色花堂

Live now: Board of Curators meeting

UM System

Payment Card Industry Data Security Standards

New Standards (Version 3.2.1)

 

PCI DSS Self-Assessments

All merchants should complete the designated self-assessment for their merchant.  Completion of the appropriate self-assessment ensures that you fully understand your processes and operations, that you are educated and are held accountable concerning PCI policy and procedures, and that you recognize and remediate any security flaws.

Category 1 - All credit card processing is outsourced.

Category 2 - Merchant only processes payments using a dial up (copper phone line or cellular) terminal.

Category 3 - Merchant only processes payments using an IP terminal.

Category 4 - Merchant only processes payments using a web-based (virtual terminal), and does not store cardholder data electronically.

Category 5 - Merchant only processes payments using systems connected to the internet and NO electronic cardholder data storage.

Category 6 - Merchant stores electronic cardholder data.

Category P2PE - Merchants who only process payments using hardware payment terminals included in a validated and PCI SSC-listed PCI point-to-point encryption (P2PE) solution.

Category A-EP - Merchants who are e-commerce merchants who are not using URL redirection or iFrame, but instead use Direct post or JavaScript to interact with the gateway.  

Category SPoC - Merchants who use software-based PIN entry on COTS (SPoC) solutions.  

 

PCI Data Security Standards Overview

The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security.  These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step.

PCI Data Security Standard - High Level Overview:
  1. Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  2. Protect Cardholder Data
    1. Protect stored cardholder data
    2. Encrypt transmission of cardholder