Michigan State University
Controller's Office
Purpose
MSU is contractually required to ensure that all card processing activity is compliant with the Payment Card Industry Data Security Standard (PCI DSS,
or PCI). PCI compliance applies to all entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), or that could
impact the security of the cardholder data environment (CDE). The CDE includes the people, processes, and technologies involved in payment card processing.
Note that some PCI requirements may also apply to entities that do not themselves store, process, or transmit CHD, for example entities that outsource
payment operations or management. Entities that outsource their payment environments or payment operations to third parties remain responsible for ensuring
that account data is protected by the third party in accordance with the applicable PCI requirements. The scope of card processing activity includes people,
processes, systems, applications, hardware, software, and anything connected to the card processing environment. To the extent a Third-Party Service Provider
(TPSP) meets this definition, the requesting department must comply with this policy.
Scope
Applies to all MSU employees, faculty, staff, students, organizations, service providers, third-party merchants, individuals, processes, applications,
systems, and networks involved with the processing, transmitting, or storing of payment card data, or any other entity or process that could impact the
security thereof.
Financial Accuracy
Proper accounting of revenue and expenses is a critical byproduct of card processing. The Cashier's Office within the Office of the Controller is
responsible for ensuring that entries are posted in a timely and accurate manner. Centrally supported vended solutions (e.g., Transact eMarket, PNC
Merchant Accounts) have an automated or structured process for recording revenue and expense. All other vendors require customized manual posting, which
is prone to error, inefficient, less timely, and not sustainable in the long term without additional resources.
Security & Compliance
The volume and variety of systems and technologies that have a payment card component are continually increasing as departments find more ways to bring
in revenue. Having a formalized process will help minimize MSU's risk of a security incident and ensure that MSU maintains its own PCI compliance and overall
data security by partnering only with PCI compliant service providers, per Requirement 12.8 of the PCI DSS.
Stakeholders
Office of the Controller, MSU IT, Procurement, General Counsel, Departments, Customers.