Office of Information Technology

Technical Response to Payment Card Industry's Data Security Standards

Purpose

The purpose of this document is to establish the technical guidelines for processing credit card charges and credits so as to protect against exposure and possible theft of account and personal cardholder information provided to Western Michigan University, and to comply with the technical requirements of the Payment Card Industry Data Security Standard (PCI-DSS) for transmitting, handling and storing credit card information.

The current version of the PCI-DSS standard (1.2) specifies twelve requirements for compliance, organized into six logically related groups called "control objectives".

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security

Although PCI-DSS is most often associated with Web-based sales and the processing of credit card information over the Internet, it applies to every system that stores, processes or transmits cardholder data, and other services that make a system reachable from the Internet may also expose cardholder information. Therefore, all University credit card merchants, including merchants that transmit via a terminal on a dedicated phone line, must comply with the technical requirements of the Payment Card Industry Data Security Standard (PCI-DSS), including:

  • regular vulnerability scans of the hardware and network that carry cardholder data
  • penetration tests of that hardware and network, executed by a PCI-approved vendor (Ambiron TrustWave)

Scope

The technical requirements referred to in this document apply to all Western Michigan University units with responsibilities for managing and/or maintaining technical configurations for credit card transactions. This applies to any unit within the University, or any University affiliate campus that is responsible for the technical requirements for processing, transmitting, or storing cardholder information in a physical or electronic format. This also applies to all vendors and contract agents who, on behalf of Western Michigan University, handle electronic or paper documents associated with credit card transactions. Western Michigan University reserves the right to require affiliate organizations to comply with technical requirements referenced in this document and/or any requirement imposed by the University's financial institution(s).

Oversight

All transactions (including electronic-based) that involve the transfer of credit card information must be performed on systems approved by the University's Chief Financial Officer, or his/her designee, after a compliance and security review by the Office of Information Technology. All specialized servers approved for this activity must be housed within the secured facility of the University Computing Center and administered in accordance with the requirements of the University Cardholder Information Security Program, including, but not limited to, the OIT Server Management Agreement (refer to the OIT Production/Operations Manager). Exceptions to the server housing requirement must be approved by the Chief Financial Officer in consultation with the Chief Information Officer.

Western Michigan University is subject to PCI-DSS compliance and to examination of its system security and configuration controls to ensure that cardholder information is securely maintained. The Office of the Vice President for Business and Finance is responsible for verifying compliance with industry best practices for conducting electronic payment transactions. The Office of Information Technology complements this through network/server vulnerability scans and/or network/server penetration testing, as noted above.

Data access and manipulation are governed by the standards defined in the University Data Classification document. Violations of these standards may be treated as a data security breach and investigated according to the procedures defined in the University Information Security Incident Response Policy.

For specific University procedures for credit/debit card handling, visit the Western Michigan University E-commerce Committee site.

Office of Information Technology, Western Michigan University, Kalamazoo, Michigan, 49008-5206
Phone (269) 387-5430
Last Updated: April 29, 2009