PCI DSS Six Goals, Twelve Requirements

Goal #1: Build and Maintain a Secure Network and Systems

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters


Goal #2: Protect Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks


Goal #3: Maintain a Vulnerability Management Program

  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications


Goal #4: Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need-to-know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data


Goal #5: Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes


Goal #6: Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel


Failure to meet these requirements can result in negative consequences for students, donors, customers, departments and ultimately the university. Non-compliance can lead to security breaches, stolen cardholder data and its fraudulent use (see the section Danger of Not Being Compliant).

 

Which requirements apply to a given merchant is determined by the Self-Assessment Questionnaire (SAQ) type that matches the merchant's environment. Assessment of a merchant's cardholder data environment is a required step in acquiring a Merchant ID (see the section on Merchant Identification Number). The university's annual reporting requirements include the compiled SAQs of university merchants, covering any software implemented to store, process, or transmit cardholder data, together with the Attestation of Compliance for each SAQ.

The Self-Assessment Questionnaire, usually referred to as the SAQ and sometimes pronounced "sack", is a validation tool with which merchants self-evaluate their compliance with PCI DSS. There are several versions of the SAQ, each tailored to a different merchant environment, so a merchant completes only the version that fits how it accepts and handles card data.