PCI base policy
This policy outlines the overarching processes and requirements surrounding the use of credit cards for payments to campus and the protection of cardholder data. This policy is supplemented by related policies listed below.
When Was This Policy Updated?
May 22, 2017
Who Should Read This Procedure?
WSC staff involved with any processing of credit card transactions or with the maintenance of the systems which support those transactions.
- PAN – Primary Account Number
- NATS – Network and Technology Services
- ISPC – Information Security Program Coordinator – currently the Chief Information Officer
- Business Service Owner – the department manager or administrator responsible for the credit card processing service
- PCICC – PCI compliance committee – The body convened by the ISPC to oversee compliance with and management of services using credit cards to receive payment. The membership of the PCICC will include the ISPC, the Comptroller, one or more representatives from NATS as appointed by the ISPC, and one or more Business Service Owners.
- Ecommerce non-MoR
- Card Swipe Device (SAQ B-iP)
- Point to Point Encryption (SAQ P2PE) (not currently in use)
- Virtual Terminal (SAQ C-VT) (not currently in use)
Any institution or business taking payments for goods and services is expected to accept credit card payments, and WSC is no exception. With that service comes a certain level of risk and trust. That trust is established by WSC’s ability to protect customers’ information from that risk. To accomplish this, we must follow certain procedural and technical guidelines.
In keeping with current best practices and guidelines, any person involved in accepting credit card information via eCommerce, telephone, or in person on behalf of Wayne State College must adhere to the following guidelines in accordance with their role:
- Read and, no less frequently than annually, sign an acknowledgement to indicate understanding of and willingness to follow this and related security policies, to be kept on file with the ISPC.
Business service owners
- Upon examining a new service, a change to an existing service, or renewal of a contract for an existing service, work with the ISPC with no less than 1 year advance notice before the time of renewal, change, or service initiation.
- Work with NATS to annually re-request information from the service vendor to be in compliance with the WSC vendor management policy.
- Work with the VPAF, the NSCS System Office, and, if necessary, the State Treasurer to ensure that contracts comply with institutional and NSCS policy and procedure.
- Convene the PCICC when needed.
- Ensure that the PCICC produces an annual report with the compliance status of all vendors in accordance with the WSC vendor management policy.
Personnel processing transactions
- PANs and other personally identifiable data are not to be transmitted via messaging technologies.
- Do not write down, print, or store PANs on any paper or physical media.
NATS employees involved with PCI compliance
- Ensure vendors use currently accepted encryption ciphers in accordance with the WSC vendor management policy.
Last Updated: 5/22/2017