Payment Card Industry Compliance
PCI DSS: Introduction to Payment Card Industry Data Security Standards
RIT is committed to conducting its academic and administrative activities ethically and in compliance with applicable laws and regulations. When the University accepts payment for goods or services by means of a credit or debit card (collectively, payment cards), it has a responsibility to protect the personal financial information of the individual making the payment.
Members of the payment card industry (PCI) have developed data security standards (DSS) for any organization that accepts, captures, stores, transmits, or processes payment card information, whether manually or through an automated system. The PCI DSS are designed to reduce losses related to credit or debit card fraud and to improve the security of card payment account data. The requirements are maintained by the PCI Security Standards Council, whose founding members include American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
Compliance with PCI DSS is not optional; RIT must comply with the standards in order to continue to accept payment cards. In addition, any supplier/contractor with whom RIT engages to accept, capture, store, transmit or process payment card information must also be compliant with the security standards. Any unauthorized exposure of credit or debit card information could subject the University to significant financial penalties and reputational damage. It is therefore the responsibility of all RIT departments that accept, capture, store, transmit, or process credit or debit card payments to ensure compliance with PCI DSS, to ensure that employees accepting such payments are sufficiently trained in appropriate payment card handling procedures, and to certify such compliance on an annual basis. Employees and students handling cardholder information must acknowledge an understanding of RIT’s Payment Card Processing Guidelines. All employees involved in payment card processing are required to complete Payment Card Security Training annually, including the completion of a quiz and a certification.
Governance, Oversight and Training
The Payment Card Steering Committee (PCSC) is responsible for providing governance, oversight and training in connection with PCI DSS at the University. The PCSC meets regularly with representatives from the PCI DSS working group charged with ensuring compliance with PCI DSS across the University. Members of the PCSC include the AVP / Chief Information Officer, AVP / Chief Compliance & Ethics Officer, AVP / Controller, AVP / Global Risk Management, AVP / Institute Audit, Compliance & Advisement and AVP / Student Auxiliary Services. The PCSC also reviews and approves new applications from departments that would like to accept payment card transactions for goods or services offered for sale to faculty/staff, students, alumni and others outside of the University. The working group comprises staff from Information Technology Services, Student Auxiliary Services, Student Financial Services and Treasury/Cash Management.
All RIT departments / employees accepting payments for goods / services via credit or debit card share a responsibility to ensure compliance with PCI DSS. See the following pages for more information:
• Required Security Practices
• Payment Card Glossary of Terms
• Payment Card Processing Guidelines
• Payment Card Security Training
• Physical Security and Skimming Prevention of Point of Sale Devices