PCI DSS Do’s and Don’ts
What are my responsibilities?
There are a few key things you should do (and also not do!) to stay compliant with the PCI DSS (Payment Card Industry Data Security Standard). This simple list of Do’s and Don’ts should get you started down the path of PCI compliance:
PCI compliance: DO
- Change every default password (on your computer, payment terminal, or network device) to a strong, unique password.
- Supervise all visitors, including University personnel who are not normally authorized to be there, in areas where credit card information is handled or stored.
- Ensure all cardholder data is rendered unreadable wherever it is stored or transmitted, including portable media, back-up media, logs, and wireless (Wi-Fi) networks; the card number should never appear in full in any file or log.
- Cross-cut shred handwritten credit card information immediately after use.
- Store documents or media with credit card information in a locked drawer or filing cabinet accessible only by authorized personnel.
- Report immediately to your supervisor and the Office of the Treasurer if you suspect credit card information has been lost, stolen, exposed, or otherwise misused.
- Submit a quarterly external vulnerability scan report completed by an Approved Scanning Vendor (ASV). DoIT and the Office of the Treasurer can facilitate your scan.
- Complete an annual Self-Assessment Questionnaire (SAQ) and submit it to the Office of the Treasurer to help ensure PCI compliance.
- Attend a PCI training class. Contact the Office of the Treasurer for on-site training or to learn more about what PCI training is offered.
- Keep a copy of all University credit card policies and departmental credit card policies at your workstation.
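The "unreadable wherever it is stored" point above applies to application and web-server logs as much as to files, and logs are where full card numbers most often leak by accident. The following is an added example, not part of the University policy page, showing one common way to enforce it: a log scrubber that finds candidate card numbers, confirms them with the Luhn check (so order numbers and timestamps are not mangled), masks all but the last four digits, and blanks out any field labelled as a security code or PIN, which must never be stored at all. The log lines at the bottom are constructed for the example; masking to only the last four digits is stricter than the truncation the PCI DSS permits, which is deliberate.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not preceded or followed by another digit (so we do not match inside
# longer numeric strings).
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

# Sensitive authentication data fields that must not be stored at all.
# Field names are assumed for the example; adjust to your own log format.
SAD_FIELD = re.compile(r'(?i)\b(cvv2?|cvc2?|cid|pin)\s*[=:]\s*\d{3,6}')


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    return '*' * (len(digits) - 4) + digits[-4:]


def _mask_match(m: re.Match) -> str:
    raw = m.group(0)
    digits = re.sub(r'[ -]', '', raw)
    # Only mask strings that look like real card numbers; leave other
    # long numbers (order IDs, timestamps) untouched.
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return mask_pan(digits)
    return raw


def scrub_line(line: str) -> str:
    """Return the log line with card numbers masked and CVV/PIN fields removed."""
    line = PAN_CANDIDATE.sub(_mask_match, line)
    line = SAD_FIELD.sub(lambda m: m.group(1) + '=[REDACTED]', line)
    return line


if __name__ == '__main__':
    # Constructed sample log lines (test card numbers, not real accounts).
    sample_log = [
        '2024-03-04 10:15:22 POST /pay card=4111111111111111 cvv=123 amount=25.00',
        '2024-03-04 10:16:01 refund pan 4012 8888 8888 1881 ok',
        '2024-03-04 10:16:40 order=1234567890123 status=ok',
    ]
    for entry in sample_log:
        print(scrub_line(entry))
```

Run the scrubber on the log stream before it is written to disk or shipped to a central log server; scrubbing after the fact means the full card number already sat on disk and in backups. The Luhn check reduces false positives but does not eliminate them, so a 13- to 19-digit value that happens to pass the check will also be masked.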
PCI compliance: DO NOT
- Write down any credit card information unless you are explicitly required to do so as part of your business processes.
- Acquire or disclose any cardholder’s credit card information without the cardholder’s consent, including but not limited to:
- the full or partial sixteen (16) digit card number
- the CVV/CVC (the three- or four-digit validation code printed on the card)
- the PIN (personal identification number)
- Transmit or accept any of the above cardholder information via e-mail or any other unencrypted messaging (chat, text message).
- Store any sensitive authentication data on a University computer, server, or on paper, even after a transaction is authorized, including:
- the full contents of the card’s chip or magnetic stripe (track data)
- the CVV/CVC (the three- or four-digit validation code printed on the card)
- the PIN or PIN block
- Use an imprint machine to process credit card payments (unless you must as part of your business processes).
- Leave unsettled batches in terminals at the end of a business day. Set up auto-settle on the terminal or ensure that batches are settled manually each night.
- Share the password to your computer or to any other computer or application you access.
Questions? Contact John Layman of the Office of the Treasurer by e-mail (firstname.lastname@example.org) or by phone at 573/882-3318.