The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006, to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process.
The major credit card companies (VISA, MasterCard, Discover, and American Express) came together and published a uniform set of data security standards that serve those who work with payment cards. This includes: merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers who create and operate the global infrastructure for processing payments.
Who must be PCI DSS compliant?
ALL RIT merchants (i.e., business units that process, store, or transmit cardholder data) must adhere to the PCI DSS if they want to accept cards from the major payment card brands that created and adopted the standard.
In other words, for RIT to be approved for financial transactions and to be able to accept credit cards, PCI DSS compliance is not optional.
At RIT, PCI DSS compliance is taken seriously. Each business unit assigns one person to monitor, document, and manage credit card processes and security.
Merchant (Business Unit) obligations
For RIT to be compliant, each business unit has a role to play. Documentation is essential when it comes to compliance. There are various forms and templates to be filled out during the attestation period, and each business unit must ensure all of these documents are available for auditor/assessor review when requested. The following documents must be available for annual attestation:
PCI Annual Business Unit Agreement
PCI DSS Terminal Characteristics Form
Inventory and Inspection Log
Secure Document Storage Review Log
Security Awareness Training and Training log
Third-Party PCI and Security Validations (TPSPs AoC)
Check the link below to see what an Attestation of Compliance (AoC) looks like. Third-Party Service Providers are expected to provide this document annually with the necessary information filled out. It must carry the assessor's name, signature, and date.
Employee dos and don'ts
As an employee, you must always:
Take your annual PCI Training
Make sure all payment card documents are secured
Make sure POS devices are not tampered with
As an employee, do not:
Store any sensitive or personally identifying information on any computer
Write down or transmit payment card numbers via fax, email, instant messaging, or social networking sites
Acquire or disclose a cardholder's payment card number without the cardholder's consent
Send cardholder information via email; credit card numbers must not be transmitted in an insecure manner, such as email, unsecured fax, or campus mail
In addition, as an employee, always:
Have store personnel monitor self-checkout terminals/kiosks to prevent thieves from installing card skimmers, which take only seconds to install and steal payment card data and PIN information directly off the card's magnetic stripe
Ensure that both POS and OS software are up to date
Limit access to system components and cardholder data to only those individuals whose job requires such access
Destroy cardholder data when it is no longer needed, so that account information is unreadable and cannot be reconstructed
Obtain approval from the Controller and the Treasury Office before implementing any technology change that affects payment card systems
Report all suspected or known security breaches to the Incident Response Team
Monitor your data: set up alerts for security incidents involving cardholder data or anything that could compromise your cardholder environment
Protecting your credit card information
Keep your card(s) information private. No one needs to know your card number(s)
Never lend your card to someone else. It can be improperly used or stolen
Never give your card details over the phone unless you initiated the call
Do not save your credit card details in your browser when you shop online. If your system is ever hacked or someone snoops on your machine, the card information stored there can be a nightmare
Only shop on secure networks; if you don't see the lock icon in your browser, beware
Remember to activate and sign any new cards as soon as you receive them, before someone can steal them
When using a card, be sure you get it back and take your receipt
Never sign a blank charge receipt. Make sure the receipt has your transactional details on it
Keep a list of your credit card numbers and issuing companies’ numbers in a secure place where you can easily get access when needed