CSUF PCI DSS STANDARDS

The objective of CSU, Fullerton PCI DSS Standard is to establish payment card requirements for all areas within the campus community or effect the security of a system that processes, transmits, or stores confidential cardholder data. The provisions of this policy and PCI DSS apply to the entire University, including its auxiliary organizations, as well as all third party service provider that processes, transmits and stores cardholder data on behalf of the University, or provide services that could affect the integrity of cardholder data.

Directive

Securing information protected by federal and state law as well as California State University (CSU) policies and procedures, is essential. As such, the University will:

• Comply with all federal and state laws and regulations, as well as CSU policies and procedures, concerning the collection, use, maintenance, and release of protected information.
• Develop, implement, and monitor administrative, technical, and physical safeguards to mitigate unauthorized intrusion, malicious misuse, or inadvertent compromise of protected information.
• Ensure all individuals working with protected information are responsible for collecting, using, maintaining, and releasing it do so in accordance with federal and state laws or regulations, as well as CSU policies and procedures.

Authority

Several federal and state laws, as well as CSU policies, govern access to information collected, used, maintained, and released by the University, including but not limited to the:

• Family Education Rights and Privacy Act
• California's Information Practices Act
• Title V
• California's Public Records Act
• Gramm-Leach-Bliley Act
• Health Information Portability and Accountability Act
• CSU Information Security Policy
• CSU Board of Trustee Executive Orders
• PCI SSC Requirements

Information Security Implementation

This Directive applies to the collection, use, maintenance, and release of protected information by the University or, when applicable, by any of its auxiliary or affiliate organizations.

Roles and Responsibilities

Payment Card Industry Implementation Members

PAYMENT CARD INDUSTRY COMPLIANCE COMMITTEE (PCICC)

• University Controller
• Internal Security Assessor
• Information Security Officer
• Student Business Services

PCICC is responsible for the implementation and oversight of university policy and general compliance with the PCI Goals and Requirements.

The following are university PCI Standards and Guidance

• PCI Policies and Guidelines for Non-IT Staff
• PCI Standards and Guidance for IT Staff
• PCI Basics and Skimming Handout