Finance Division

PCI Compliance

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. Clemson University has always adhered to the highest standards when it comes to protecting sensitive data. Payment card data is highly sensitive and therefore must meet these compliance standards.

The major credit card companies (VISA, MasterCard, Discover, and American Express) came together and published a uniform set of data security standards that ALL merchants (i.e. CU Departments) must comply with in connection with the acceptance of payment cards. These new standards are called Payment Card Industry Data Security Standards or PCI DSS. These standards have placed additional responsibilities on CU departments in connection with acceptance of payment cards.

Complying with PCI DSS is not an option. Clemson University must comply in order to be approved for financial transactions and continue to accept payment cards.

Noncompliance with these standards puts Clemson University at risk for:

  • Large monetary fines assessed to your department and/or Clemson University
  • Loss of merchant status for department
  • Loss of merchant status for Clemson University
  • Loss of faith in Clemson University name

For large organizations like Clemson University, PCI compliance presents unique issues. With both online and offline card processing growing, a focus on PCI compliance is necessary, and Clemson University remains vigilant in maintaining it.

Compliance is a challenge, but it is one that Clemson University is meeting and will continue to meet. If you have any questions or recognize that you may have compliance issues, please contact Cathy Freeman by phone at (864) 656-0530 or by email at cdorfne@clemson.edu. She will be able to meet with you and address any concerns in person or through whatever means the department finds appropriate. Visiting the PCI Security Standards Council website (https://www.pcisecuritystandards.org/) is also recommended for additional information on PCI DSS.

Below are steps that each department must take to ensure card processing safety at Clemson University.

  • It is against University Policy to store credit card numbers and the security code on any computer, server, or database. This includes Excel spreadsheets.
  • Treat payment card receipts like you would cash.
  • Keep payment card data secure and confidential.
  • Limit access to system components and cardholder data to only those individuals whose job requires such access.
  • Assign all users a unique ID before allowing them to access system components or cardholder data.
  • Documents containing cardholder data should be kept in a secure environment (e.g. safe, locked file cabinet, etc.).
  • Never send cardholder information via email. Credit card numbers must not be transmitted in an insecure manner, such as email, unsecured fax, or campus mail.
  • Fax transmittal of cardholder data is permissible only if the receiving fax is located in a secure environment.
  • Render sensitive cardholder data unreadable anywhere it is stored.
  • Cardholder data should be destroyed when it is no longer needed, so that account information is unreadable and cannot be reconstructed.
  • Manual swipes or imprinters are not authorized for use.
  • Technology changes that affect payment card systems must be approved by the Cash and Treasury office prior to being implemented.
  • Any new systems or software that process payment cards must be approved by the Cash and Treasury office prior to being purchased.
  • Any computer system hosting a credit card application must be housed in CCIT’s data centers due to security requirements.
  • Computer systems that process payment cards must be behind a firewall.
  • Use and regularly update anti-virus software.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Computer systems that process payment cards must have the ability to monitor and track access to network resources and cardholder data.
  • Report all suspected or known security breaches to Cash and Treasury Services and CCIT’s Information Security & Privacy.

http://www.clemson.edu/ccit/help_support/safe_computing/report/index.html

Please call Cash and Treasury Services if you have any questions at 864-656-0530.