Credit Card Processing and PCI Compliance
Data breaches are scary. They can happen at any time, to any business you trust. While we cannot foresee an attack on Ohio University, we are obligated to take steps to protect our customers.
The major credit card issuers (Visa, MasterCard, American Express, Discover and JCB) created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when transactions are processed using a payment card. PCI compliance is mandatory for every merchant (i.e. department/location) that accepts credit or debit card payments. Departments may think of PCI compliance as an Information Technology or Treasury issue, when in reality it is the responsibility of every department that accepts credit cards.
One of the best ways to ease the PCI burden and safeguard payments is by using PCI Point to Point Encryption (P2PE). With PCI-validated P2PE, payment data is immediately encrypted upon swipe, dip, tap or key in the payment terminal. This ensures that credit and debit card data does not reach the university’s system as clear text, where it could be exposed in the event of a data breach. Existing solutions will need to migrate to P2PE if/when their solution provides P2PE. Going forward, all new credit card processing solutions must be a PCI-validated P2PE (point-to-point encryption) solution.
What are the PCI compliance requirements for Ohio University departments (aka merchants) accepting credit cards?
- Solution must be reviewed and approved by the Office of the Bursar and the OIT Security Office
- Develop and maintain departmental policies and procedures regarding accepting credit card payments. Includes the security of any credit card data handled and an incident response plan to be followed in the event of a suspected breach of that data
- Obtain and maintain documentation of PCI compliance status of any third-party service providers directly or indirectly involved in the processing of credit card transactions (e.g. website hosting services, point-of-sale systems, etc.)
- Complete the Cash Handling & Credit Card Security Awareness training annually. Staff can enroll directly. If you have students or employment agency workers that need to take the training please email a list of student/agency employee names and OHIO IDs to Carole Gilkey (gilkey@ohio.edu)
- Notify the Office of the Bursar (Carole Gilkey or Sherry Rossiter) of any change in credit card processing methods
- Implement the latest PCI P2PE standard
For more information, please contact the Office of the Bursar or the OIT Security Office. More information about PCI P2PE solutions can also be found on the PCI Security Standards Council website.