• Your Technology
• Technology for Students
• Technology for Faculty
• Technology for Staff
• MyCSUDH
• toroMail
• Labs
• Academic Technology
• WebMail
• Phone/E-Mail Directory
• Request Help Online
• FAQ
• Who We Are
• About IT
• Organization
• Contacts
• Policies
• Information Technology Governance

Payment Card Industry Data Security Standard (PCI DSS) Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.  This standard is designed to minimize both the chance of a card member data compromise and the effects if a compromise does occur

PCI DSS applies to all organizations that accept payment cards as a method of accepting financial gifts or in exchange for goods or services.  PCI DSS also applies to all types of payment card activities transacted in-person, over the phone, via fax, mail or Internet.

New credit card handling security standards and a credit card security self assessment questionnaire have been developed which require campus departments (both state and auxiliaries organizations) taking credit or debit cards for payment to notify the Information Security Office and conduct a yearly self assessment. Useful links:

• Annual Self Assessment PCI Questionnaire (33 KB) (Adobe Acrobat Reader required)
• CSUDH Credit Card Handling Security Standards (56 KB) (Adobe Acrobat Reader required)

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security