PCI DSS Roles and Responsibilities:

  • Oregon State Treasury:  Review, establish and modify policies and procedures for the efficient handling of cash and cash equivalents under the control of all Agencies, such as Oregon State University.  Agencies are required to employ the principles, standards, and related requirements for cash management prescribed by Treasury.  Agencies are required to use third party vendors that comply with industry and Oregon State Treasury Requirements.  Evaluate and approve Merchant ID applications.  Evaluate and approve 3rd party vendor applications. 
  • Assistant Vice President and Controller of Business Affairs or designee:  Approve all e-Commerce activities conducted at the University.
  • Chief Information Security Officer (CISO) and the Director of Business Affairs:  Responsible for University debit/credit card security, the distribution of security policies and procedures, monitoring of system access and alerts, and incident response.
  • Office of Information Security:  Assist business units, business unit IT and Business Affairs with understanding and implementing PCI DSS technical security requirements.  Assist Business Affairs with annual PCI DSS SAQ reporting process.  Conduct internal vulnerability scans.  Using PCI DSS-approved scanning vendor, coordinate and schedule external vulnerability scans, internal penetration testing and external penetration testing as required by PCI DSS.  Provide network diagrams as required by PCI DSS.  Provide vulnerability assessment, technology review, risk assessment and compliance assessment services.  Assist Business Affairs in providing reports required for submission to the acquirer or card brand as requested.  Provide incident response and investigation services for security events impacting the cardholder data environment.  
  • Human Resources:  Upon initiation by the business unit, conduct background checks as required by PCI DSS.  Work with the business unit to update and maintain position descriptions as necessary.
  • Business Affairs Procurement, Contracts and Materials Management:  Ensure eCommerce contracts include language requiring vendor PCI DSS compliance.  Ensure eCommerce vendor is compliant with PCI DSS requirements before contract is executed.
  • Business Affairs Projects, Improvements, & Technology:  Manage approvals of all merchant IDs, assist business units with understanding PCI DSS requirements, coordinate annual PCI DSS SAQ reporting process, coordinate services provided by PCI Qualified Security Assessor (QSA), provide access to PCI DSS awareness training, maintain centralized database for OSU merchant IDs.
  • PCI Steering Committee:  Review PCI DSS risk assessment results, create action plans to address issues, monitor performance to action plans, elevate exceptions to the standard for resolution. (Modify the current audit response team into a standing governance group - Draft Charter under construction)
  • Business Center Management:  Acknowledge new merchant requests, support resolution of compliance issues, and provide merchants guidance on compliance with OSU policies.
  • Merchant Manager (within Dept/Business Unit): 
    • Definition of Merchant: Any entity that accepts payment cards bearing the logos of any of the five members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.  Merchants handling OSU funds must obtain an Oregon State Treasury/Elavon issued merchant ID.  PCI DSS compliance is required for all merchants handling OSU funds and all merchants submitting cardholder data over the OSU network.  
    • Has primary authority and responsibility for all payment card transactions conducted under the merchant ID.  A merchant manager must be designated for each merchant ID at the time the merchant ID application is submitted to Business Affairs.  Has both fiscal and data security responsibilities for the proper use of the merchant ID, including:
      • Following eCommerce policies and procedures
      • Adhering to Cash Handling Handbook procedures
      • Following Information Security policies
      • Ensuring merchant-level eCommerce policies and procedures are documented, documentation is current, and documents are provided as evidence to support PCI DSS validation processes. 
      • Providing training for all who handle cardholder data.
      • Maintaining PCI DSS compliance for the merchant.  Responsible and accountable for all aspects of PCI compliance within their environment as well as all other aspects of the management and governance of their cardholder data environment.  This includes year-round compliance efforts as well as signing and submitting the PCI DSS cover page and SAQ during the annual PCI DSS assessment process. 
        • Required to fund external vulnerability scans, internal penetration testing and external penetration testing as required by PCI DSS.  Responsible for costs of breach mitigation and/or fines imposed as a result of a cardholder data breach.  
        • Ensure all PCI DSS technical security requirements are implemented and maintained for the merchants in their business unit.  Provide documentation of technology implementation and evidence of technology compliance as requested by the business unit to support PCI DSS validation processes.  With Merchant Manager, create and implement action plans to address PCI DSS compliance issues.