Office of Information Security
The Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a set of security standards that governs those who process, transmit, or store credit cardholder data.
Payment Card Industry Data Security Standard
Also known as PCI DSS, this is a set of security standards that governs those who process, transmit, or store credit cardholder data. The Payment Card Industry Security Standards Council, which includes representatives from the major credit card companies (Visa, Mastercard, American Express, Discover, etc.), creates and oversees the requirements within PCI DSS.
PCI DSS ensures that companies that interact with credit cards maintain a secure environment. There are technical and business requirements for PCI DSS. Organizations who fall under the purview of PCI DSS must validate compliance annually.
PCI DSS has 12 broad requirements and more than 300 sub-requirements. The Council created these requirements to meet six broad control objectives:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Any organization that accepts, processes, stores, or transmits cardholder data must comply with PCI DSS, and that includes Penn State.
PCI DSS compliance is very important. Failure to comply could mean fines from banks, increased fees, or even severance of relationships with merchants, which would mean Penn State could no longer accept credit cards as payment.
Check with your supervisor to see if you’re required to take annual PCI DSS compliance training, available in Penn State’s LRN system.
Additional PCI resources
PCI standards and terms
- PCI Security Standards Council
- Payment Card Industry (PCI) Data Security Standard (PCI DSS Version 3.2.1)
- Glossary of Terms, Abbreviations, and Acronyms (Version 3.2)
FN07: Electronic Payments – Credit Cards
University Policy FN07 outlines the acceptance of electronic payments, specifically credit cards, as a form of payment by University areas or departments. For the purpose of this policy, the term “credit cards” shall also be construed to include “credit-card-branded,” “debit cards” and “check cards.” Only units that have established merchant accounts approved through the Corporate Controller’s Office are permitted to accept credit cards as payment.
Online systematic acceptance of other forms of electronic payments, such as wires, EFTs and ACHs, must be approved by the Corporate Controller. The use of third-party payment services, such as PayPal, to process payment for goods or services offered by any University unit is not permitted unless explicitly approved by the Corporate Controller.
Presentation & Archived Communications (Requires permission)
Self-Assessment Questionnaire (SAQ)
The Self-Assessment Questionnaire (SAQ) is a tool that allows merchants that fall under the purview of PCI DSS to self-evaluate their compliance with the standards. Your unit leadership will let you know whether your unit can use the SAQ as part of compliance with PCI DSS. SAQ forms can be found below.
This document contains the requirements by SAQ type.
SAQ Instructions and Forms
What is skimming?
Skimming occurs when criminals capture and transfer payment data for fraudulent purposes. They may steal credit card or bank account information and use it for unauthorized charges or balance transfers.
Typically, skimming is carried out with a device attached to physical payment hardware. Criminals insert electronic equipment into or onto a terminal to capture consumer account data. Skimming equipment can be very sophisticated, small, and difficult to identify. Another common method is placing a fake overlay on legitimate hardware, or replacing the legitimate hardware entirely with a counterfeit device.
How can I prevent skimming?
You can reduce the threat of skimming by:
- Maintaining a list of all credit card devices.
- Inspecting credit card devices for tampering or substitution on a regular schedule, such as once daily or at the beginning of every shift.
- Reporting tampering or substitution of devices immediately to email@example.com.
Want to learn more about skimming?
Review this resource guide from the PCI Security Standards Council.