652  PCI DSS Information Security

Approved by President
Effective Date: June 5, 2017
Responsible Division: Business and Finance
Responsible Office: Compliance and Enterprise Risk Management
Responsible Officer: Assistant Vice President for Compliance and Enterprise Risk Management

I. Purpose

The purpose of this security policy is to establish rules that protect cardholder data and the University resources in scope of PCI DSS. The policy assigns responsibility and provides guidelines for protecting the University’s cardholder data and cardholder data environment against misuse or loss. This document is the Middle Tennessee State University (MTSU or University) Payment Card Industry Data Security Standard (PCI DSS) information security policy. The detailed standards and processes that support this policy are described in the latest revision of the PCI DSS. This policy specifically addresses the security of payment card data as defined by PCI DSS. Cardholder data must be protected, and security controls must conform to PCI DSS.

II. Introduction

To maintain the ability to accept payment cards, safeguard its payment card customers, and protect its cardholder data environment, MTSU must take adequate security measures. As a result, this information security policy reflects the University’s commitment to comply with the latest applicable PCI DSS, as mandated by its acquiring bank and the payment card brands.

The University can minimize exposure, loss, and misuse of cardholder data by complying with PCI DSS, attending to the proper design and control of systems in scope of PCI DSS, and applying sanctions when violations of this security policy occur.

Security is the responsibility of everyone who uses the University’s information technology resources to accept payment cards on its behalf, including employees, contractors, business partners, and agents of the University. Each party must become familiar with this policy’s provisions, and with the importance of adhering to them, when using the University’s computers, networks, data, and other resources to accept payment cards, and is responsible for reporting any suspected violation of this policy. Accordingly, all parties authorized to accept payment cards on behalf of the University must adhere to the relevant policies and procedures mandated by the Office of Business and Finance, the Information Technology Division, and PCI DSS.

III. Scope 

This policy applies to the University’s cardholder data environment, as defined by PCI DSS, and all devices that connect to the cardholder data environment.

Organizations and contractors affiliated with the University are subject to these same definitions and rules when they store, process, or transmit payment card transactions on University property or at a University sponsored event.

IV. Definitions

A.  Acquiring Bank. Also referred to as an acquirer or acquiring financial institution. The entity that initiates and maintains relationships with merchants for the acceptance of payment cards.

B.  Attestation of Compliance (AOC). The University’s certification that it is eligible to perform, and has performed, the appropriate Self-Assessment Questionnaire. Filed with the University’s ac