Payment Card Industry Data Security Standards Policy
Purpose
The Payment Card Industry Data Security Standards (PCI DSS) policy outlines the security controls the university uses to protect systems that store, process, or transmit payment card information.
Scope
This policy applies to any university Information Technology Resource (ITR) that stores, processes, or transmits payment card information.
Policy
Approved ITRs for storing, processing, or transmitting payment card information
All online ITRs used for storing, processing, or transmitting payment card information should outsource all payment processing to a non-university system so the systems can be evaluated against PCI DSS Self-Assessment Questionnaire A as found at https://www.pcisecuritystandards.org/document_library/.
All in-person ITRs used for storing, processing, or transmitting payment card information should use a validated PCI-listed P2PE solution so the systems can be evaluated against PCI DSS Self-Assessment Questionnaire P2PE as found at https://www.pcisecuritystandards.org/document_library/. A list of approved solutions can be found at https://listings.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions.
Storage of payment card information
ITRs that store, process, or transmit payment card information are not permitted to store more than the first 6 digits and the last 4 digits of a payment card number. Storage of track data and card verification values is also not permitted.
Exceptions
All exceptions to this policy require written approval from the Chief Information Security Officer. All exceptions require annual renewal.
Appendix
Definitions and Terms
Information Technology Resources (ITR) – This includes, but is not limited to, end-user computing devices, services, networks, email, software, printers, scanners, video distribution systems, telephone systems, fax systems, and other computer hardware and software, whether owned by the university or contracted by the university from a third party.
Revision History
August 2024 – Policy adopted