Payment Card Industry

Date Approved: 11-17-2010
Last Revision: 11-17-2010
Last Reviewed: 11-17-2010
Approved By: President
Oversight Unit: FINANCE & ADMIN, VICE PRES
This policy has a related procedure.
Purpose

The university is committed to providing a secure information technology environment and protecting the data of the faculty, staff and students as well as other customer data. The purpose of this policy is to ensure that all University technology used to process, store, and transmit cardholder data meets payment card industry (PCI) compliance standards. In addition, this policy is supported by standards which detail the processes NMU will use to adhere to PCI requirements and recommendations. The standards define the minimum data-handling and security requirements to be used by all university personnel using PCI technology.

Applicability

All Northern Michigan University employees

Policy

It is the policy of Northern Michigan University to adhere to Payment Card Industry requirements whenever processing, transmitting, or storing cardholder data. NMU supports this policy with the NMU Payment Card Standards document, which is based on the most current version of the “PCI Security Standards Self-Assessment Questionnaire” but also includes general processing standards for paper and phone payment card transactions. The NMU Payment Card Standards document and the PCI Self-Assessment Questionnaire are reviewed annually as part of the PCI self-certification conducted by the Information Technology/Technical Services department. In addition, departments hosting PCI technology are responsible for developing written procedures and controlled processes to adhere to the NMU Payment Card Standards. All new or renewed externally hosted PCI technology is supported by a contract reviewed by the Information Technology/Information Services department through their security and risk review process.

Definitions

PCI Technology is defined as any software, hardware, port, connection, or data transmission protocol used to store, process, or transmit cardholder data.

Externally Hosted PCI Technology is defined as PCI Technology that is used by NMU but whose host server is physically located off NMU’s campus.

I.T. is defined as the group of Northern Michigan University Information Technology departments that support PCI technology requirements. These include Information Technology/Information Services for contract review and gateway services support, and Information Technology/Technical Services for existing hardware, software and network evaluation and support.

I.T. Hosted PCI Technology is defined as PCI Technology residing on or attached to a server in one of NMU’s temperature- and security-controlled I.T. locations.

Department Hosted PCI Technology is defined as PCI technology housed or maintained by a non-I.T. NMU department.

Cardholder Media is defined as any media, including paper or electronic media, which holds cardholder data; most payment card restrictions apply to the full 16-digit card number, often referred to as the primary account number or PAN.