PCI General Information

What is PCI?

PCI Team

How Can RIT Business Units Accept Payment Cards?

PCI DSS Payment Card Processing Guidelines

 

What is PCI?

PCI stands for Payment Card Industry. Major payment card companies such as Visa, Mastercard, and American Express make up the PCI, and they define standards for merchants must adhere to in order to securely process credit and debit card payments.

PCI compliance rules change as different threats emerge and different requirements apply based on how merchants process payment cards (e.g. one time transactions vs. recurring payments; over the phone vs. in-person, etc.).

All merchants who accept payment card payments are required to maintain an ongoing understanding of their PCI requirements. RIT Business Units meet annually with the RIT PCI Team to ensure PCI requirements are understood and met.

Failure to comply with PCI standards could result in fines and/or all of RIT losing the ability to process debit and credit card payments.

More information about the PCI council is available on the Official PCI Security Standards Council website.

 

RIT PCI Team

The RIT PCI Team is made up of individuals from ITS, Student Financial Services, and the Controller’s Office. The RIT PCI Team is responsible for the following:

  • Defining how RIT Business Units can process payment card transactions
  • Helping RIT Business Units understand and meet PCI requirements
  • Defining and enforcing PCI policies and procedures for RIT
  • Submitting annual PCI validation materials to M&T Bank for all RIT Business Units
  • Helping RIT Business Units change or setup payment channels
  • Order and decommission payment devices

The RIT PCI Team can be contacted by sending an email to commerce@rit.edu.

 

How Can RIT Business Units Accept Payment Cards?

PCI requirements vary by merchant depending on how payment card data is processed and stored.

RIT has a targeted PCI scope that keeps the number of requirements as low as possible while allowing for payment options that meet RIT’s business needs.

The following payment options are available for RIT Business Units to accept payment cards:

  • Analog point-of-interaction (POI) devices
    • Analog POI devices can be used for face-to-face (F2F) and mail/telephone orders (MOTO)
    • Analog POI devices connect to analog phone lines only
    • Analog devices do not integrate with point-of-sales (POS) software

 

  • Point-to-point Encrypted POI Devices (P2PE)
    • P2PE devices can be used for F2F and MOTO
    • P2PE devices connect to RIT’s network only
    • Payment card data is encrypted on the device at the time of swipe/dip/tap/manual entry
    • P2PE devices integrate with POS software

 

  • NOTE: RIT Business units who manually enter payment card data into an analog or P2PE payment device (e.g. for a mail or telephone order) must have a PCI Data Retention Procedure on file. The RIT PCI Team can provide a template and will work with RIT Business Units to ensure this requirement is met.

 

  • Online
    • Credit and debit cards can be accepted online using online order pages hosted by RIT PCI Team-approved third party service providers (e.g. Nelnet, AudienceView).
    • RIT Business Units must redirect users from RIT websites to the third party service provider website for payment processing.
      1. This includes websites hosted at RIT as well as websites hosted by another third party (e.g. CampusGroups, Slate, T2Systems all redirect to Nelnet to collect payment card data for RIT).

NOTE: Because of RIT’s targeted PCI scope, RIT Business Units who accept credit and debit card payments online must never use nor allow anyone to use the keyboard of RIT-issued computers, smartphones, or tablets to manually enter payment card data into a website for their business. P2PE or Analog payment devices must be used to manually enter payment card data.