PCI Guidelines
Facts about Payment Card Industry (PCI-DSS) Compliance
- Driven by the major credit card companies
- “Enforced” by merchant suppliers and gateway providers as well as some banks
- Applies to all organizations that process, transmit and/or store credit card information
- Leverages general computer and information security best practices already applied in industry
- It is *not* mandatory
- Can carry hefty penalties to organizations that decide to remain non-compliant
- Looks relatively simple on the surface but can be extremely complex and cost prohibiting to implement and maintain
Reasoning behind PCI Compliance
- Prevent data breaches
- Protect merchants and consumers
- Minimize liability
PCI at the UofW - Best Practices
- Do not store credit card data unless you absolutely have to – this applies to paper records, electronic records and voice recording
- If you need to store credit card data, ensure there is a retention policy in place and that it is exercised across all methods of storage and disposal
- Do not send (or receive) credit card data via Email or any other unsecured method of transfer
- Use dedicated connections (a phone line) for stand-alone POS machines - do not utilize the campus network. POS machines used for processing debit cards *only* can be connected to the network
- If choosing an application that processes credit card information, ensure that it is compliant with PCI PA-DSS standards
- Consult with your merchant services what options are available that would assist in achieving/remaining PCI compliance
Contact the Information Security Office for additional information and guidance.
PCI Document Library -