Payment Card Industry Data Security Standard (PCI DSS) Compliance Steering Committee (the Committee)

CONTACT INFORMATION

For the person completing this report.

CARLOS LOBATO


INFORMATION ABOUT THE BOARD

Board Website (if applicable)

http://pcidss.nmsu.edu/

Official Name of the Board

Payment Card Industry Data Security Standard (PCI DSS) Compliance Steering Committee (the Committee)

Effective date of establishment

12/2016

Authorized by

President

Board Reports To (if applicable)

Chief Information Officer and University Controller

Scope of Impact

System

Type of Board

Standing

Purpose

New Mexico State University (NMSU) operates within complex regulatory environments that are constantly changing. The PCI DSS Steering Committee (the Committee) was formally established jointly by the University Controller’s Office and Chief Information Officer (CIO) to recognize its role in assisting the university with implementing and maintaining its compliance program relating to PCI DSS industry standards, which apply to NMSU since it accepts and processes payment card payments.

The Committee’s primary function will be to assist university officials to decide the priorities and order of business relating to NMSU system wide PCI DSS compliance, as well as to serve in an advisory capacity to the University Controller and to the Chief Information Officer, as they fulfill their roles and responsibilities relating to guiding and monitoring operations in the NMSU system wide cardholder data environment (CDE).

Authority

The Payment Card Industry Data Security Standard (PCI DSS) Compliance Steering Committee under the authority of the President of New Mexico State University (NMSU) is currently reviewing PCI DSS compliance issues and processes at NMSU and addressing areas needing improvement.

MEMBERSHIP

What is the process for selecting a chair?

The PCI DSS Compliance Steering Committee chair will be elected by the membership, and will rotate each calendar year.

Chair for 2017-18 Academic Year

Name

CARLOS LOBATO

Email


Co-Chair for 2017-18 Academic Year

Chair for 2018-19 Academic Year

Name

CARLOS LOBATO

Email


Co-Chair for 2018-19 Academic Year

Additional Membership Details

Members are appointed by

By Position

Position appointment description

The members were appointed based on best management practices identified by the Higher Ed Treasury Institute on PCI DSS Compliance community, EDUCAUSE Information Security and at other Universities similar in size to NMSU.

Is membership representative?

Yes

Please describe how the membership is representative.

The members represent the major credit card operations and areas of compliance for the university and are responsible for those areas in each of their units that contribute to the overall compliance issues in the university.

What university function/office is responsible for appointments?

Office of the Chief Information Officer and University Controller

What are the terms of appointment?

Members by position are permanently appointed to this committee.

Are terms staggered?

No

Are members subject to reappointment?

No

What is the process for filling vacant positions?

The committee requests a designee from the department if there are changes in best practices, or if members retire or change positions within NMSU.

Member List

| Name | Title | Member Type |
|------|-------|-------------|
| CARLOS LOBATO | IT COMPLIANCE OFFICER/CHIEF PRIVACY OFFICER | Voting Member |

MEETINGS & ADMINISTRATIVE SUPPORT

What university office/function provides administrative support to this board?

CIO

What are the requirements for the number of meetings to be held annually?

Meetings are held twice a month currently until the committee becomes stable and the compliance program is fully implemented and then may meet once a month or quarterly.

Was the requirement for the number of meetings met?

Yes

List of Meeting Dates

Met Tuesdays on a biweekly basis in Hardman Jacobs 220 Conference Room

Major Accomplishments

- Expanded the PCI DSS Compliance Steering Board to include Financial Services Administration, client card-taking representatives, and NMSU Audit
- Charter officially approved by the Chancellor 12/2016
- Rule No. 15.55 PCI DSS rewritten and disseminated to the NMSU community 03/2017
- Created a PCI DSS website to meet the university needs of a single portal for information and procedures for merchants
- Created Standard Operating Procedures (SOPs), which were disseminated to all identified merchants
- Committee formally established and approved as an official University Board 05/2017
- Identified merchants and their business processes, procedures, and methods related to taking credit card payments
- Developed a campus-wide PCI-DSS awareness/notification program
- Refined a PCI DSS website to meet the university needs of a single portal for information and procedures for merchants. https://pcidss.nmsu.edu/
- Established an overall NMSU system PCI DSS Compliance Strategy focusing on encryption throughout the communication channel better known as point-to-point encryption (P2PE). This significantly reduces risk and effort in applying controls to existing IT infrastructure.
  - The P2PE technology has been deployed at:
    - Golf Course
    - Special Events
    - DACC Dental Hygiene Clinic
    - KRWG (Bluefin)
- Hardened UAR’s Cashnet computing through the creation of a separate 4G network, which is PCI DSS compliant provided the operation runs fully year-round under this environment.
- Released new and updated PCI DSS training modules through NMSU Training Central. PCI DSS training is required for anyone who handles, processes, or oversees the handling/processing of credit card information.
  - Module 1 – Overview of PCI DSS
  - Module 2 – Specialized training for credit card takers/processors/cashiers
  - Module 3 – Administrators/Supervisors
- Identified areas needing improvement:
  - Network for Cashnet locations
  - Budgets related to PCI DSS compliance initiatives
  - Complexity – development/training of Internal Security Assessor(s)
  - Standardization – merchant packets, solutions, and forms
  - Loaner program relating to portable event technology
  - Dedicated human resources
  - Process reengineering
  - Training for end-users handling or having exposure to credit card information
  - Compliance is ongoing with yearly verification cycles
  - Regular vulnerability and penetration testing
  - Major merchants: Special Events, Blackboard, Cashnet, Aloha and KRWG

Definitions:
- Cashnet is NMSU's cashiering system for processing tuition payments at UAR
- Blackboard is the point of sale system used by Auxiliary Services
- Aloha is the system used by the restaurant at the Golf Course

