PCI DSS Compliance Quick Guidelines

University policies prohibit campus departments and individuals from establishing bank accounts without prior approval from the Executive Vice Chancellor/Chief Financial Officer (EVC/CFO) of the CSU and/or the Campus CFO.


An unauthorized bank account is any account established with a bank or financial institution that has not been approved by the EVC/CFO of the CSU for the purpose of depositing and/or administering institutional funds, such as student fees, state operating funds, state appropriated funds, trust funds or auxiliary revenue. This applies to proceeds and receipts related to any University, auxiliary or affiliated organization activity, including, but not limited to, proceeds and receipts from any donor, contract, workshop, event, project, service, grant, campus program and/or reimbursement arrangement.

  • The University prohibits staff and faculty from storing credit card numbers on any computer, server, or database. This includes Excel spreadsheets and emails.
  • All employees and students involved in credit card processing will undergo background checks. The background check must be completed prior to the employee or student working with credit card data.
  • Restrict access to card data by business need to know
  • Paper documents containing cardholder data must be kept in a secure environment (i.e. safe, locked file cabinet, etc.).
  • Restrict physical access to cardholder data.
  • University prohibits transmitting credit card numbers via email.
  • Fax transmittal of cardholder data is permissible only if the receiving fax is as follows:
    • Connected to a dedicated fax line;
    • Located in a secure environment; and
    • Password protected.
  • Credit card numbers on paper receipts must be masked so that only the last four digits are shown.
  • Changes that affect payment card systems are required to be approved by the University Controller prior to being implemented.
  • Any new systems/software that process payment cards are required to be approved by the University Controller prior to being purchased.
  • Install and maintain a firewall and router configuration to protect cardholder data.
  • Use and regularly update anti-virus software.
  • Do not use vendor-supplied defaults for systems passwords and other security parameters.
  • Campus users are assigned a unique ID and system access rules based on user access roles. See the Campus Password Policy for students, faculty and staff.
  • Individuals with administrative access to system components or software that can impact the security of cardholder data are required to use multi-factor authentication.
  • The University tracks and monitors all access to network resources and cardholder data; access logs are reviewed daily.
  • Report all suspected or known security breaches to the Information Security Officer, the University Controller, the Police, or the PCICC.