Should Boston College Departments be Concerned About PCI Compliance?
YES! The Payment Card Industry Data Security Standard (PCI DSS) applies to any department that collects, stores, processes, or transmits credit or debit card information. If your department does any of the above, PCI Compliance is not a request or a suggestion; it is a requirement. The University is working to implement new systems to ensure compliance, but departments still have an ongoing responsibility to protect credit card data. For the University to maintain compliance, every department must adhere to the following:
- Do not store credit card data on your PC. If you need to keep credit card data, keep it in an approved PCI system.
- Restrict access to payment card account numbers to staff with a need to know.
- Authenticate with a unique username and password for each user. DO NOT SHARE PASSWORDS!
- Protect credit card information, including paper and fax copies, against unauthorized access.
- Never store the full contents of any magnetic-stripe track, or the card validation code (the three-digit code on the back of the card, or the four-digit code on the front of an American Express card), after a transaction has been authorized.
- Dispose of cardholder data properly when it is no longer needed: shred paper and delete files from your computer.
- Do not enter into an agreement with any third-party vendor that collects credit card data from your customers without an appropriate contract, one that makes the vendor responsible for protecting that cardholder data.
Why do I need to document anything? I know what I'm doing with my work.
Documentation is a specific set of instructions that explains and maintains your processes and controls. For example, often one person in a department develops and implements certain departmental processes. The successful use of those processes, and the production of the specialized data they generate, may then depend on the continued presence of that single individual. If that person leaves the University, specific knowledge about the process may be lost.
If I don't properly document my work, what could happen?
Inadequate documentation can result in:
- loss of processing time
- loss of records/files necessary to support an operation
- over-reliance on knowledge of only one key individual
How extensive should my documentation be?
Documentation serves as communication to employees on how to handle a particular process and why. This aids the consistent, efficient and effective processing of transactions, and tells employees how to address unauthorized, incomplete, or erroneous transactions. Explaining the "why" helps employees identify which critical information must be preserved when a new system is introduced or a federal regulation, state statute or University policy changes.
Documenting procedures is essential for communication, analysis, accountability and control. Adequate documentation permits correct accounting and helps prevent errors in processing and recording. Basic documentation should include:
- a summary of the process including key controls.
- specific procedures for running a program or processing records.
- a list of file names or system descriptions needed to process certain records.
- decisions made and agreed upon by management, recorded to avoid future misunderstandings.