Compliance Requirements for Payment Card Transactions

To: All Departments that Accept Payment Cards
From: MaryFrances McCourt, Treasurer
Dennis W. Reedy, Managing Director
Subject: Compliance Requirements for Payment Card Transactions
Date: February 6, 2007

Indiana University has always adhered to the highest standards when it comes to protecting sensitive data. President Herbert notified all University staff in July of 2006 of new Indiana State laws that place additional responsibilities on Indiana University staff for safeguarding sensitive data. Payment card data is highly sensitive and therefore must meet these compliance standards.

Within the past two years the major credit card companies (VISA, MasterCard, Discover and American Express) came together and published a uniform set of data security standards that ALL merchants (i.e. IU Departments) must comply with in connection with the acceptance of payment cards. These new standards are called the Payment Card Industry Data Security Standard, or PCI DSS. These standards have placed additional responsibilities on your department in connection with your acceptance of payment cards.

Complying with PCI DSS is not an option. Indiana University must comply in order to be approved and continue to accept payment cards.

Non-compliance with these standards puts Indiana University at risk for:

  • Large monetary fines assessed to your department and/or Indiana University
  • Loss of merchant status for department
  • Loss of merchant status for Indiana University
  • Loss of faith in Indiana University name

Maintaining compliance is no easy task for a rapidly growing, complex, decentralized organization like Indiana University. Compliance is further complicated by Indiana University’s increased use of web-initiated transactions and third-party vendors.

Almost daily there are articles regarding data security breaches, many at colleges and universities. We do not want to see Indiana University or your department name in the headlines. To assure that Indiana University does not incur a breach and become a headline, your department must do a number of things. These are outlined in the appendix.

Compliance is a challenge, but it is one that we are meeting and will continue to meet. If you have any questions or feel you may have some compliance issues, please do not hesitate to contact Ruth Harpool via phone (812) 855-3910 or email. Ruth will be happy to meet with you and address any concerns you may have. I also recommend that you visit the Office of the Treasurer website to find additional information on PCI DSS.

Appendix - PCI DSS Compliance Requirements / Guidelines

  • It is against University Policy VI-110 to store credit card numbers on any computer, server, or database. This includes Excel spreadsheets.
  • Treat payment card receipts like you would cash.
  • Keep payment card data secure and confidential.
  • Restrict access to card data to “those who need to know”.
  • Documents containing cardholder data should be kept in a secure environment (e.g. a safe or locked file cabinet).
  • Cardholder data must be transmitted securely (i.e. encrypted).
  • Email is not an approved way to transmit credit card numbers.
  • Fax transmittal of cardholder data is permissible only if the receiving fax is located in a secure environment.
  • Credit card receipts and supporting documentation containing card numbers should be kept for two years, but no longer.
  • “Sanitize” account numbers on paper documents.
  • Paper receipts should be destroyed so that account information is unreadable and cannot be reconstructed.
  • Manual swipers or imprinters are not authorized for use.
  • Technology changes that affect payment card systems are required to be approved by the Office of the Treasurer prior to being implemented.
  • Any new systems/software that process payment cards are required to be approved by the Office of the Treasurer prior to being purchased.
  • Computer systems that process payment cards must be behind a firewall.
  • Use and regularly update anti-virus software.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Assign a unique ID to each person with computer access.
  • Computer systems that process payment cards must have the ability to monitor and track access to network resources and cardholder data.
  • Report all suspected or known security breaches to the Treasurer’s Office and the IT Security and Policy Office.

Please call (812-855-6465) or email Treasury Operations if you have any questions.