Page 1 of 6
FORT HAYS STATE UNIVERSITY
CREDIT CARD SECURITY POLICY
Summary
The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements
for enhancing payment account data security, was developed by the founding payment brands of the
PCI Security Standards Council, including American Express, Discover Financial Services, JCB
International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption
of consistent data security measures on a global basis. PCI DSS compliance is mandatory for any
organization that collects, processes, or stores credit card information.
Purpose
The purpose of this policy is to establish requirements for collecting, storing, processing and
transmitting credit card data to facilitate compliance with the PCI DSS requirements.
Groups Covered
This policy applies to all Fort Hays State University faculty, staff, students, temporary employees and
any other persons who collect, process, transmit or store credit card information physically or
electronically. Any other entity or individual using FHSU servers or the FHSU network must also
abide by this policy. Hereinafter, all applicable persons will be referred to as “Department” for the
purposes of this policy.
To help protect against exposure and possible theft of sensitive credit card data and to comply with
the PCI DSS requirements, Departments must follow the policies and procedures outlined in this
document.
Policy Requirements
Fort Hays State University is required to establish, publish, maintain and disseminate a security policy
that addresses all PCI DSS requirements. Each of the 6 goals and 12 requirements outlined in the
PCI DSS is addressed in this document.
Section 1 - Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Section 2 - Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Section 3 - Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Section 4 - Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data