PCI DSS Overview:

The founding payment brands of the PCI Security Standards Council (VISA, MasterCard, Discover, JCB, and American Express) developed a uniform set of data security standards that ALL merchants must comply with in connection with the acceptance of payment cards. These standards are called Payment Card Industry Data Security Standards or PCI DSS, and the aforementioned Council is tasked with enhancing the standards from time to time as needed. These standards have placed additional responsibilities on each campus in connection with the acceptance of payment cards. PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

All Minnsota State colleges and universities must comply in order to be approved and continue to accept payment cards. Maintaining compliance is no easy task. Compliance is further complicated with the increased use of web-initiated transactions and third party vendors. Almost daily there are articles regarding data security breaches. We do not want to see a Minnesota State institution in the headlines. Compliance is a challenge, but it is one that we are meeting and will continue to meet.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

PCI DSS Resources:

One-On-One Strategic Review Assistance (Advice) (provided by Office of the Chancellor). Campuses can request one-on-one meetings for a more detailed review of their existing compliance category and for help identifying the strategies and remedial steps necessary to bring the campus into compliance and improve the security environment. There is no charge to campuses for this assistance, which is available through June 2010. For more information, contact John Ladwig (john.ladwig@csu.mnscu.edu)

Extension of Contract with Qualified External Vendor for Scanning and Hands-on Technical Services. A contract is in place through December 2010 for campuses to obtain PCI-related technical assistance on campus. Under this contract, a campus may arrange for the contractor to assist with necessary remediation. In addition, the contractor is a certified external vendor for scanning services. Campuses will be billed for on-campus assistance and scanning services. For more information, contact John Ladwig (john.ladwig@csu.mnscu.edu)

System Guidelines for Payment Card Acceptance, Processing and Security. In addition to a secure IT environment, PCI DSS compliance requires that merchants (campuses) have policies on:

  1. information security;
  2. payment card acceptance;
  3. PCI compliance; and
  4. cardholder data access.

Under PCI DSS, a policy/process for adding new merchants or expanding credit card access is recommended. In developing its policy or process, each college and university will need to address issues such as

  1. defining campus management for all payment card acceptance;
  2. exploring handling payments and cardholder data outside the network;
  3. creating an administrative e-commerce guide;
  4. defining merchant (or department) versus central campus management responsibilities; and
  5. adding PCI compliance language to all relevant contracts.

Development of system guidelines to help campuses address these issues is underway.