PCI Compliance - SUNY Brockport Payment Card Policy

Purpose

The purpose of this policy is to help assure that SUNY Brockport is:

  1. Acting as good stewards of personal information entrusted to it by its constituents
  2. Making ongoing efforts to protect the privacy of its constituents
  3. Complying with Payment Card Industry Data Security Standards
  4. Minimizing the potential for a security breach resulting from unauthorized and inappropriate use of cardholder information.

Policy

The University prohibits employees, including student workers, from processing any credit card transactions on behalf of customers using the Brockport IT network (both wired and wireless connections). This restriction also applies to all 3rd party organizations, vendors, and service providers operating on SUNY Brockport campus. Credit card transactions on behalf of customers using any University-issued workstations (desktop, laptop, tablet, mobile device) are prohibited.

The approved mechanisms for University departments that need to process credit card transactions electronically are:

  • Enable patrons to use self-service options so that the department is not processing credit card transactions on their behalf:
    • Utilize the University’s payment gateway (NelNet) where appropriate
    • Utilize an alternate PCI-compliant payment gateway that doesn’t utilize the campus network and is approved by the Payment Card Oversight Committee
    • Utilize a Payment Card Oversight Committee authorized POS device that connects to the University’s traditional phone lines or over an authorized cellular network

Faculty, staff, students, and visitors should use University workstations and the IT network only for purposes approved by SUNY Brockport. Unless specifically noted, the transmission of an individual’s personal information including credit card information for non-business reasons using University workstations is done at the user’s own risk.

  • Compliance with the Payment Card Industry Data Security Standards (PCI DSS) is required of all SUNY Brockport employees and departments that accept, process, transmit, or store payment cardholder information.
  • Only SUNY Brockport employees, including student workers, who are properly trained may accept and/or access cardholder information, devices, or systems which store or access cardholder information.
  • Only PCI DSS compliant equipment, systems, and methods may be utilized to process, transmit, and/or store cardholder information. Similarly, all 3rd party vendors utilized by the University must provide evidence of annual PCI compliance both prior to entering into a contract, and on an annual basis thereafter.
  • Each SUNY Brockport employee, including student workers, with access to cardholder information is responsible for protecting that information in accordance with PCI DSS and University policy and procedures.
  • The events and circumstances of a suspected security breach which could negatively affect cardholder information or the University’s compliance with PCI DSS must be immediately reported and investigated in accordance with University policy.
  • Vendors and service providers operating on the SUNY Brockport campus that accept credit cards must execute a contract addendum affirming evidence of their annual compliance with PCI DSS. Non-SUNY Brockport employees who are acting on SUNY Brockport’s behalf must comply with PCI DSS and provide annual evidence thereof.

Because of the substantial penalties and fines that can be levied against SUNY Brockport, as well as the ethical obligation of the University to protect customer information, PCI compliance is of the utmost importance. Please refer to the PCI website, http://www.brockport.edu/support/information_security/pci/, for PCI contact and other information.

Last Reviewed: 11/2019

Last Reviewed by: PCI Oversight Committee