PCI DSS is the result of a collaboration of the major credit card associations to establish a single data security standard designed to protect sensitive cardholder information. Any entity that stores, processes or transmits cardholder data (including credit and debit cards) must comply with PCI DSS requirements.
PCI DSS requirements are defined by the Payment Card Industry Security Standards Council (PCI SSC). Within the standards there are 12 basic requirements and over 180 specific tasks. Visit the PSCI SSC website at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml or request a copy by emailing firstname.lastname@example.org.
Any entity that stores, processes or transmits cardholder data (including credit and debit cards) must comply with PCI DSS requirements.
- Non-compliance can result in fines and remedial efforts that could easily exceed $1 million. Costs include fines, forensic exams, cardholder notifications, setup of a call center, credit monitoring and more costly compliance requirements. Such costs would be the responsibility of the merchant.
- Risk exposing customers (students, faculty/staff and general public) to fraud and identity theft
- Breach of cardholder information can result in negative publicity and damage to SIUÃ¢s reputation
- Non-compliance can result in the loss of credit card and debit card acceptance privileges
You may contact the BursarÃ¢s Office or if you are a department, please refer SIUC's Personal Information Protection Act Policy
Annual training is required for personnel involved in credit card processing in one of the following categories:
- Has access to cardholder data
- Fiscal officer of account in which credit card payments are credited and/or their delegate.
- Handles credit card payments as part of their regular job duties. Personnel who handle credit card payments on a one time or temporary basis are recommended to attend training, but not required. Personnel whose only contact with credit card information is to swipe cards through a credit card acceptance device, e.g., POS terminal, are not required to attend training.
When required for business purposes, the following information may be stored:
- Primary Account Number (PAN)
- Cardholder Name*
- Service Code*
- Expiration Date*
*Any of these elements being stored in conjunction with the primary account number must be protected in accordance with PCI DSS requirements
The following information may never be stored subsequent to authorization:
- Full Magnetic Stripe
- Card Validation Code (CVC2/CVV2)
- PIN/PIN Block
Note: If storage of cardholder information is necessary, whether in electronic or hard copy form, contact your PCI DSS Campus Committee Representative to discuss acceptable storage methods.