University Policies

PCI-PII Security Policy

University Technology Services
University Technology Services

Provide requirements to ensure proper control and integrity of credit card data as well as security in the collection, maintenance, and transfer of credit card data, as well as any personally identifiable information.
Ensure compliance with the standards of the leading card associations referred to as the Payment Card Industry (PCI) Data Security Standards.

PCI and PII data will be secured according to Commonwealth and federal guidelines, as well as according to industry best practices.

  • The University's CFO (or designee) shall approve all requests from business and academic to process financial transactions.
  • The University's CFO (or designee) shall approve all credit card processing activities at the College.
  • All University's business and academic units shall adhere to appropriate standards for PCI/PII data services including training, outsourcing agreements with third party vendors, data/system security, and PCI compliance.

System Security

  • Change vendor default security settings prior to installing the system on the network.
  • Disable or change default accounts and passwords prior to installing the system on the network.
  • Harden production systems by removing all unnecessary services and protocols.
  • Use secure, encrypted communications for remote administrative access.

Data Security

  • PCI/PII data shall not be stored on removable media or transmitted by unencrypted email or instant messenger.
  • PCI/PII data shall not be stored locally in an unencrypted format.
  • PCI/PII data is disposed when it is no longer needed; maximum retention of such data shall not exceed thirty days.
  • Full contents of any track from magnetic stripes are not stored in any manner.
  • Credit card validation codes (the three digit value printed on the signature panel of a card) are not stored in any manner.
  • Only last four digits of the account numbers are displayed when viewing cardholder data.
  • Accounts numbers must be securely stored by means of encryption or truncation.
  • Account numbers must be sanitized before being logged in the audit trail.
  • Access to PCI/PII data must be restricted for users on a need-to-know basis.
  • All users must authenticate using a unique user ID and password.
  • Remote access must be via a secure connection, for example the VPN.
  • All user accounts must be revoked immediately upon termination.
  • All user accounts must be regularly reviewed to ensure that malicious, out-of-date and unknown accounts do not exist.
  • All inactive accounts must be automatically disabled after a pre-defined period.
  • Vendor accounts used for remote maintenance must be disabled when not needed.
  • Group, shared or generic accounts are prohibited.
  • Passwords must be changed on 90 day intervals.
  • Multiple password attempts or brute force attacks must result in an account lockout.
  • Multiple physical security controls must prevent unauthorized access to the facility.
  • Equipment and media containing PCI/PII data must be physically protected against unauthorized access.
  • PCI/PII data printed on paper or received by fax must be protected against unauthorized access.
  • Proper procedures for the distribution and disposal of any media containing PCI/PII data must be followed.
  • PCI/PII data must be deleted or destroyed before it is physically disposed (e.g. by shredding paper and degaussing media).
  • Logs must be secured, regularly backed up and retained for forty-five days online and one year offline.


  • All access to system components is logged and linked to an individual user.
  • Automated system trails are used to log all actions taken with administrator/root privileges.
  • Access to all audit trails is logged
  • Invalid logical access attempts are logged.
  • use of identification and authentication mechanisms are logged.
  • Initialization of adit logs is logged.
  • creation and deletion of system level objects is logged.
  • Audit trail entries for each event contain user identification, type of event, date and time, success or failure indication, origination of event, identity or name of affected data, system component or resource.
  • System clocks and times are synchonized to a central server.
  • Viewing of audit trails is limited to those with job-related need.
  • Audit trails are protected from unauthorized modification.
  • Audit trails are backed up to a centralized log utility.(EventSentry).
  • Logs for the external facing technologies are written to the centralized log utility.
  • Event Sentry is configured to generate alerts for unusual activity.

Potential employees will be asked as part of the application process if they have ever been convicted of a felony.
Vendor PCI Compliance

  • All vendors contracted to manage PCI data must be compliant with the Payment Card Industry (PCI) Data Security Standards.
  • If an active merchant becomes non-compliant with the PCI Data Security Standard, the ability to accept payments by credit cards will be revoked until a compliant status is attained.