OUHSC Information Technology Department

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS is a comprehensive set of requirements for protecting payment account data. The standard is maintained by the PCI Security Standards Council, which was founded by the five major card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

Although the PCI DSS is an industry standard rather than a law, the card brands enforce it contractually through the acquiring banks: a non-compliant merchant can be fined and can lose the ability to accept payment cards.

For additional information regarding the PCI Data Security Standard (PCI DSS), please refer to the following: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.

PCI DSS version 3.2.1 was released in May 2018 and is the version against which OUHSC measures its compliance.

Leadership and oversight of compliance with the PCI DSS for OUHSC and its Tulsa campus counterparts is charged to the PCI Governance Group.


The PCI Governance Group is part of the OUHSC Information Security Review Board and its charter can be found here: PCI Governance Group Charter


Only products approved by the Bursar and IT Governance Risk and Compliance (IT GRC) are authorized for processing credit card transactions, and only through a merchant account obtained from the approved merchant provider.

Details on how to request a merchant account can be found at the following link:

How to Accept Credit Cards


For questions: acceptcreditcards@ouhsc.edu

Approved Merchant Provider: First Data

Approved merchant products (this list may not be complete):

Touchnet MarketPlace
PayEezy - cloud-based virtual terminal that also supports recurring billing of both fixed and variable amounts
First Data FD130
First Data FD35 Pin Pad with EMV
First Data FD410 Wireless
IDTech M130 (for Centricity Business Payment locations)
Clover Go

Non-Compliance

The PCI Governance Group has approved the OUHSC Escalation Process for PCI Non-Compliance, which governs how issues of non-compliance are handled.

Instances of non-compliance with OUHSC PCI policy and standards will be presented to the PCI Governance Group in accordance with this process.

Supporting documents:

University of Oklahoma Policy

OUHSC Standard

OUHSC PCI Incident Response Plan

PCI DSS

PCI DSS Glossary

Understanding SAQs (Self-Assessment Questionnaires)

Skimming Prevention At-a-Glance

Skimming Prevention Best Practices

Essentials of Patching

Essentials of Remote Access

Essentials of Strong Passwords

POI Characteristics Form

POI Inspection Log


Please submit any questions to: IT GRC