Differences between revisions 10 and 11
Revision 10 as of 2017-11-02 11:32:32 (Size: 3057, Editor: bolton)
Revision 11 as of 2017-11-02 11:34:19 (Size: 3014, Editor: bolton)
PCI COMPLIANCE FAQ

What is PCI?

  • The Payment Card Industry Data Security Standard (PCI DSS) is a global standard created to help organizations accept credit cards in a manner that helps prevent fraud.

What is PCI Compliance?

  • PCI compliance is the process of demonstrating alignment and conformance with PCI DSS standards. More information on PCI standards is available from the PCI Security Standards Council's website: https://www.pcisecuritystandards.org/

When does PCI Compliance Apply?

  • As a general rule, PCI standards apply whenever a credit card is involved. Specifically, compliance is required whenever a credit card number is stored, processed, or transmitted. This is often referred to as "being in scope".

Is compliance optional?

  • No. Maintaining payment security is required for all entities that accept credit cards. Oakland University must annually attest to compliance with current PCI standards and update the attestation any time a new solution that accepts credit cards is introduced.

Why does a card processing solution have to demonstrate and maintain compliance?

  • Failure to comply with PCI standards can result in fines and/or the inability for the University to accept credit card payments.

My vendor states they are PCI compliant, is that sufficient?

  • No. A vendor may indicate that their product is compliant; this is referred to as Payment Application Data Security Standard (PA-DSS) compliance. All PA-DSS applications must also be implemented in a manner that satisfies PCI DSS standards.

When I'm selecting a solution that accepts, stores, processes, or transmits cardholder data, what do I put in the Request for Proposal or look for in the software agreement?

  • The awarded Vendor is required to provide their own payment card processing and network connection, and to accept the University's PCI Compliance contract language. The Vendor must also supply all of their own network connectivity, from ISP to port level, to test equipment, if needed.

  Compliance with the Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/) is required for Service Provider solutions that involve payment card processing. The awarded Vendor is required to periodically demonstrate compliance with the Payment Card Industry Data Security Standard ("PCI DSS"), and will achieve and maintain PCI DSS compliance against the current version of PCI DSS published on the PCI Security Standards Council ("PCI SSC") website. The Vendor will create and maintain reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls, and data flow used to receive, transmit, store and secure their cardholder data (CHD). Such documentation will conform to the most current version of PCI DSS. Refer to Exhibit C.