James Madison University, in an effort to protect cardholder data, is committed to maintaining compliance with the Payment Card Industry Data Security Standards and takes this responsibility very seriously. All departments currently accepting payment cards are required to actively work with the University Business Office to ensure compliance at all times with the Payment Card Industry Data Security Standards (PCI DSS). The security of our customers' cardholder data is of the utmost importance to James Madison University.

Departments throughout the University currently accept credit card payments for a wide variety of goods and services with a diverse range of acceptance methods. University departments that process, transmit, and interact with payment card data as a form of payment are subject to all applicable university policies as well as the entirety of the data security standards as laid out by the Security Standards Council.

All payment card activity is governed by financial procedure 4125.

Required Documentation for Compliance
Third Party Vendors

All third-party vendors who have any connection to the processing, storing, or transmitting of cardholder data are required by the PCI DSS to be compliant at all times. On a quarterly basis, the University Business Office will verify PCI compliance.

Security Awareness Program

New Employee

All employees (full-time, wage, student, volunteer) designated as responsible for, or given access to, payment card information are required to complete PCI DSS Security Awareness Training in person through the University Business Office. To schedule training, contact Wesley Howdyshell at howdysjw@jmu.edu.

Annual Renewal Certification

Current employees who have completed their initial PCI Security Awareness training are required to recertify once every twelve months. Renewal sessions are offered every year in October.

PCI Manual

Payment Card Industry Data Security Standards (PCI DSS)

The Payment Card Industry Security Standards Council (PCI SSC) developed a comprehensive set of regulations that comprise both financial and information technology standards in an effort to protect cardholder data. The PCI DSS are mandatory for any organization that accepts, processes, stores, or transmits cardholder data. The standards help JMU and other organizations outline the requirements for security management, day-to-day credit card processing, network security and much more.

High-Level Requirements of the Payment Card Industry Data Security Standards



Build and Maintain a Secure Network

1.  Install and maintain a firewall configuration to protect cardholder data
2.  Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3.  Protect stored cardholder data
4.  Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5.  Use and regularly update anti-virus software and programs
6.  Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7.  Restrict access to cardholder data by business need to know
8.  Assign a unique ID to each person with computer access
9.  Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel
