Supporting Stanford Merchants: PCI DSS 2016 Update
Stanford does a substantial amount of business involving credit and debit card transactions. There are 180 departments/business units at the university operating as “merchants,” and each is required to comply with the Payment Card Industry Data Security Standard (PCI DSS).
University IT (UIT) supports these units by ensuring that their transaction systems are compliant. The PCI team wrapped up 2015 by successfully completing the annual PCI DSS validation, ensuring that all Stanford merchant hardware, software, and infrastructure meet the PCI DSS version 3.1 Standard.
The turn of the calendar to 2016 begins the year-round validation process anew, with a couple of critical pieces to focus on.
Strong cryptography: SSL and TLS
Last April, the PCI Security Standards Council (PCI SSC) pronounced Secure Sockets Layer (SSL) and Transport Layer Security (TLS) 1.0 no longer valid as a method of strong cryptography for merchant systems. New system implementations may no longer use these protocols as a security control; older systems must be brought into compliance by June of 2018 (an extension from the original deadline of June 2016).
It is critically important that all merchant systems and providers upgrade to a secure alternative with TLS 1.1 or higher as soon as possible, and disable any fallback to both SSL and early TLS.
Fortunately, all Stanford merchant systems developed and set up by UIT already meet this requirement — all use TLS 1.1 or higher. The critical piece to pursue in the coming year is compliance on the part of third-party vendors who provide products and/or services to enable Stanford merchants to perform payment card processing.
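The check below is an added example, not UIT's tooling or code from the article: it probes a server you operate for the deprecated versions (SSLv3 and TLS 1.0) and builds a server-side context with no fallback to them. It assumes Python's standard ssl module on OpenSSL 1.1.0 or later; the hostname is supplied by the caller.

```python
import socket
import ssl

# Versions the PCI SSC no longer counts as strong cryptography: SSL and
# "early TLS" (TLS 1.0). TLS 1.2 satisfies the article's "TLS 1.1 or higher"
# without relying on a floor that the ssl module itself now deprecates.
LEGACY_VERSIONS = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1.0": ssl.TLSVersion.TLSv1}
MINIMUM_ALLOWED = ssl.TLSVersion.TLSv1_2


def _probe_context(version):
    """Client context pinned to exactly one legacy version.
    Certificate checks are off because the only question is whether the
    server negotiates the version; modern OpenSSL refuses legacy protocols
    at its default security level, so the cipher string drops to SECLEVEL=0.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_legacy_tls(host, port=443, timeout=5.0):
    """Return {version_name: accepted} for each legacy version on a host you run."""
    accepted = {}
    for name, version in LEGACY_VERSIONS.items():
        try:
            ctx = _probe_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    accepted[name] = tls.version() is not None
        except (ValueError, OSError):   # ssl.SSLError is an OSError
            # Local OpenSSL cannot offer the version, or the server refused
            # the handshake: either way the legacy version was not negotiated.
            accepted[name] = False
    return accepted


def is_compliant(results):
    """True only if every legacy version was refused."""
    return not any(results.values())


def compliant_server_context():
    """Server context with no fallback to SSL or early TLS; load a cert chain before use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MINIMUM_ALLOWED
    return ctx
```

Call `is_compliant(probe_legacy_tls("your-merchant-host"))` against your own endpoint; because a connection failure also counts as "refused", confirm first that the host answers a normal TLS 1.2 connection so a timeout is not mistaken for compliance.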
Written service provider acknowledgment
Another compliance focus for 2016 also involves third-party service providers.
PCI DSS requires service providers to acknowledge to customers in writing that they are responsible for the security of cardholder data that the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Pursuant to this requirement, all Stanford merchants must contract only with compliant service providers who can provide proof of compliance. Those who have questions about the PCI DSS and working with compliant service providers are encouraged to contact Corrina Petriceks in UIT Compliance Services for assistance.