ITS Security Policy 118 – PCI Compliance

Summary

This policy ensures Clackamas Community College complies with the PCI-DSS standard by segmenting and hardening the systems that handle payment card data, restricting and logging access to them, prohibiting storage of cardholder data in any form, requiring training for employees who handle it, and requiring networks that carry cardholder data to be monitored for malicious activity and scanned for vulnerabilities. It mandates strict security controls, with exceptions requiring written CIO approval.

Body

Status: TDX Submitted Draft (Altered Policy Number)
Last Revision Date: 7 June 2023


Statement of Purpose

This policy is designed to ensure that Clackamas Community College complies with the Payment Card Industry Data Security Standard (PCI-DSS) to protect cardholder data and maintain a secure transaction environment.

Policy Summary

All users and systems at Clackamas Community College that interact with payment card data must comply with PCI-DSS standards to ensure the security and integrity of payment transactions.

Policy

  1. Network Segmentation: All networks carrying cardholder data must be logically segregated from all other Clackamas Community College networks.

  2. Wireless Network Restrictions: Wireless networks carrying PCI traffic should be avoided. If a wired connection is not feasible, the wireless network must meet at least the WPA2-Enterprise standard.

  3. System Hardening: Workstations and terminals used for processing cardholder transactions must be hardened by removing or disabling unnecessary software applications, services, and hardware.

  4. Access Control for Transaction Processing: Workstations and terminals used for cardholder transactions must be accessible only to authorized personnel. Access to these systems must be logged.

  5. Administrative Access Control: Administrative access to systems and networks involved in processing cardholder transactions must be restricted to designated personnel only. All access must be logged.

  6. Prohibition on Data Storage: Cardholder data must not be stored or retained on any Clackamas Community College-owned or managed IT system.

  7. Written Data Retention: Cardholder data must not be retained in any written form. If documented for temporary use, it must be protected at all times and securely destroyed when no longer needed.

  8. Employee Training: All employees handling PCI data must be notified of their responsibilities and receive appropriate training.

  9. Network Monitoring: Networks carrying PCI traffic must be monitored for signs of malicious activity and scanned regularly for vulnerabilities.

  10. Vulnerability Management: The ITS security team must review and mitigate vulnerabilities based on severity, availability of exploit code, and relevant cyber threat intelligence.

Exemptions

None.

Exceptions

Any exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).

Details

Article ID: 152130
Created
Wed 6/7/23 4:37 PM
Modified
Thu 3/6/25 6:15 PM