PCI-DSS

Report Suspicious Activities

If you see any suspicious activity, please report it!
Send an email to spam@rit.edu with the suspicious activity attached.

FAQ

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006, to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process.

The major credit card companies (VISA, MasterCard, Discover, and American Express) came together and published a uniform set of data security standards that serve those who work with payment cards. This includes: merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers who create and operate the global infrastructure for processing payments.

ALL RIT merchants (i.e., Business Units that process, store, or transmit cardholder data) must adhere to the PCI DSS if they want to use cards from the major payment card brands that created and adopted the standard. Each business unit assigns one person to monitor, document, and manage credit card processes and security.

For a glossary of terms, abbreviations, and acronyms, click here.

If you have additional questions related to compliance with PCI DSS standards, please contact aaoiso@rit.edu for further information and assistance.

Responsibilities of employees who operate Point of Sale devices include, but are not limited to, the following:

  • Devices must be physically secured at all times
  • Cashiers should visually inspect the terminal daily
  • Annually, and upon hire, employees who accept payments via payment card (e.g., debit or credit) on behalf of RIT will complete the Payment Card Security Training [insert link] and review the PCI Security Standards Skimming Prevention Best Practices for Merchants
  • Complete a Terminal Characteristic form [insert link] for each terminal annually and when there’s a significant change. Retain the completed form for one year from the date of the inspection.
  • Complete a Terminal Inspection form [insert link] monthly. Retain the completed form for one year from the date of the inspection.
  • To ensure compliance with PCI DSS, the Payment Card Steering Committee may request copies of the forms at any time.

Merchant level is determined by the number of credit card transactions a merchant accepts in a year. The dollar amount of the transactions is irrelevant. Merchants who accept fewer than 20,000 transactions annually are considered a Level 4 merchant. Once a merchant accepts over 6 million transactions in a year, they are considered a Level 1 merchant and must have a third-party assessment performed annually. All other merchant levels qualify for an internal or self-assessment. Rochester Institute of Technology (RIT) processes over 20,000 transactions, which makes it a Level 3 merchant.

Notify the PCI team as soon as possible. Your report will then be assigned to the ISO PCI Compliance team member for review and follow-up.

No, the use of personal devices to process credit cards is not allowed. This is because once any device is used to process a credit card, it brings that device and the entire network it connects to into PCI scope. There are several technical controls that must be in place on devices used to process payment cards, and these controls reduce the functionality of the device. You can use a P2PE SRED keypad that is attached to an RIT-issued laptop.