Two sets of requirements apply when handling credit card payments at Cornell: Cornell's own requirements and the PCI DSS requirements, both outlined below.
Cornell Requirements
Direct questions about credit card equipment, reconciliations, etc. to Cornell Credit Card Payment Processing. Direct questions about PCI compliance to PCI Help.
- All device-based processing must occur through a validated point-to-point encryption (P2PE) solution offered by Arrow Payments. See Getting Set Up for more information.
- All eCommerce transactions must be fully outsourced to a third-party platform.
- Any employee who processes cards or accesses systems that contain data pertaining to credit card transactions must take the PCI compliance training (CASH 200 in CU Learn) upon hire and annually thereafter.
- Anyone who supervises these employees must also take the training.
PCI DSS Requirements
Version 4.0 of the PCI DSS has recently been released and will take full effect in March 2024.
For more information about version 4.0, access these documents, which open in Cornell Box (a Cornell NetID login is required):
The core of the Payment Card Industry Data Security Standard (PCI DSS) is a set of principles (control objectives) and their accompanying requirements, around which the specific elements of the standard are organized. The 12 requirements, grouped under six principles and developed by the PCI Security Standards Council, are intended to help organizations proactively protect customer account data.
Build and Maintain a Secure Network and Systems
- Requirement 1: Install and maintain network security controls.
- Requirement 2: Apply secure configurations to all system components.
Protect Account Data
- Requirement 3: Protect stored account data.
- Requirement 4: Protect cardholder data with strong cryptography during transmissions over open, public networks.
Maintain a Vulnerability Management Program
- Requirement 5: Protect all systems and networks from malicious software.
- Requirement 6: Develop and maintain secure systems and software.
Implement Strong Access Control Measures
- Requirement 7: Restrict access to system components and cardholder data by business need-to-know.
- Requirement 8: Identify users and authenticate access to system components.
- Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Requirement 10: Log and monitor all access to system components and cardholder data.
- Requirement 11: Test security of systems and networks regularly.
Maintain an Information Security Policy
- Requirement 12: Support information security with organizational policies and programs.