Overview
James Madison University, in an effort to protect cardholder data, is committed to maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) and takes this responsibility very seriously. All departments currently accepting payment cards are required to actively work with the University Business Office to ensure compliance with PCI DSS at all times. The security of our customers' cardholder data is of the utmost importance to James Madison University.
Departments throughout the University currently accept credit card payments for a wide variety of goods and services using a diverse range of acceptance methods. University departments that process, transmit, or otherwise interact with payment card data as a form of payment are subject to all applicable university policies as well as the entirety of the data security standards laid out by the PCI Security Standards Council.
All payment card activity is governed by Financial Procedure 4125.
Required Documentation for Compliance
Third Party Vendors
All third-party vendors who have any connection to the processing, storing, or transmitting of cardholder data are required by the PCI DSS to be compliant at all times. On a quarterly basis, the University Business Office will verify each vendor's PCI compliance.
Security Awareness Program
New Employee
All employees (full-time, wage, student, volunteer) designated as responsible for, or given access to, payment card information are required to complete PCI DSS Security Awareness Training in person through the University Business Office. To schedule training, contact Wesley Howdyshell at howdysjw@jmu.edu.
Annual Renewal Certification
Current employees who have completed their initial PCI Security Awareness Training are required to recertify once every twelve months. Renewal sessions are offered every year in October.
Payment Card Industry Data Security Standards (PCI DSS)
The Payment Card Industry Security Standards Council (PCI SSC) developed a comprehensive set of requirements that combine financial and information technology standards in an effort to protect cardholder data. The PCI DSS is mandatory for any organization that accepts, processes, stores, or transmits cardholder data. The standard assists JMU and other organizations by setting out requirements for security management, day-to-day credit card processing, network security and much more.
High Level Requirements of the Payment Card Industry Data Security Standard
GOALS | PCI-DSS REQUIREMENTS
Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data
Protect Cardholder Data | 3. Protect stored cardholder data
Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software and programs
Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know
Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data
Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel
Additional Resources
James Madison University Policies
1204 Information Security
1207 Appropriate Use of IT Resources
1210 E-Commerce
Financial Procedures Manual Policies
1020 Forms Index
3045 Local Funds
4105 Deposits
4125 Payment Cards
PCI DSS
PCI SSC Data Security Standards Overview
PCI DSS v.3.2