Internal audit awareness and handling credit card information

May 6, 2015
Categories: General News Tags: Business Affairs

Information security standards that apply to the use of credit card information are the topic of this Internal Audit Awareness Month article from the University’s Internal Audit Department.

Payment Card Industry Data Security Standards (PCI DSS) are technical and operational requirements set by the PCI Security Standards Council to protect cardholder data. These standards globally govern all merchants and organizations that store, process or transmit this data. Compliance with the PCI standards is mandatory and is enforced by the major payment card brands who established the council: American Express, Discover, JCB International, MasterCard and Visa.

PCI version 3.0 represents the newest updates made to PCI DSS; they went into effect on Jan. 1, 2015, and established a number of new or modified requirements. Any UNC Charlotte department that accepts credit cards for payment of University services must comply with the following requirements:

Goals

PCI DSS Requirements

Build and maintain a secure network and systems
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data
  1. Protect stored cardholder data.
  2. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program
  1. Protect all systems against malware and regularly update anti-virus software or programs.
  2. Develop and maintain secure systems and applications.

Implement strong access control measures
  1. Restrict access to cardholder data by business need to know.
  2. Identify and authenticate access to system components.
  3. Restrict physical access to cardholder data.

Regularly monitor and test networks
  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes.

Maintain an information security policy
  1. Maintain a policy that addresses information security for all personnel.

The University and each merchant department are required to submit a self-assessment annually that affirms compliance with these 12 requirements, according to the Internal Audit Department. Each of these steps is a key factor to ensure that UNC Charlotte appropriately stores, processes and transmits credit card data and effectively mitigates the potential for a cyberattack that could result in the theft or misuse of cardholder data.

Inside UNC Charlotte, during May (Internal Audit Awareness Month), is publishing a series of short articles on topics to help the campus better understand the role of internal audit.

“We want our colleagues to better understand our role and mission and encourage their engagement with us whenever they believe they need help. Our website has a wealth of information, and employees are welcome to drop into our offices in Cato Hall,” said Tom York, director of internal audit.

For more information on PCI compliance, contact Becky Smith, financial services, at 704-687-5757.