Processing and Security Policy (PCI Compliance)

Responsible Office
Finance & Administration
Responsible Party
Senior Vice President for Finance & Administration
Last Modified
September 2021
Approved By
Cabinet
Approval Date
September 2021
Effective Date
October 2021
Last Review
September 2021
Additional References

Scope

All financial and administrative policies involving campus community members, including volunteers, are within the scope of this policy. If there is a variance between departmental expectations and the common approach described through college policy, the College will rely on the campus community, including volunteers, to support the spirit and objectives of college policy. Unless specifically noted in college policy, the College's Board of Trustees is governed by its bylaws.

Policy

This policy applies to all faculty and staff of Colorado College who process and manage technology related to the handling of cardholder data, or who oversee employees with access to authentication data related to cardholder information. This means that the institution's PCI scope includes any department or group on campus that receives, processes, stores, or transmits cardholder data, or that has cardholder data collected and processed on its behalf by a third-party entity. These users are responsible for reading, understanding and complying with this policy.

If there is variance between departmental expectations and the common approach described through college policy, the College will rely on the campus community, volunteers and the Board of Trustees to support the spirit and the objectives of college policy.

Purpose

The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identity theft and credit card fraud. PCI DSS is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. As a merchant that handles credit card data, Colorado College is responsible for safeguarding credit card information and adhering to the standards established by the PCI DSS. This includes establishing policy and setting up controls with regard to handling credit card data, computer and internet security related to credit card processing, and annually completing a self-assessment questionnaire.

The purpose of this policy is to define requirements for accepting and processing payment cards in the course of College business that will protect customers' credit card data, uphold the College's reputation and minimize the risk of financial costs associated with a breach of credit card information. The College requires that all departments that process, store or transmit credit card data remain in compliance with the Payment Card Industry Data Security Standard at all times.

Penalties for not complying with the security requirements, or failure to rectify a security issue, may result in fines levied by the merchant bank starting at $50,000 and/or restrictions on the merchant account. The consequences of non-compliance are severe. Therefore, the College requires all departments and employees to comply.

1. Every Colorado College department accepting payment cards is subject to the Payment Card Industry Data Security Standard (PCI DSS).

2. Information Technology Services (ITS) is responsible for building and maintaining a secure network, including installing and maintaining a firewall configuration to protect data and assuring that vendor-supplied passwords are changed prior to installing a system on the network. ITS will ensure that all routers, switches, wireless access points and firewall configurations are appropriately secured.

3. ITS will assure that strong cryptography and security protocols are in place for transmission of cardholder data across open, public networks. Transmission of cardholder data through terminals requires P2P (point-to-point) encryption. Transmission of cardholder data via end-user technologies (such as e-mail, instant messaging or chat) is prohibited.

4. ITS is responsible for maintaining a vulnerability management program that includes the use and regular update of anti-virus software/programs and the development/maintenance of secure systems and applications.

5. Information Technology Services is responsible for regular testing of security systems and processes. This includes running an internal vulnerability scan quarterly. External scans are performed by

6. The Finance Office will provide training to all departments to ensure they are able to accept and process credit card payments in compliance with Colorado College's policy.

7. Outsourcing, or the use of third-party providers, must be approved in writing by the Finance Office before any agreement is entered into. All third-party providers must meet the standards set forth by the Payment Card Industry Data Security Standard (PCI DSS) and be certified. This certification must be obtained before the vendor is contracted and must be reaffirmed annually.

8. The Finance Office will annually verify that third-party payment applications are compliant and, where applicable, appear on the Payment Application Best Practices (PABP) list.

9. Access to cardholder data is restricted to those staff members who are responsible for processing or transmitting this data. Staff members accessing cardholder data physically or electronically must be approved by their department head as well as the Finance Office. Staff members approved to access and process this data will be asked to complete PCI compliance training and testing, and will be granted access to these functions on completion of training, using only their own unique password.

10. Departments are prohibited from storing cardholder data electronically. All paper storage should contain only account numbers masked to display the last 4 digits of the account. No department shall store the card verification code, expiration date, PIN, or the full contents of the card's magnetic stripe.
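Item 10 states the storage rule (only PANs masked to the last four digits; no verification code, expiration date, PIN or magnetic stripe data). The script below is an added example, not part of the College's policy or tooling: it masks an account number the way the policy requires and audits a set of records for data the policy forbids. The field names (`pan`, `cvc`, `pin`, `exp`, `swipe`), the sample records, and the track data layout are constructed for this example; the two account numbers used are the card brands' published integration test numbers, not real accounts.

```python
import re

# A run of 13-19 digits (optional single space/dash separators) not embedded in a longer digit run.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic stripe track 1 and track 2 layouts (constructed for this example).
TRACK1 = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2 = re.compile(r";\d{13,19}=\d{4}")

# Constructed sample records. 4111111111111111 and 5555555555554444 are the
# publicly documented Visa/MasterCard test numbers, not real card accounts.
SAMPLE_RECORDS = [
    {"name": "A. Sample", "pan": "4111 1111 1111 1111", "exp": "12/25", "cvc": "123"},
    {"name": "B. Sample", "pan": "************4444", "note": "reconciliation copy"},
    {"name": "C. Sample", "swipe": "%B5555555555554444^SAMPLE/B^25121010000000000?"},
    {"name": "D. Sample", "pan": "************0005", "pin": "1234"},
]


def luhn_ok(digits: str) -> bool:
    """Return True if a digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask an account number so that only the last four digits remain (policy item 10)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or len(digits) > 19:
        raise ValueError("not a card account number")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_violations(record: dict) -> list:
    """Return (field, reason) pairs for data the policy forbids storing."""
    findings = []
    for field, value in record.items():
        text = str(value)
        key = field.lower()
        if key in {"cvc", "cvv", "cvv2", "cid"} and re.fullmatch(r"\d{3,4}", text):
            findings.append((field, "card verification code stored"))
        if key in {"exp", "expiry", "expiration"} and re.fullmatch(r"\d{2}/\d{2,4}", text):
            findings.append((field, "expiration date stored"))
        if key == "pin" and re.fullmatch(r"\d{4,12}", text):
            findings.append((field, "PIN stored"))
        if TRACK1.search(text) or TRACK2.search(text):
            findings.append((field, "magnetic stripe track data stored"))
        # A masked PAN ("************1111") has no 13-19 digit run, so it is not flagged.
        for m in PAN_RUN.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((field, "unmasked account number"))
                break
    return findings


def audit(records: list) -> dict:
    """Map record index -> findings for every record that violates the storage rule."""
    report = {}
    for i, record in enumerate(records):
        violations = find_violations(record)
        if violations:
            report[i] = violations
    return report


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    for idx, findings in audit(SAMPLE_RECORDS).items():
        for field, reason in findings:
            print(f"record {idx}: {field}: {reason}")
```

The Luhn check keeps the scanner from flagging every long digit string (order numbers, tracking IDs) as an account number; only records 0, 2 and 3 of the sample set are reported, and record 1, which holds the masked form the policy permits, passes clean.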

11. Employees are prohibited from using remote access technologies, wireless technologies, removable electronic media of any kind, laptops, personal digital assistants or e-mail to store, transmit or process credit card data.

12. Paper copies of credit card data retained for reconciliation purposes must be stored in a secure location. Departments are prohibited from transmitting credit card data by fax, e-mail, the College wired/wireless network (unless properly configured), or in unsealed envelopes through campus mail, because these are not secure transmission methods. Cardholder data may only be accepted by telephone, by mail, or in person, never by e-mail or electronic form. The best practice is not to write credit card data on paper, but in an emergency, if such information needs to be written, it should be shredded immediately after the transaction has been authorized by the credit card company. If it is necessary to temporarily retain these documents during processing, they must be kept in a secure and locked area.

13. The College currently accepts American Express, Discover, MasterCard and VISA. Departments are authorized to accept only the credit cards approved by the Finance Office. The Finance Office must first approve any addition of merchant accounts or changes to existing merchant accounts. Purchasing, selling or discarding a terminal; purchasing software with any kind of credit card processing capabilities; or selecting/changing a service provider that has credit card processing capabilities must first be approved by the Finance Office.

14. Upon notification of a possible or suspected breach, the Finance Office and ITS will be responsible for reporting the incident to all relevant stakeholders and for maintaining network security. This will include notifying the credit card companies.

15. ITS will review its network security policies annually. All merchant IDs will be reviewed annually for compliance using a Self-Assessment Questionnaire (SAQ). Any updates will be shared with the Finance Office.

Policy Review

This security policy will be reviewed annually, or as deemed necessary by ITS Security and the Finance Office in light of a specific incident or changes in the College environment.

Procedures

Definitions

Cardholder Data

Cardholder data is any personal information about the cardholder. This may be an account number, expiration date, name, address, telephone number, social security number, card verification code (CVC), or any other information that identifies the cardholder.

Data Security Standard

Standards developed by the Payment Card Industry council that include controls for the secure handling of sensitive consumer information, to assure consumers that their credit card brands are reliable and secure.

Merchant

An organization, department, agency or unit that accepts credit cards as a means of payment for goods, services, information, or gifts.

Merchant Account

An account established by a bank for a unit, to which sale amounts are credited and processing fees are debited.

Payment Card Industry (PCI)

The industry body formed by the credit card brands (Visa, MasterCard, Discover and American Express) that established the Data Security Standard (DSS). http://www.pcisecuritystandards.org/

Policy Compliance Training and Agreement

The PCTA is a validation tool used primarily by merchants to enable PCI DSS compliance.

College Senior Stakeholders

Senior stakeholders include, but are not limited to:

Vice President - Information Technology Services
Assistant Vice President - Human Resources
Senior Vice President - Finance & Administration
Last updated: 11/01/2021