UMGC Policy X-1.20 Payment Card Industry-Data Security Standards (PCI-DSS) Compliance

Policy Category: X. Information Governance, Security & Technology
Policy Owner: Chief Transformation Officer
Version Effective Date: October 7, 2024
Review Cycle: Annual
Policy Contact: infosec@umgc.edu
  1. Purpose

    The purpose of this Policy is to establish information security standards for Payment Card Industry – Data Security Standards (“PCI-DSS”) compliance relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

  2. Scope and Applicability

    This Policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this Policy.

  3. Definitions

    Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

  4. Information Technology PCI-DSS Compliance

    All Users must adhere to the requirements of the Information Technology PCI-DSS Compliance Policy to ensure the safe handling of sensitive information related to credit/debit card transactions that are supported by any University Information Technology Resources.

    UMGC must comply with the complete PCI DSS requirements, which can be referenced at the PCI SSC website.

    1. A firewall must be configured and maintained to protect cardholder data.
    2. Information System Stewards should not use vendor-supplied defaults for system passwords and other security parameters.
    3. Internal and external network vulnerability scans must be run at least quarterly and after any change in the network. Vulnerabilities must be addressed and rescans must be performed until passing scans are achieved. Quarterly external scans must be performed by an Approved Scanning Vendor (ASV).
    4. Penetration Testing that includes external and internal penetration testing must be performed at least annually to verify segmentation methods are operational and effective.
    5. Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
    6. Cardholder data must be protected. Cardholder data is defined as:
      1. Primary Account Number (PAN)
      2. Card Validation Code (CVV, CVV2, and CVC2)
      3. Credit Card Personal Identification Number (PIN)
      4. Any form of magnetic stripe data from the card (Track 1, Track 2).
    7. Cardholder data must be protected when stored or in transit over public (or untrusted) networks.
    8. Transmission of cardholder data across open, public networks must be encrypted.
    9. All Information Technology Resources must be protected against malware, and anti-virus software or programs must be regularly updated. System components within the cardholder data network must be part of an active vulnerability maintenance program.
    10. Information System Stewards should develop and maintain secure systems and applications.
    11. Access to cardholder data must be restricted on a need-to-know basis.
    12. Information System Stewards should identify and authenticate access to system components. A unique identification (ID) should be assigned to each person with access to critical systems or software.
    13. Information System Stewards should identify and restrict physical access to cardholder data.
    14. Information System Stewards should track and monitor all access to network resources and cardholder data.
    15. Information System Stewards should regularly test security systems and processes.
    16. Information System Stewards should maintain a policy that addresses information security for all personnel. Consistent policies and procedures are required to be practiced and followed at all times.
  5. Exceptions

    Exceptions to this Policy should be submitted to Information Security for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.

  6. Enforcement
    1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
    2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.
  7. Standards Referenced
    1. USM IT Security Standards, v.5, dated July 2022
    2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” dated February 2020
    3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, December 2021
  8. Related Policies and References
    1. UMGC Information Governance, Security, and Technology Policies
    2. PCI Security Standards Council (PCI SSC)