Payment Card Industry Data Security Standard (PCI DSS) Compliance Steering Committee (the Committee)
Chief Information Officer and University Controller
New Mexico State University (NMSU) operates within complex regulatory environments that are constantly changing. The PCI DSS Steering Committee (the Committee) was formally established jointly by the University Controller’s Office and the Chief Information Officer (CIO) to assist the university in implementing and maintaining its compliance program for the PCI DSS industry standard, which applies to NMSU because the university accepts and processes payment card payments.
The Committee’s primary function is to assist university officials in setting the priorities and order of business for NMSU system-wide PCI DSS compliance, and to serve in an advisory capacity to the University Controller and the Chief Information Officer as they fulfill their responsibilities for guiding and monitoring operations in the NMSU system-wide cardholder data environment (CDE).
The Payment Card Industry Data Security Standard (PCI DSS) Compliance Steering Committee under the authority of the President of New Mexico State University (NMSU) is currently reviewing PCI DSS compliance issues and processes at NMSU and addressing areas needing improvement.
The PCI DSS Compliance Steering Committee chair is elected by the membership and rotates each calendar year.
The members were appointed based on best management practices identified by the Higher Ed Treasury Institute PCI DSS Compliance community, EDUCAUSE Information Security, and universities similar in size to NMSU.
The members represent the major credit card operations and areas of compliance for the university, and each is responsible for the parts of their unit that contribute to the university’s overall compliance.
Office of the Chief Information Officer and University Controller
Members are appointed to this committee permanently by position.
If best practices change, or a member retires or changes positions within NMSU, the committee requests a designee from the affected department.
| Carlos Lobato | IT Compliance Officer / Chief Privacy Officer | Voting Member |
Meetings are currently held twice a month until the committee stabilizes and the compliance program is fully implemented; thereafter the committee may meet monthly or quarterly.
Meetings were held biweekly on Tuesdays in the Hardman Jacobs 220 Conference Room.
- Expanded the PCI DSS Compliance Steering Board to include Financial Services Administration, client card-taking representatives, and NMSU Audit
- Charter officially approved by the Chancellor 12/2016
- Rule No. 15.55 PCI DSS rewritten and disseminated to the NMSU community 03/2017
- Created a PCI DSS website to meet the university needs of a single portal for information and procedures for merchants
- Created Standard Operating Procedures (SOPs), which were disseminated to all identified merchants
- Committee formally established and approved as an official University Board 05/2017
- Identified merchants and their business processes, procedures, and methods related to taking credit card payments
- Developed a campus-wide PCI-DSS awareness/notification program
- Refined a PCI DSS website to meet the university needs of a single portal for information and procedures for merchants. https://pcidss.nmsu.edu/
- Established an overall NMSU system PCI DSS Compliance Strategy centered on encrypting card data from the point of interaction all the way to the payment processor, better known as point-to-point encryption (P2PE). Because the NMSU network only ever carries ciphertext it cannot decrypt, this significantly reduces both the risk and the effort of applying PCI DSS controls to the existing IT infrastructure. (Note that the full scope reduction PCI SSC grants to P2PE merchants applies only to solutions listed as PCI-validated P2PE.)
  o The P2PE technology has been deployed at:
    DACC Dental Hygiene Clinic
- Hardened UAR’s Cashnet computing by moving it onto a separate 4G network; that environment is PCI DSS compliant provided the operation runs on it year-round.
- Released new and updated PCI DSS training modules through NMSU Training Central. PCI DSS training is required for anyone who handles, processes, or oversees the handling/processing of credit card information.
o Module 1 – Overview of PCI DSS
o Module 2 – Specialized training for credit card takers/ processors / cashiers
o Module 3 – Administrators/Supervisors
- Identified areas needing improvement:
o Network for Cash net locations
o Budgets related to PCI DSS compliance initiatives
o Complexity – development/training of Internal Security Assessor(s)
o Standardization – merchant packets, solutions, and forms
o Loaner program relating to portable event technology
o Dedicated human resources
o Process reengineering
  o Training for end-users who handle or are exposed to credit card information
  o Compliance is ongoing, with yearly verification cycles
  o Regular vulnerability scanning and penetration testing
  o Major merchants: Special Events, Blackboard, Cashnet, Aloha, and KRWG
- Cashnet is NMSU’s cashiering system for processing tuition payments at UAR
- Blackboard is the point-of-sale system used by Auxiliary Services
- Aloha is the system used by the restaurant at the Golf Course