Compliance & Regulatory Information
DATA SECURITY
- Payment Card Industry Data Security Standard (PCI-DSS)
The credit card industry has implemented the Payment Card Industry Data Security Standard (PCI-DSS) to protect its customers, and compliance is required of all merchants and service providers that store, process, or transmit cardholder data. PCI-DSS is designed to safeguard sensitive data for all card brands. The Standard is a collaborative result between Visa, MasterCard, and other card companies, and is designed to create common industry security requirements.
Duke University Authority for PCI-DSS: Senior management for Duke University and Duke University Health System has confirmed Duke's E-Commerce department within Treasury and Cash Management as the central organizational structure to govern and enforce PCI-DSS compliance. Duke University's IT Security Office will be the authoritative source for the technical requirements associated with PCI-DSS. The E-Commerce department will lead all PCI-DSS efforts and will partner with the IT Security Office to determine appropriate technical compliance strategies.
ALL Duke credit card merchants must comply with the PCI-DSS to ensure the security of cardholder data processed by their merchant account. Merchants must preserve the security and confidentiality of card numbers and cardholder information. It is PROHIBITED by Duke for any merchant to store full credit card information (16-digit account numbers (PAN), CV codes, PINs, or full magnetic stripe) on Duke systems and/or servers.
New Compliance Tool & Self-Assessment Process with Trustwave®
Beginning late September 2007, Duke University and Duke University Health System credit card merchants will be required to use Trustwave's TrustKeeper® portal to manage their required compliance with the Payment Card Industry Data Security Standard (PCI-DSS). TrustKeeper is a certified remote assessment and compliance solution designed to help merchants meet the security standards of all credit card companies. TrustKeeper has been certified by Visa CISP/AIS, MasterCard SDP, American Express DSS, Discover DISC, and all other credit card companies. This is a proactive action to secure Duke's credit card environment and facilitate compliance with industry standards. Duke's E-Commerce department will serve as the central organizational structure to govern and enforce PCI-DSS compliance, and will assist merchants with the new Trustwave process. Duke's E-Commerce department has outlined expectations for merchants' PCI-DSS administration roles for Trustwave.
The Self-Assessment Questionnaire process must be completed annually, or you must submit an updated Self-Assessment if your processing methods change during the year. Network Questionnaires are applicable for some merchants and must be completed quarterly. Contact the E-Commerce department if you have questions.
Duke PCI Documentation & Supporting Links: Duke's E-Commerce department and the IT Security Office have developed supporting materials to assist merchants in understanding the requirements for PCI-DSS and how the requirements apply in the Duke environments:
DUKE POLICIES
TAX ISSUES
INTELLECTUAL PROPERTY ISSUES
LEGAL ISSUES
OTHER REGULATORY LINKS
- Duke University Information Security Office: Resource for computer security information.
- UBIT (Unrelated Business Income Tax): An activity is an unrelated business (and subject to tax at corporate rates) if it meets three requirements: it is a trade or business, it is regularly carried on, and it is not substantially related to the furtherance of the exempt purpose of the organization. There are, however, a number of exclusions and modifications to this general rule. See the Internal Revenue Service: Unrelated Business Income Tax - General Rules.
- FERPA (Family Educational Rights and Privacy Act): A Federal law that protects the privacy of student education records.
- HIPAA (Health Insurance Portability and Accountability Act): Purpose is to improve the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.
- GLB (Gramm-Leach-Bliley Act): Includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions. See the Federal Trade Commission.