What is PCI DSS?
PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a set of security standards that governs those who process, transmit, or store credit cardholder data. The Payment Card Industry Security Standards Council, which includes representatives from the major credit card companies (Visa, Mastercard, American Express, Discover, JCB), create and oversee the requirements within PCI DSS.
PCI DSS ensures that companies who interact with credit cards maintain a secure environment. There are technical and business requirements for PCI DSS. Organizations who fall under the purview of PCI DSS must validate compliance annually.
PCI DSS has 12 broad requirements and more than 300 sub-requirements. The Council created these requirements to meet six broad control objectives:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Any organization that accepts, processes, stores, or transmits cardholder data must comply with PCI DSS—including Penn State.
PCI DSS compliance is very important. Failure to comply could mean fines from banks, increased fees, or even severance of relationships with merchants—meaning Penn State would no longer be able to accept credit cards as payments.
Check with your supervisor to see if you’re required to take annual PCI DSS compliance training, available in Penn State’s LRN system.
What is an SAQ?
The Self-Assessment Questionnaire (SAQ) is a tool that allows merchants that fall under the purview of PCI DSS to self-evaluate their compliance with the standards. Your unit leadership will let you know whether your unit can use the SAQ as part of compliance with PCI DSS.
SAQ Instructions and Guidelines
This document, maintained by the PCI Security Standards Council, contains guidelines and instructions for completing an SAQ.
Which SAQ do I complete?
There are several versions of the SAQ. This document will help you determine which one your unit must complete.
What about skimming?
What is skimming?
Skimming occurs when criminals capture and transfer payment data for fraudulent purposes. They may steal credit card or bank account information and use it for unauthorized charges or balance transfers.
Typically, skimming occurs using a device placed on physical hardware. Criminals wil insert electronic equipment in order to capture consumer account data. The skimming equipment can be very sophisticated, small, and difficult to identify. Another frequent method is through inserting fake overlays or entirely faking legitimate hardware.
How can I prevent skimming?
You can reduce the threat of skimming by:
- Maintaining a list of all credit card devices
- Inspect credit card devices for tampering or substitution. Develop a regular schedule: try once daily or at the beginning of every shift.
- Report tampering or substitution of devices immediately to firstname.lastname@example.org
Want to learn more about skimming?
Check out this resource guide from the PCI Security Standards Council.
Forms and Links