PCI DSS
Secure Payment Handling with PCI DSS
Many departments across Texas A&M University accept credit and debit cards as a convenient way to pay for goods and services – from tuition and fees to event tickets and merchandise. Whenever we handle these payment cards, we take on the important responsibility of protecting our customers' sensitive cardholder data. The Payment Card Industry Data Security Standard (PCI DSS) provides the framework for doing this securely.
What is PCI DSS?
PCI DSS is a global standard established by the major payment card brands (like Visa, Mastercard, and American Express). It's a set of technical and operational requirements designed to ensure that all organizations that accept, process, store, or transmit cardholder information maintain a secure environment. The primary goal is to prevent credit card fraud and data breaches by protecting sensitive card details.
Any Texas A&M unit, affiliated group, or third-party vendor handling payment card transactions on behalf of the university must comply with PCI DSS. Compliance isn't just a best practice; it's typically a contractual requirement for being allowed to accept card payments.
PCI Compliance Responsibilities at Texas A&M
While the university provides overarching support, the responsibility for PCI compliance ultimately rests with the department or unit accepting payments. This includes:
- Ensuring staff are properly trained on secure card handling procedures.
- Using only approved equipment, software, and processes for handling transactions.
- Potentially completing an annual PCI Self-Assessment Questionnaire (SAQ) to validate compliance.
- Cooperating with Texas A&M Technology Services and the Office of the CISO for network setup, security scans, and assessments.
The Texas A&M Division of Finance facilitates the ability of departments and organizations to accept credit cards. Texas A&M Technology Services plays a key role by approving network architectures and by configuring and managing firewalls for PCI environments. Vulnerability scans and web application security assessments are regularly conducted against PCI systems to check for potential weaknesses; information resource custodians are required to swiftly remediate any identified issues.
Questions?
If your department accepts payment cards or you have questions about PCI DSS compliance at Texas A&M, please contact security@tamu.edu for guidance.
Last Modified: August 11, 2025