2. Only authorized ACU employees who are properly trained for PCI-DSS compliance may accept, capture, store, transmit, or process cardholder data or access cardholder information, devices, or systems that store or access cardholder information:
   ○ Employees new to the role of handling cardholder data must be trained prior to receiving credit/debit card handling duties.
   ○ Employees whose payment card handling duties preceded implementation of this policy should receive training as soon as possible.
   ○ The content of the training program must be reviewed and approved by the Controller in Financial Operations.
   ○ Evidence of successful completion of the training program for each applicable employee is required on an annual basis and will be documented by the employee's signature on a certification of training form or completion of an approved online training delivery method.
3. Only PCI-DSS compliant equipment, systems, and methods that are approved by the Financial Operations Team may be utilized to process, transmit, and/or store cardholder information.
4. Critical or high-risk technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants [PDAs], and internet usage) may be used to handle or transmit cardholder data only if approval is obtained from Financial Operations that defines the following:
   ○ Authentication for use of the technology;
   ○ A list of all such devices and personnel with access;
   ○ A description of the acceptable uses of the technologies;
   ○ When applicable, automatic disconnect of remote-access technologies after a specific period of inactivity;
   ○ Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
   ○ Cardholder data may not be entered, processed, or transmitted by an ACU employee or contractor on a computer connected to the internet unless the computer is placed within a separate and secure LAN and only if internet access on the applicable computers is restricted to only the websites necessary to complete transactions.
5. Third-party vendors processing or accessing cardholder data must be PCI-DSS compliant and must, prior to their engagement, provide Financial Operations with a copy of the Vendor's Attestation or Certificate of Compliance with PCI DSS for their applicable validation types. If cardholder data is shared with service providers, the following items apply:
   ○ A list of such service providers must be maintained;
   ○ A written agreement must be obtained from such service providers indicating the service providers are responsible for the security of cardholder data the service provider possesses;
   ○ Financial Operations will monitor the status of service provider compliance with PCI-DSS at least on an annual basis.
6. Each ACU employee or contractor acting on behalf of ACU who has access to cardholder information is responsible for protecting that information in accordance with PCI-DSS and University policy and procedures.
   ○ All media (consisting of all paper and electronic data containing cardholder data) must be physically secured at all times, and the transport of any such media containing cardholder data, if applicable, must be approved by management and tracked by a log or other method.