Differences between revisions 48 and 49
Revision 48 as of 2018-01-17 16:24:20
Size: 4860
Editor: rowe
Comment:
Revision 49 as of 2018-01-17 16:44:16
Size: 5567
Editor: rowe
Comment:
Deletions are marked like this. Additions are marked like this.
Line 11: Line 11:
==== What is PCI? ====
 * The Payment Card Industry Data Security Standard (PCI DSS) is a global standard created to help organizations accept credit cards and payment cards in a manner the helps prevent fraud.
==== What is the Payment Card Industry Security Standards Council ? ====
 * The [[https://www.pcisecuritystandards.org/|Payment Card Industry Data Security Standards Council]] was originally formed by several payment card providers in 2006 with the goal of managing the evolution of the Payment Card Industry Data Security Standard.

'''What is the Payment Card Industry Data Security Standard (PCI''' '''DSS)?'''

 * The [[https://www.pcisecuritystandards.org/document_library|Payment Card Industry Data Security Standard (PCI DSS)]] is the global standard created by the Payment Card Industry Security Standards Council to help organizations accept payment cards in a manner that helps secure transactions and prevent fraud.

'''What is a payment card?'''

 * A payment card is part of a system that enables the cardholder to make a payment by electronic funds transfer. The most common payment cards are credit cards and debit cards.

Line 15: Line 25:
 * PCI Compliance is the process of demonstrating alignment and conformance to PCI DSS standards. More information on these standards is available at the PCI Security Standards Council's website.  * PCI Compliance is the process of demonstrating alignment and conformance to PCI DSS standards.
Line 18: Line 28:
 * As a general rule PCI standards apply whenever a credit card is involved. More specifically compliance is required whenever a credit card number is stored, processed, or transmitted. This is commonly referred to as "being in scope".  * As a general rule PCI tandards apply whenever a payment card transaction is involved. More specifically, PCI Compliance is required whenever a payment card number is stored, processed, or transmitted. This is commonly referred to as "being in scope".
Line 20: Line 30:
==== Is compliance optional? ====
 * No, maintaining payment security is required for all entities that accept credit cards. Oakland University must annually attest to compliance with current PCI standards and update the attestation anytime a new solution that accepts credit cards is implemented.
==== Is PCI Compliance optional? ====
 * No, maintaining payment security is required for all entities that accept payment cards. Oakland University must annually attest to compliance with current PCI standards and update the attestation anytime a new solution that accepts payment cards is implemented.
Line 24: Line 34:
 * Failure to comply with PCI standards can result in fines issued to the University and/or the University's ability to accept payments via credit card being revoked.  * Failure to comply with PCI DSS standards can result in fines issued to the University and/or can result in revokation of the University's ability to accept payment cards for any payments.
Line 26: Line 36:
==== My vendor states they are PCI compliant, is that sufficient? ====
 * No. While a vendor may indicate their product is compliant, they are referring to Payment Application Data Security Standard (PA-DSS) compliance. All PA-DSS applications must also be implemented in a manner that satisfies PCI-DSS standards in order to fully meet PCI compliance requirements. In essence a PA-DSS application needs to be implemented per all PCI requirements in order for it and the University to be PCI-DSS compliant.
==== My vendor states they are PCI Compliant, is that sufficient? ====
 * No. While a vendor may indicate their product is compliant, they are referring to Payment Application Data Security Standard (PA-DSS) compliance. All PA-DSS applications must also be implemented in a manner that satisfies PCI-DSS standards in order to fully meet PCI compliance requirements. In essence a PA-DSS application needs to be implemented per all PCI requirements in order for both the application and the University to be PCI-DSS compliant.

logo.png UTS.png

PCI COMPLIANCE FAQ


What is the Payment Card Industry Security Standards Council ?

What is the Payment Card Industry Data Security Standard (PCI DSS)?

What is a payment card?

  • A payment card is part of a system that enables the cardholder to make a payment by electronic funds transfer. The most common payment cards are credit cards and debit cards.

What is PCI Compliance?

  • PCI Compliance is the process of demonstrating alignment and conformance to PCI DSS standards.

When does PCI Compliance Apply?

  • As a general rule PCI tandards apply whenever a payment card transaction is involved. More specifically, PCI Compliance is required whenever a payment card number is stored, processed, or transmitted. This is commonly referred to as "being in scope".

Is PCI Compliance optional?

  • No, maintaining payment security is required for all entities that accept payment cards. Oakland University must annually attest to compliance with current PCI standards and update the attestation anytime a new solution that accepts payment cards is implemented.

Why does a card processing solution have to demonstrate and maintain compliance?

  • Failure to comply with PCI DSS standards can result in fines issued to the University and/or can result in revokation of the University's ability to accept payment cards for any payments.

My vendor states they are PCI Compliant, is that sufficient?

  • No. While a vendor may indicate their product is compliant, they are referring to Payment Application Data Security Standard (PA-DSS) compliance. All PA-DSS applications must also be implemented in a manner that satisfies PCI-DSS standards in order to fully meet PCI compliance requirements. In essence a PA-DSS application needs to be implemented per all PCI requirements in order for both the application and the University to be PCI-DSS compliant.

When I'm selecting a solution that accepts, stores, processes, or transmits cardholder data, what do I put in the Request for Proposal or look for in the software agreement?

  • Suggested Contract Language for Service Providers PCI DSS Requirement 12.8 requires merchants to maintain and implement policies and procedures to manage Service Providers if cardholder data is shared. Requirement 12.8.2 states further “maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
  • Vendor acknowledges and agrees that it is responsible for the security of all {INSTITUTION NAME} customer cardholder data in its possession. Vendor represents and warrants that for the life of the contract and/or while Vendor has involvement with{INSTITUTION NAME} customer cardholder data, the software and services used for processing transactions shall be compliant with standards established by the Payment Card Industry Security Standards Council (https://www.pcisecuritystandards.org/).Vendor shall, upon written request, furnish proof of compliance with the Payment Card Industry Data Security Standard (PCI DSS) within 10 business days of the request.

  • Vendor agrees to provide to {INSTITUTION NAME} a current and complete copy of their Attestation of Compliance (AOC). Further, Vendor agrees to provide to {INSTITUTION NAME} a proof of a recent (no more than 3 months old) passing quarterlyexternal vulnerability scan as submitted by an Approved Scanning Vendor (ASV). {INSTITUTION NAME} reserves the right to require that the submitted AOC be signed by a qualified security assessor or firm, as listed on the Payment Card Industry Security Standards Council's website.
  • Vendor will inform {INSTITUTION NAME} within 24 hours if it has knowledge of, or can reasonably expect that, a security breach has occurred. Vendor agrees to indemnify and hold {INSTITUTION NAME}, its officers, employees, and agents, harmless for, from, and against any and all claims, causes of action, suits, judgments, assessments, costs (including reasonable attorneys' fees), and expenses arising out of or relating to any loss of {INSTITUTION NAME} customer credit card or identity information managed, retained, or maintained by Vendor, including but not limited to fraudulent or unapproved use of such credit card or identify information.
  • Vendor agrees that notwithstanding anything to the contrary in the Agreement or the Addendum, {INSTITUTION NAME} may terminate the Agreement immediately without penalty upon notice to the Vendor in the event Vendor fails to maintain compliance with the PCI DSS or fails to maintain confidentiality or integrity of any cardholder data.