In response to increasing international, federal, and state regulations, as well as contractual agreements defining data security, the Compliance team engages elements of Information Technology Services and the Office of the Corporate Controller to assess each unit's ability to meet the control requirements that University policy, contractual agreements, or legislation impose on protected data. The Compliance team also facilitates validation of controls by an external authority when required.

The Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) applies to the areas of Penn State where credit cards are accepted for payment. The DSS is an external business agreement for protecting credit card data; it is composed of 12 base requirements.

To help units fulfill these requirements, the compliance team will:

  • Assist units in educating credit card merchant staff and raising awareness of security practices.
  • Perform annual assessments and penetration tests of merchant environments.
  • Perform quarterly vulnerability assessments internally and oversee external vulnerability assessment.
  • Assist units with annual compliance validation documentation.
  • Assist with implementation of new or changing payment services.
  • Lead credit card data breach incident response.

University Policy AD19

University Policy AD19, Use of Penn State Identification Number and Social Security Number, is the key policy describing the use and protection of the PSU ID and SSN. The compliance team works with the Privacy Office to:

  • Educate the University community on protecting sensitive data.
  • Assist with local policy development and application.
  • Review network segmentation, secure storage capability, policies, and practices as part of AD19 Authorizations.
  • Regularly scan authorized networks for vulnerabilities and proper storage.

Collaborating with the Office of the Corporate Controller

The compliance team collaborates with the Office of the Corporate Controller to oversee Penn State's electronic payment systems and provide technical review of new or changing services.

Compliance Resources