Loyola University Chicago

Financial Services

PCI Training

In September 2006, a group of five leading payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Incorporated) launched the Payment Card Industry (PCI) Security Standards Council, an open global forum responsible for the development, management, education and awareness of the PCI Security Standards.

From the Council came the Data Security Standard (PCI DSS), which provides a baseline of technical and operational requirements designed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally.

The PCI DSS requirements apply to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. Additionally, the PCI DSS affects all credit card acceptance channels, including retail, mail, telephone, fax, and e-commerce.

The common processes and precautions for handling, processing, storing and transmitting credit card data established by the PCI DSS help to combat the unprecedented assaults on personal and financial data that impact cardholders, retailers, banks, service providers and credit card companies.

A high-level overview of the 12 PCI DSS requirements is outlined below:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel

Loyola University Chicago is required to remain in compliance with the PCI DSS. Anyone at the University involved in the process of accepting credit card payments must undergo PCI training annually, and must adhere to the rules and regulations outlined by the council and the University.

Non-compliance penalties vary among major credit card networks and can be substantial: companies can be barred from processing credit card transactions altogether, higher processing fees can be assessed, and, in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance. Several large, well-known institutions that lacked adequate protection have been responsible for exposing credit card payment data. Consequently, these companies were penalized with significant fines and experienced public backlash resulting from the negative media coverage of the major data security breaches within their organizations.

All University departments that transmit, process, or store cardholder data are responsible and accountable for their PCI Compliance. All employees must do their part to protect credit card data and to mitigate the risks associated with processing credit card transactions.

University Cash Management Services (CMS) works with your department to ensure that you are processing credit card payments or donations in accordance with these regulations. Maintaining PCI Compliance will prevent your department and the University from receiving unnecessary fines due to data exposure.

If the e-commerce needs of your department cannot be met by the TouchNet Marketplace product provided and maintained by CMS, you may request authorization to partner with a third party. However, the third party must provide documentation establishing their PCI compliance, must be on VISA’s list of acceptable service providers (if applicable), and must process via the TouchNet payment gateway and a University merchant account established by CMS.

To assist in maintaining the University’s PCI compliance, Loyola departments must adhere to the rules and business procedures below: 

Please note: These rules are subject to change and may not address every PCI DSS requirement. Additional controls and practices may also apply.

The following Loyola policies must also be reviewed:

Credit Card Policy

Responsibilities of Credit Card Handlers and Processors (This document must be signed and submitted to CMS to complete this training. This form is required to be reviewed and signed annually.)

Security Awareness Policy

Data Breach Response Policy

 

Updated: July 1, 2014



Loyola University Chicago Financial Services · 820 N. Michigan Ave. LT-1300, Chicago, IL 60611