How does PCI DSS apply at the University of South Carolina?
Since the university processes payment card data from credit and debit cards, we must adhere to the Payment Card Industry’s Data Security Standard (PCI DSS).
Cardholder data includes the payment card number (known as the Primary Account Number or PAN) together with any associated account information, including:
- the cardholder’s name
- the payment card’s expiration date
- the three or four digit verification code
- any other authentication data related to the cardholder.
The following tips may be useful when dealing with PCI data, though these tips alone do not ensure compliance.
- Computers that process payments should only be used for processing payments. These computers should not be used for non-work related or unauthorized activities, such as accessing personal email accounts.
- Under no circumstances should you store any sensitive authentication data such as the user’s Personal Identification Number or PIN, three or four digit verification code or full details of the payment card’s magnetic track data.
- Primary Account Numbers should be rendered unreadable, typically through encryption, whenever they are stored.
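The two storage rules above translate into a concrete data-handling routine: strip out every sensitive authentication data field before a record is written, and keep the PAN only in a form that cannot be read back. The following is an added example written for this page, not code from the university or the PCI Security Standards Council. It uses two of the methods PCI DSS lists for rendering a PAN unreadable (truncation to at most the first six and last four digits, and a keyed one-way hash) rather than encryption, so that it runs with the Python standard library alone. The field names in the sample record are constructed for illustration, and the hashing key is hard-coded only to keep the example self-contained; in a real system it would come from a managed key store.

```python
import hashlib
import hmac

# Fields PCI DSS forbids storing after authorization, under any circumstances.
# Names are illustrative; match them to whatever your payment form actually emits.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cid", "pin", "pin_block", "track1", "track2"}

# Assumption for the example only: a real deployment fetches this from a key
# management system with rotation and access logging, never from source code.
HASH_KEY = b"replace-with-a-managed-secret-key"


def normalize_pan(pan):
    """Remove spaces and hyphens that card readers or forms often insert."""
    return "".join(ch for ch in pan if ch.isdigit())


def luhn_ok(pan):
    """Luhn checksum: catches typos and non-card numbers before they are stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_pan(pan):
    pan = normalize_pan(pan)
    return 13 <= len(pan) <= 19 and luhn_ok(pan)


def mask_pan(pan):
    """Truncate for display: at most first six and last four digits survive."""
    pan = normalize_pan(pan)
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan, key=HASH_KEY):
    """Keyed one-way hash of the full PAN, usable as a lookup token.

    A plain unkeyed SHA-256 is not enough: the PAN space is small enough that an
    attacker who knows the BIN can brute-force it, which is why the key matters.
    """
    pan = normalize_pan(pan)
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record, key=HASH_KEY):
    """Return a copy of a payment record that is safe to persist.

    - every sensitive authentication data field is dropped
    - the clear-text PAN is replaced by its masked form and a keyed hash
    - anything else (cardholder name, expiry, amount) passes through unchanged
    """
    pan = record.get("pan")
    if pan is None or not is_valid_pan(pan):
        raise ValueError("record lacks a valid PAN")

    safe = {}
    for field, value in record.items():
        if field.lower() in SENSITIVE_AUTH_FIELDS:
            continue            # never stored, not even encrypted
        if field == "pan":
            continue            # replaced below
        safe[field] = value

    safe["pan_masked"] = mask_pan(pan)
    safe["pan_token"] = hash_pan(pan, key)
    return safe


# Constructed sample input: a test card number, not a real account.
SAMPLE_RECORD = {
    "cardholder_name": "A. Student",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "track2": ";4111111111111111=29121010000000000000?",
    "amount_cents": 4500,
}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD))
```

The masked value is what a receipt or a refund screen may show; the keyed hash is what you compare against when you need to find every transaction made with the same card, without ever having to decrypt anything. If a process genuinely needs the full PAN back (for example a recurring-billing workflow), that is the point at which strong encryption with proper key management is required, and it should be confined to the smallest possible number of systems.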
In addition, if you operate point-of-sale registers to process customer payments, you need to follow these additional requirements:
- Verify the identity of any third party claiming to be a maintenance or repair person for payment card devices before granting them access to the device. Criminals often pose as repairmen when attempting to compromise a payment card device.
- Before installing, replacing or returning a payment card device (or allowing a third party to do so), make sure you have received verification from your supervisor.
- Maintain awareness of any suspicious behavior occurring around a payment card device, like people trying to unplug or open the device. If you detect this, report it immediately to your supervisor.
For more information on PCI DSS, visit the PCI Security Standards Council online.