All processes, procedures, or technologies used for processing credit card transactions must follow the security standards dictated in the Payment Card Industry Data Security Standards (PCI DSS). Prior to implementation, Cash Management and Cornell Information Technologies (CIT) must evaluate and approve any process, procedure, or technology used.
Units are responsible for creating and maintaining a PCI-compliant environment for any systems under the unit's control that are involved in credit card processing. This includes creating and maintaining compliant networks, system configurations, and physical controls.
To maintain compliance with PCI DSS, units must review all data access controls at least quarterly, confirming that a business need exists for each type of access granted. Units should analyze carefully why it is “necessary” to keep data that requires encryption, firewalling, special handling, and strict adherence to restrictive business practices and expansive technical solutions. Units should thoroughly explore other means of achieving the same goals without storing sensitive data, and/or consult the Cash Management Office.
The following pages contain information on technical and security standards and on protecting cardholder information. For further information, see University Policy 3.17, Accepting Credit Cards to Conduct University Business.
The following documents are restricted to Cornell University employees only. CUWebLogin with a valid NetID and password is required.