavaScript enabled to view it
(931) 372-3972
Clement Hall (CLEM) 224
Dwight Hutson, Systems Programmer
This e-mail address is being protected from spambots, you need JavaScript enabled to view it
(931) 372-3989
Clement Hall (CLEM) 227