PCI Program Overview

Compliance with the Payment Card Industry Data Security Standard (PCI-DSS)

The payment card industry has established a standard for the secure handling, processing and transmission of cardholder data, commonly referred to as PCI-DSS. Georgetown University is committed to handling confidential cardholder data in accordance with PCI-DSS, and therefore requires any department that accepts credit cards as a form of payment to operate in compliance with both PCI-DSS and the University's information security policy.

Anyone in a department who handles credit cards must be authorized by the department's administrative manager and must complete the University's PCI compliance training course each year. Authorized individuals should review the University's procedures and the PCI DSS Card Processor Handbook to understand how to securely accept, process, handle and store confidential cardholder data in accordance with PCI-DSS requirements.

PCI compliance is managed centrally by the Office of the Chief Financial Officer through the PCI-DSS Annual Activities described below. Service Center Coordinators oversee and manage PCI compliance at the department level and are directly responsible for the day-to-day operation of payment acceptance programs within their respective departments. A directory of Service Center Coordinators can be found on our Contacts page under Collaborative Partners.

PCI-DSS Activities

Georgetown University participates in an annual PCI guided assessment administered by an external security consultant. This review is conducted in the first quarter (Q1) of each calendar year. The Service Center Coordinator is responsible for ensuring that all information relating to departmental payment programs is current, accurate, and housed in the appropriate Box folder.

Documentation for Review

  • Annual Audit Workbook
  • Service Center Overview
  • Process Flow Charts

Physical Processes for Review

  • PCI Data Storage
  • Device Storage
  • Network Connection

During the third quarter (Q3) of each calendar year, Revenue and Receivables conducts an internal risk assessment with each service center. The Annual Internal Risk Assessment verifies that the policies, procedures, and internal controls Georgetown University has put in place for the Payment Card Industry Data Security Standard (PCI DSS) are carried out as described in the PCI DSS Service Center Handbook and the PCI DSS Card Processor Handbook. It is also intended to identify process failures and potential risks so that the University can act to mitigate them and identify opportunities to enhance the program.

Documentation for Review

  • Annual Audit Workbook
  • Service Center Overview
  • Process Flow Charts

Physical Processes for Review

  • PCI Data Storage
  • Device Storage
  • Network Connection