PCI DSS and Data Security

Payment Card Industry (PCI) compliance can be daunting, particularly in institutions of higher education with a variety of complex commerce activities. In this presentation, you’ll learn how Notre Dame tackled PCI DSS. We chose a network within a network approach to simplify compliance through isolation and minimize integration issues.

"If you accept payment cards on campus, you need to comply with a standard designed for safe handling of sensitive consumer information. Indiana University’s compliance plans offer some guidance."

With all of the concern today about retailers inadequately protecting their credit card data, it's logical to assume that retail IT managers would have made themselves quite familiar with the ins-and-outs of the Payment Card Industry Data Security Standard (PCI DSS).

In 2004, Visa and MasterCard collaboratively developed the Payment Card Industry Data Security Standard (PCI DSS) to create common industry security requirements. This session will share the campus perspectives and approaches of Washington State University and the University of Washington in addressing the standard.

How do you know that your data exchange is secure? Our campuses exchange data daily, much of it critical and confidential. Is your banking relationship supporting secure data exchange? How secure are your retirement file feeds? Can anyone on campus initiate data exchange? If so, are they trained to make the exchange secure? Discuss challenges and solutions for making data exchanges secure.

Many of us are working within our institutions to achieve Payment Card Industry (PCI) compliance. We see a number of merchants on campuses with different business needs, systems, and vendor relationships in place. In many cases, achieving compliance with PCI DSS, the Data Security Standard, is proving difficult.

The presenters will share experiences and valuable lessons learned in implementing PCI DSS, including merchant levels (does it matter?), limiting the scope of the PCI effort (yes, it can be done), the Payment Applications Best Practices list (is it required?), and recent findings on information security breaches.

Welch and Conway will represent NACUBO and all of higher education at the first PCI Security Standards Council meeting of participating organizations to be held in Toronto next month. Bring your questions, suggestions, and observations to share with them in advance of that meeting.

Oakland University is subject to rules, regulations, and contractual provisions regarding the handling of Bankcards and Cardholder Information, as those terms are defined in this document.  This Policy provides mandatory security measures and procedures for University departments accepting Bankcards for payment.

This document outlines Duke University's expectations of departments accepting credit card payments as related to the Payment Card Industry Data Security Standard (http://www.visa.com/cisp), which has been designed to safeguard sensitive data for all card brands.

This table provides a high-level mapping between the security requirements of the Payment Card
Industry Data Security Standard and the information security policies found within ISPME V10. ISPME
also provides policy coverage for many areas not specifically mentioned in the high-level requirements,
but specified in the detailed requirements of the standard.