| To: | All Departments that Accept Payment Cards |
| From: | MaryFrances McCourt, Treasurer; Dennis W. Reedy, Managing Director |
| Subject: | Compliance Requirements for Payment Card Transactions |
| Date: | February 6, 2007 |
Indiana University has always adhered to the highest standards when it comes to protecting sensitive data. President Herbert notified all University staff in July of 2006 of new Indiana State laws that place additional responsibilities on Indiana University staff for safeguarding sensitive data. Payment card data is highly sensitive and therefore must meet these compliance standards.
Within the past 2 years the major credit card companies (VISA, MasterCard, Discover and American Express) came together and published a uniform set of data security standards that ALL merchants (i.e. IU Departments) must comply with in connection with the acceptance of payment cards. These new standards are called Payment Card Industry Data Security Standards or PCI DSS. These standards have placed additional responsibilities on your department in connection with your acceptance of payment cards.
Complying with PCI DSS is not an option. Indiana University must comply in order to be approved and continue to accept payment cards.
Non-compliance with these standards puts Indiana University at risk for:
Maintaining compliance is no easy task for a rapidly growing, complex, decentralized organization like Indiana University. Compliance is further complicated with Indiana University’s increased use of web-initiated transactions and third party vendors.
Almost daily there are articles regarding data security breaches, many at colleges and universities. We do not want to see Indiana University or your department name in the headlines. To assure that Indiana University does not incur a breach and become a headline, your department must do a number of things. These are outlined in the appendix.
Compliance is a challenge, but it is one that we are meeting and will continue to meet. If you have any questions or feel you may have some compliance issues, please do not hesitate to contact Ruth Harpool via phone (812) 855-3910 or email. Ruth will be happy to meet with you and address any concerns you may have. I also recommend that you visit the Office of the Treasurer website to find additional information on PCI DSS.
Appendix
PCI DSS Compliance Requirements/Guidelines
Please call Treasury Operations if you have any questions at 812-855-6465.