The purpose of this document is to establish technical guidelines for processing charges or credits on credit cards, in order to protect against exposure and possible theft of account and personal cardholder information that has been provided to Western Michigan University. It also serves to comply with the technical requirements of the payment card industry's data security standards relating to the transmitting, handling and storage of credit card information.
These standards (version 1.2) specify twelve requirements for compliance, organized into six related groups called control objectives.
Build and maintain a secure network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement strong access control measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly monitor and test networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an information security policy
- Requirement 12: Maintain a policy that addresses information security
The primary focus of the payment card industry data security standards is on Web-based sales and the processing of credit card information over the Internet. There are, however, other services that allow systems to be Internet accessible and that may expose cardholder information. Therefore, all University credit card merchants, including merchants transmitting via a terminal on a dedicated phone line, must comply with the technical requirements referred to in the standards document, including:
- Perform hardware/network vulnerability scans regularly.
- Perform hardware/network penetration scans executed by an approved PCI vendor (Ambiron TrustWave).
The technical requirements referred to in this document apply to all Western Michigan University units with responsibilities for managing and/or maintaining technical configurations for credit card transactions. This applies to any unit within the University, or any University affiliate campus that is responsible for the technical requirements for processing, transmitting, or storing cardholder information in a physical or electronic format. This also applies to all vendors and contract agents who, on behalf of Western Michigan University, handle electronic or paper documents associated with credit card transactions. Western Michigan University reserves the right to require affiliate organizations to comply with technical requirements referenced in this document and/or any requirement imposed by the University's financial institution(s).
All transactions (including electronic-based) that involve the transfer of credit card information must be performed on systems approved by the University's Chief Financial Officer, or his/her designate, after a compliance and security review by the Office of Information Technology. All specialized servers approved for this activity must be housed within the secured facility of the University Computing Center and administered in accordance with the requirements of University Cardholder Information Security Program, including, but not limited to, the Information technology's server management agreement. Exceptions to the server storage requirements must be approved by the Chief Financial Officer in consultation with the Chief Information Officer.
Western Michigan University is involved in payment card industry data security standards compliance and is subject to examination of system security and configuration controls to ensure cardholder information is securely maintained. The Office of the Vice President for Business and Finance will be responsible for verifying compliance with industry best practices for conducting electronic payment transactions. The Office of Information Technology will complement this through the use of network/server vulnerability scans and/or network/server penetration testing, as noted above.
Data access and manipulation are governed by the standards defined in the University data classification document. Violations of these standards may be treated as a data security breach and investigated according to the procedures defined in the University information security incident response policy.
For specific University procedures for credit/debit card handling, see the WMU E-commerce website.