Differences between revisions 28 and 29
Revision 28 as of 2017-11-21 08:21:02
Size: 4970
Editor: tfbuntin
Comment:
Revision 29 as of 2017-11-21 08:22:07
Size: 4934
Editor: tfbuntin
Comment:

PCI COMPLIANCE FAQ

What is PCI?

  • The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard, maintained by the PCI Security Standards Council, that sets requirements for organizations that accept credit cards so that cardholder data is protected and payment fraud is prevented.

What is PCI Compliance?

  • PCI compliance is the process of demonstrating alignment and conformance with the PCI DSS requirements. More information on the standard is available from the PCI Security Standards Council's website: https://www.pcisecuritystandards.org/

When does PCI Compliance Apply?

  • As a general rule, PCI DSS applies whenever a credit card is involved. Specifically, compliance is required whenever cardholder data (principally the card number, or primary account number) is stored, processed, or transmitted. Any system, process, or person that does so is commonly referred to as being "in scope".

Is compliance optional?

  • No. Maintaining payment security is required of every entity that accepts credit cards. Oakland University must attest to compliance with the current PCI DSS annually, and must update that attestation whenever a new solution that accepts credit cards is implemented.

Why does a card processing solution have to demonstrate and maintain compliance?

  • Failure to comply with PCI DSS can result in fines issued to the University, revocation of the University's ability to accept payments by credit card, or both.

My vendor states they are PCI compliant, is that sufficient?

  • No. When a vendor states that its product is PCI compliant, it is usually referring to validation of the payment application against the Payment Application Data Security Standard (PA-DSS). PA-DSS validation covers only the application itself; it does not make the University compliant. The application must also be installed, configured, and operated in a manner that satisfies PCI DSS (following the vendor's PA-DSS Implementation Guide) for the University to remain PCI DSS compliant.

When I'm selecting a solution that accepts, stores, processes, or transmits cardholder data, what do I put in the Request for Proposal or look for in the software agreement?

  • PCI DSS Requirement 12.8 requires merchants to maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data. Requirement 12.8.2 states further: “maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.”

Suggested Contract Language for Service Providers

  • Vendor acknowledges and agrees that it is responsible for the security of all {INSTITUTION NAME} customer cardholder data in its possession. Vendor represents and warrants that for the life of the contract and/or while Vendor has involvement with {INSTITUTION NAME} customer cardholder data, the software and services used for processing transactions shall be compliant with standards established by the Payment Card Industry Security Standards Council (https://www.pcisecuritystandards.org/). Vendor shall, upon written request, furnish proof of compliance with the Payment Card Industry Data Security Standard (PCI DSS) within 10 business days of the request.
  • Vendor agrees to provide to {INSTITUTION NAME} a current and complete copy of their Attestation of Compliance (AOC). Further, Vendor agrees to provide to {INSTITUTION NAME} proof of a recent (no more than 3 months old) passing quarterly external vulnerability scan as submitted by an Approved Scanning Vendor (ASV). {INSTITUTION NAME} reserves the right to require that the submitted AOC be signed by a Qualified Security Assessor (QSA) or firm, as listed on the Payment Card Industry Security Standards Council's website.
  • Vendor will inform {INSTITUTION NAME} within 24 hours if it has knowledge of, or can reasonably expect that, a security breach has occurred. Vendor agrees to indemnify and hold {INSTITUTION NAME}, its officers, employees, and agents, harmless for, from, and against any and all claims, causes of action, suits, judgments, assessments, costs (including reasonable attorneys' fees), and expenses arising out of or relating to any loss of {INSTITUTION NAME} customer credit card or identity information managed, retained, or maintained by Vendor, including but not limited to fraudulent or unapproved use of such credit card or identity information.
  • Vendor agrees that notwithstanding anything to the contrary in the Agreement or the Addendum, {INSTITUTION NAME} may terminate the Agreement immediately without penalty upon notice to the Vendor in the event Vendor fails to maintain compliance with the PCI DSS or fails to maintain confidentiality or integrity of any cardholder data.