Policy Name: Payment Card Industry Data Security Standards (PCI DSS) Security Policy

PURPOSE

The Payment Card Industry Data Security Standards (PCI-DSS) constitute a set of procedures issued by the PCI Security Standards Council which are contractually required by the payment card industry. The primary intent of PCI-DSS is to ensure the protection of payment card transactions and cardholder data.

This PCI-DSS Security Policy, which supports the University PCI-DSS Policy, defines the security standards that internal and external card processors must follow in implementing basic safeguards to protect the confidentiality, integrity, and availability of payment transaction and cardholder data. This policy outlines the framework for Georgetown University’s compliance with the PCI-DSS regulation.

SCOPE

The PCI-DSS Security Policy applies to all Georgetown University information technology assets, systems, networks, and data; as well as the Faculty, Staff, Researchers, Affiliates, Suppliers, and Students who own, operate, or maintain technology systems that accept, process, store, manage or otherwise interact with payment card data on behalf of or in partnership with Georgetown.

POLICY

As directed by Georgetown University Office of Financial Affairs, the University adheres to all applicable requirements, standards, and specifications of PCI-DSS in developing and maintaining policies and guidelines for security standards for the protection of PCI data. In ensuring the ongoing security of payment card data in the manner outlined in the Georgetown PCI-DSS Policy, the University does not permit the storage, transmittal, and/or processing of PCI data on its networks or its technology assets. Third-party suppliers acting on behalf of or in partnership with Georgetown must adhere to and abide by the PCI-DSS standards outlined by the PCI Security Standards Council policies.

The University has adopted the most recent version of the Payment Card Industry Security Standards Council Security Standards, as amended from time to time, as the guiding policy for this security domain.

NONCOMPLIANCE

Violations or non-adherence to this policy may result in remediation efforts that can include, but are not limited to, suspension of an individual’s/department’s ability to process credit cards, revocation of the GU merchant number, blacklisting on the University networks, and disciplinary action up to and including termination of employment.

RELATED DOCUMENTS

Computer Systems Acceptable Use Policy

Georgetown University Payment Card Industry Data Security Standard (PCI DSS) Policy

GU PCI DSS Service Center Handbook

GU PCI DSS Card Processor Handbook

June 2019