Understanding Payment Card Industry Data Security Standard (PCI DSS)
This guide describes PCI DSS (Payment Card Industry Data Security Standard) 4.0 rules and guidelines designed to help organizations that handle credit card information keep that information safe and secure.
Key Concepts
Credit card fraud and identity theft are major concerns of the Credit Card Industry. The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
Compliance with PCI DSS is mandatory for all merchants globally and is enforced by the major card brands, who established the PCI Security Standards Council. All merchant locations within UCSF must participate in all PCI DSS training and periodic testing procedures in order to maintain merchant status and to avoid the risk of UCSF incurring financial, reputational, and operational penalties.
PCI Core Standards
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
- Publish, train, and maintain PCI DSS guidelines
Merchant IDs are restricted to the sole use of the assigned department/merchant only. They are not to be shared at any time with any other department. Departments not complying with this policy will forfeit their MIDs and lose the ability to take credit/debit cards as a form of payment.
Ramifications and Exceptions
In the event of a breach or other non-compliance incident, Credit Card Industry penalties start at $100,000 and go up to $500,000; in addition to the initial penalty there is a per-item penalty ranging from $15.00 to $25.00 per compromised credit card number. These penalties will be assumed entirely by the department in violation, and that department will lose all privileges of accepting credit cards.
Therefore it is imperative that your department, in order to maintain credit card privileges, follows all policies established by both the UCSF Credit Card Coordinator and the Credit Card Industry. The UCSF Credit Card Coordinator has the ability and willingness to refuse or to close down an account where the UCSF department using that account is abusing the account or has committed a violation of either UCSF policy or the Credit Card Industry policy. After establishing credit card privileges, except with prior approval from UCSF Merchant Services, departments are NOT to independently add to their credit card operations, functions, services (e.g., eCheck), software, or hardware that is provided by any individual or company. Doing so may result in the termination of privileges.
PCI DSS 4.0 Operational Guidelines in Simple Terms
PCI DSS (Payment Card Industry Data Security Standard) 4.0 is a set of rules and guidelines designed to help organizations that handle credit card information keep that information safe and secure. These guidelines are essential to protect against data breaches and credit card fraud.
All staff who handle payments, apply payments, and/or process protected data related to payments are responsible for protecting that data according to the guidelines set by the PCI Security Standards Council. These guidelines are updated on a cyclical basis and require the University to stay current at all times.
Violation of these guidelines or a determination of negligence by the University can result in the removal of card processing privileges or the imposition of considerable fines against the University.
Here are some key points from PCI DSS 4.0:
Protect Card Data: You need to make sure that when people give you their credit card information, it's kept safe. This means keeping it confidential and limiting who can access it. It should not be emailed, faxed, or written down, to avoid the risk of theft, duplication or phishing.
Passwords and Access Control: You should use strong and unique passwords for your computer systems and limit who can access sensitive card data. It's like locking the doors to your house and not giving the keys to just anyone. Passwords should never be shared or posted for shared use.
Regular Updates: Just like you update your phone or computer for security, you need to keep your software, security systems, and antivirus tools up to date. This helps protect against new threats.
Watch for Suspicious Activity: You should keep an eye out for any strange or suspicious activity on your computer systems or on your card processing equipment that might indicate someone is trying to steal card data.
Train Your Staff: Make sure your employees know how to handle card data securely. It's like teaching them how to handle precious jewelry with care.
Secure Networks: Computer networks need to be set up in a way that prevents unauthorized access. Think of it like a security fence around your home. Merchants need to ensure that they are not contracting with vendors that have not received prior review and approval from Risk Assessment and Data/Network Security teams.
Inspect and Secure your Payment Terminals: Get to know your payment terminals well. Train your staff to be familiar with not just the basic operations but also how to inspect terminals for tampering or loose or foreign parts and how to appropriately secure terminals when they are not being actively monitored.
Limit Data Storage: Don't keep card data longer than you need to. If you don't need it, get rid of it securely. This reduces the risk if there's a breach. Sensitive authentication data (the full magnetic stripe or chip contents, the card verification code, and PINs) must never be stored after authorization, even in encrypted form.
Regular Testing: You should regularly test your security measures to make sure they work effectively. It's similar to checking that the locks on your doors and windows are functioning properly.
Testing of knowledge, procedures, and data security at UCSF is managed in a three-pronged system:
- Annual PCI Security Certification & Recertification through the UC Learning Center for all authorized card payment handlers. Merchant managers hold the responsibility of ensuring that all authorized card handler staff are registered and complete annual certifications.
- Periodic Self-Assessments of Merchants through Questionnaires (SAQs) that are deployed through the Total Compliance Tracking (TCT) tool as appropriate based on the payment technologies in use by each merchant. A detailed description of the SAQ types is available here.
- PCI Data Security Scans conducted within the IT Data Security and Network Security teams to ensure that networks, data retention and data security systems remain secure and up-to-date.
Have an Incident Response Plan: Be prepared in case there is a security breach. UCSF has an Incident Response Plan in place to help handle it. Be sure your team knows how to use it.
In summary, PCI DSS 4.0 is all about ensuring that credit card information is treated with care and protected from theft, just like you would protect your valuable possessions or your home from intruders. By following these guidelines, the University can reduce the chances of card data getting into the wrong hands and protect our customers, students and patients from potential financial harm as well as reduce the risk of reputational and financial penalties to the University.