PCI WISP (Written Information Security Policy)

Overview
In accordance with the Payment Card Industry Data Security Standard (PCI DSS) v3.2 requirements, Middlebury has established this formal PCI Written Information Security Policy (PCI WISP). The PCI WISP applies specifically to payment card applications supported by the dedicated Payment Tech network, computing, and storage infrastructure, as explained in section 3, Scope. This policy is effective immediately, together with all relevant and applicable standards, procedures, and practices.

Purpose
This PCI WISP provides Middlebury with a documented, formalized written information security policy, as called for by Requirement 12.1 of PCI DSS v3.2. It is one element of Middlebury's compliance with the PCI DSS v3.2 requirements. Compliance with this policy and with the separate supporting standards, procedures, and guidelines helps protect the Middlebury PCI system components within the cardholder data environment and any other environments deemed applicable.

Scope
This PCI WISP encompasses all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:

  • Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name resolution or web redirection servers) the CDE.
  • Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
  • Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
  • Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
  • Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
  • Any other component or device located within or connected to the CDE.

Management
Middlebury's Information Technology Services (ITS) department is responsible for the management and annual evaluation of this policy. ITS and/or the Middlebury PCI Compliance Team may modify this policy from time to time, provided that all modifications are consistent with the current PCI DSS. This PCI WISP will be published in the College Handbook, and an annual notification will be sent to staff. Failure to comply with the terms of this policy may result in disciplinary action and could also limit a department's payment card acceptance privileges.