
Payment Card Industry Data Security Standard (PCI DSS) Policy

Approved by Executive Council on January 23, 2017

Policy Number: 6017.1
Policy Owner: Student Accounts

1.0    Purpose

The State University of New York College at Plattsburgh (“College”) is committed to safeguarding personal information entrusted to it during the normal course of business. Maintaining the privacy of payment card information is a critical element of this stewardship. Adhering to the recognized PCI DSS Standard protects against data breach and identity theft, safeguards the College’s reputation, and ensures compliance with industry-mandated requirements. Therefore, the College will take appropriate measures to protect cardholder data as defined in this policy and related procedures.

2.0    Revision History

Date       Version    Change            Ref Section
1/23/17    1.0        New Document
11/1/18    1.1        Minor Revision    7.0

3.0    Units and Persons Affected

All employees or volunteers of the College, College-affiliated organizations, contractors, or consultants that handle cardholder data on behalf of the College and its affiliated organizations ("Covered employee").

4.0    Policy

    4.1 It is the policy of the College to allow acceptance of payment cards as a form of payment for goods and services upon written approval of the Vice President for Administration and the recommendation of the PCI DSS Compliance Committee.

    4.2 The College requires all departments of the College or a College Affiliated Organization, contractors, or consultants that handle cardholder data on behalf of the College to do so only in compliance with the PCI DSS Standard and in accordance with those related procedures approved by the PCI DSS Compliance Committee.

    4.3 Such procedures shall govern the acceptance of payment cards, the handling, transmitting, processing, storage and disposal of payment card data, the training of all individuals to whom this policy applies, and other applicable areas.

5.0    Definitions

Please note: A comprehensive list of PCI DSS definitions can be found in the PCI Security Standard Council Glossary (“Glossary”), which is listed in Section 8.0 of this document. All uses of terms in this policy and any related procedures are in conformance with the definitions found in the Glossary. Any additional terms are defined below.

    5.1    College Affiliated Organization – College Auxiliary Services, Plattsburgh Alumni Association, Plattsburgh College Foundation, and the Research Foundation for the State University of New York.

    5.2    PCI DSS Standard – Refers to the latest version of the PCI DSS Standard as approved by the PCI Security Standard Council. As of June 2016, the latest version is 3.2.

6.0    Responsibilities

    6.1    Covered employees – Responsible for complying with this policy and all related procedures.

    6.2    Department Supervisors – Responsible for ensuring compliance with this policy and any related procedures promulgated by the PCI DSS Compliance Committee.

    6.3    PCI DSS Compliance Committee – Responsible for oversight and coordination of campus PCI DSS compliance efforts, including the establishment and promulgation of related PCI-compliant procedures for handling cardholder data, monitoring and evaluating department compliance with the PCI DSS Standard, and approving department-requested deviations from those procedures.

    6.4    Vice President for Administration – Responsible for approving department requests to handle payment cards and for revoking authorization to handle cardholder data.

7.0    Procedures

For a detailed list of related procedures approved by the PCI DSS Compliance Committee, please see the SUNY Plattsburgh PCI DSS Policy and Procedure Manual.

8.0    Appendix

    PCI DSS Standard
    PCI Security Standard Council
    PCI Security Standard Glossary
    SUNY Plattsburgh Information Security Program