Evaluating credit card service vendors
Based on the PCI Data Security Standards
Brandeis strongly recommends using either TMS Gateway for tuition and related expenses, or Skipjack for accepting credit cards over the web for things such as fundraising, product sales and ticket sales. LTS will assist you in setting up these services. Using these vendors means that Brandeis never retains the credit card information itself and therefore does not have to manage the security of this sensitive data.
If you choose not to use the recommended vendors, you MUST have LTS speak with your proposed vendor in order to verify compliance with the Payment Card Industry (PCI) Data Security Standard (PDF), a set of requirements established by the major credit card brands to protect cardholder data. The standard's requirements fall into the following groups:
- Build and Maintain a Secure Network
  - Install and maintain a firewall to protect data.
  - Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect Cardholder Data
  - Protect stored data using encryption, perform regular purges of old data and perform regular backups.
  - Encrypt transmission of cardholder data and sensitive information across public networks.
- Maintain a Vulnerability Management Program
  - Use and regularly update anti-virus software.
  - Develop and maintain secure systems and applications, including applying regular security patches.
- Implement Strong Access Control Measures
  - Restrict access to data by business need-to-know.
  - Assign a unique ID to each person with computer access.
  - Restrict physical access to cardholder data.
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data.
  - Regularly test security systems and processes.
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security.