Payment Card Industry Data Security Standard (PCI DSS) Policy

Policy Number	Policy Owner
6017.1	Student Accounts

1.0 Purpose

The State University of New York College at Plattsburgh (“College”) is committed to safeguarding personal information entrusted to it during the normal course of business. Maintaining the privacy of payment card information is a critical element of this stewardship. Adhering to the recognized PCI DSS Standard protects against data breach and identity theft, safeguards the College’s reputation, and ensures compliance with industry-mandated requirements. Therefore, the College will take appropriate measures to protect cardholder data as defined in this policy and related procedures.

2.0 Revision History

Date	Version Number	Change Description	Referenced Section
1/23/17	1.0	New Document	Entire Document
11/1/18	1.1	Minor Revisions	7.0
12/2/18	1.2	Minor Revisions

Date

Version Number

Change Description

Referenced Section

1/23/17

1.0

New Document

Entire Document

11/1/18

1.1

Minor Revisions

7.0

12/2/18

1.2

Minor Revisions

Review Process / Approval

Action:	Units	Date
Policy Review	Student Accounts Management Services
Policy Approval	Executive Council	1/23/17

Action:

Units

Date

Policy Review

Student Accounts
Management Services

Policy Approval

Executive Council

1/23/17

3.0 Units and Persons Affected

4.0 Policy

4.1 It is the policy of the College to allow acceptance of payment cards as a form of payment of goods and services upon written approval of the Vice President for Administration and the recommendation of the PCI DSS Compliance Committee.

4.2 The College requires all departments of the college or a college affiliated organization, contractors, or consultants that handle cardholder data on behalf of the College to do so only in compliance with PCI DSS Standard and in accordance with those related procedures approved by the PCI DSS Compliance Committee.

4.3 Such procedures shall govern the acceptance of payment cards, the handling, transmitting, processing, storage and disposal of payment card data, the training of all individuals for whom this policy applies, and other applicable areas.

5.0 Definitions

Please note: A comprehensive list of PCI DSS definitions can be found in PCI Security Standard Council Glossary ("Glossary") All uses of terms in this policy and any related procedures are in conformance with the definitions found in the Glossary (See Appendix). Any additional terms are defined below.

College Affiliated Organization – College Auxiliary Services, Plattsburgh Alumni Association, Plattsburgh College Foundation, and the Research Foundation for the State University of New York.

PCI DSS Standard – Refers to the latest version of the PCI DSS Standard as approved by the PCI Security Standard Council. As of June 2016, the latest version is 3.2.

6.0 Responsibilities

Covered employees – Responsible for complying with this policy and all related procedures.

Department Supervisors – Responsible for ensuring compliance with this policy and any related procedures promulgated by the PCI DSS Compliance Committee.

PCI DSS Compliance Committee – Responsible for oversight and coordination of campus PCI DSS Compliance efforts, including the establishment and promulgation of related PCI-compliant procedures for handling cardholder data, monitoring and evaluating department compliance with PCI-DSS standard, and approving department-requested deviations from those procedures.

Vice President for Administration – Responsible for approving department requests to handle payment cards and for revoking authorization to handle cardholder data.

7.0 Procedures

8.0 Forms

9.0 Appendix