Statement of purpose
The following policy is intended to ensure compliance with the PCI-DSS standard.
Scope statement
This policy shall be applicable to all CCC Staff, Students, Guests, 3rd Party Service Providers, and Public users that utilize CCC Information Technology resources for the purpose of conducting financial transactions using payment cards on behalf of Clackamas Community College.
Policy Summary
CCC Users and Systems that interact with payment card data are required to do so in compliance with PCI-DSS standards.
Policy
Unless an exemption has been approved and documented by CCC’s CIO, the following requirements shall be implemented:
- All networks carrying traffic with cardholder data shall be logically segregated from all other CCC networks.
- Wireless networks carrying PCI traffic shall be avoided. When it is not possible to use a wired connection, the wireless network shall use, at minimum, the WPA2-Enterprise standard.
- Workstations and terminals used to process cardholder transactions shall be hardened by removing or disabling unnecessary software applications, services, and hardware.
- Workstations and terminals used to process cardholder transactions shall be accessible only to those individuals with assigned duties to accept and process card transactions. Access to these systems shall be logged.
- Administrative access to systems and networks used to process cardholder transactions shall be restricted to only those individuals with assigned duties to administer PCI systems and networks, and access shall be logged.
- Cardholder data shall not be stored or retained on any CCC-owned or CCC-managed information technology system.
- Cardholder data shall not be retained in any written form. If card data is documented for any temporary purpose, it shall be protected at all times, and then securely destroyed when no longer required.
- All employees with responsibilities for PCI data shall be notified and trained regarding those responsibilities.
- Networks carrying PCI traffic shall be monitored for indications of malicious activity and routinely scanned for vulnerabilities.
- Vulnerabilities shall be reviewed by the ITS security team and mitigated in accordance with the severity of the vulnerability, availability of exploit code, and cyber threat intelligence indicating that a vulnerability is being exploited.
Exemptions
None
Responsible executive
Chief Information Officer
Last revision date
06-07-2023 srw (Final Draft)