ITS Security Policy 118 – PCI Compliance

Status: TDX Submitted Draft (Altered Policy Number)
Last Revision Date: 7 June 2023
Statement of Purpose

This policy is designed to ensure that Clackamas Community College complies with the Payment Card Industry Data Security Standard (PCI-DSS) to protect cardholder data and maintain a secure transaction environment.

Policy Summary

All users and systems at Clackamas Community College that interact with payment card data must comply with PCI-DSS standards to ensure the security and integrity of payment transactions.

Policy

  1. Network Segmentation: All networks carrying cardholder data must be logically segregated from all other Clackamas Community College networks.

  2. Wireless Network Restrictions: Wireless networks carrying PCI traffic should be avoided. If a wired connection is not feasible, the wireless network must meet at least the WPA2-Enterprise standard.

  3. System Hardening: Workstations and terminals used for processing cardholder transactions must be hardened by removing or disabling unnecessary software applications, services, and hardware.

  4. Access Control for Transaction Processing: Workstations and terminals used for cardholder transactions must only be accessible to authorized personnel. Access to these systems must be logged.

  5. Administrative Access Control: Administrative access to systems and networks involved in processing cardholder transactions must be restricted to designated personnel only. All access must be logged.

  6. Prohibition on Data Storage: Cardholder data must not be stored or retained on any Clackamas Community College-owned or managed IT system.

  7. Written Data Retention: Cardholder data must not be retained in any written form. If documented for temporary use, it must be protected at all times and securely destroyed when no longer needed.

  8. Employee Training: All employees handling PCI data must be notified of their responsibilities and receive appropriate training.

  9. Network Monitoring: Networks carrying PCI traffic must be monitored for signs of malicious activity and scanned regularly for vulnerabilities.

  10. Vulnerability Management: The ITS security team must review and mitigate vulnerabilities based on severity, availability of exploit code, and relevant cyber threat intelligence.

Exemptions

None.

Exceptions

Any exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).