Overview – NMSU’s PCI DSS Compliance Strategy
This document provides an overview of NMSU’s PCI DSS Compliance Program and its overall strategy.
Background and what is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Below is a high-level overview of the 12 PCI DSS requirements.
Note, however, that PCI DSS is not a law but an industry standard. It was created by a Council that was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. These brands share equally in the governance and execution of the Council’s work. An in-depth listing of these standards can be found at: PCI DSS Standards.
PCI DSS at NMSU
New Mexico State University is an institutional merchant and is therefore subject to, and must comply with, PCI DSS. NMSU departments that accept payment cards as payment for goods and services are contractually obligated to follow NMSU policy in order to comply with PCI DSS. Note that if a department is out of compliance, the whole institution is out of compliance.
Roles and Responsibilities
Ensuring institutional compliance with PCI DSS is complex. It requires NMSU to take a holistic, institution-wide approach built on a cross-functional team effort in which each function plays a key role. In its approach to compliance, NMSU has defined and designated the following roles and responsibilities.
- PCI DSS Compliance Steering Committee – Oversees institutional PCI DSS compliance and serves in an advisory capacity to the University Controller in guiding and monitoring the University’s cardholder data environment (CDE) to ensure compliance with PCI DSS. For a full description of the steering committee responsibilities, please see the PCI DSS Committee Charter.
- Controller’s Office/Treasury Services – Oversees, reviews and approves the creation of new merchants, and has institutional operating compliance responsibility.
- Information and Communication Technology – Designs and implements an information technology infrastructure that meets the requirements.
- Departmental Responsibilities – Perform credit card processing operations according to requirements.
- Chief Information Security Officer – Determines and defines information security standards and guidelines that meet the requirements.
- IT Compliance Officer – Determines if NMSU’s information technology infrastructure, policy, security, processes and operational practices comply with PCI DSS requirements.