{"id":36,"date":"2026-03-05T15:15:27","date_gmt":"2026-03-05T20:15:27","guid":{"rendered":"https:\/\/www.clarku.edu\/business-and-financial-services\/?page_id=36"},"modified":"2026-03-11T10:51:56","modified_gmt":"2026-03-11T14:51:56","slug":"pci-compliance-policy","status":"publish","type":"page","link":"https:\/\/www.clarku.edu\/business-and-financial-services\/operations-services\/security-and-identification-protection\/pci-compliance-policy\/","title":{"rendered":"PCI Compliance Policy"},"content":{"rendered":"\n<div class=\"wp-block-columns sidebar is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:45rem\">\n<h2 class=\"wp-block-heading\" id=\"h-clark-university-s-pci-compliance-policy\">Clark University\u2019s PCI Compliance Policy<\/h2>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Who should read this policy<\/summary>\n<p>All persons who have access to credit card information, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Every employee who accesses, handles, or maintains credit card information. Clark University employees include full-time, part-time, and hourly staff members, as well as student workers who access, handle, or maintain records.<\/li>\n\n\n\n<li>Employees who contract with service providers (third-party vendors) who process credit card payments on behalf of Clark.<\/li>\n\n\n\n<li>Employees who manage events and require payment processing capabilities (e.g.
Paypal).<\/li>\n\n\n\n<li>IT staff responsible for scanning the University systems to ensure that no credit card numbers are stored electronically.<\/li>\n<\/ul>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Name: PCI DSS<\/summary>\n<p><strong>PCI DSS<\/strong>&nbsp;stands for Payment Card Industry Data Security Standard,&nbsp;and is a worldwide security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC).<\/p>\n\n\n\n<p>PCI DSS includes technical and operational requirements for&nbsp;<strong>security management, policies, procedures, network architecture, software design, and other critical protective measures<\/strong>&nbsp;to prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standards apply to all organizations that store, process or transmit cardholder data.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Purpose<\/summary>\n<p>The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council (PCI SSC). The PCI SSC is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Reason for the policy<\/summary>\n<p>The standards are designed to protect cardholder information of students, parents, donors, alumni, customers, and any individual or entity that utilizes a credit card to transact business with the University.
This policy is intended to be used in conjunction with the complete PCI-DSS requirements as established and revised by the PCI Security Standards Council.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Entities affected by this policy<\/summary>\n<p><strong>Tier 1 entities<\/strong>: All departments that collect, maintain or have access to credit card information. These currently include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Student Accounts\/University Cashier \u2013 accept and process credit cards for payment of student accounts<\/li>\n\n\n\n<li>School of Professional Studies\/ALCI \u2013 accept credit cards for payment of student accounts<\/li>\n\n\n\n<li>Advancement \u2013 accept and process credit cards for donations and alumni events<\/li>\n\n\n\n<li>IDRISI \u2013 accept and process credit cards for purchase of products<\/li>\n\n\n\n<li>HECCMA \u2013 accept and process credit cards for payment of Teaching Certificate Program<\/li>\n<\/ul>\n\n\n\n<p><strong>Tier 2 entities:&nbsp;<\/strong>All departments managing or sponsoring events that use Paypal or other online payment services approved by the Controller to collect payments through an access point that has been deemed PCI compliant by the University, even though these entities do not have access to credit card information.<\/p>\n\n\n\n<p>Including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All departments hosting\/sponsoring student activities\/programs with payments through Paypal or other online payment service approved by the Controller (Student Leadership &amp; Programming (SL&amp;P), Graduate School of Management (GSOM), IDCE, etc.)<\/li>\n\n\n\n<li>All academic departments hosting\/sponsoring academic conferences\/programs with payments through Paypal or other online payment service approved by the Controller.<\/li>\n<\/ul>\n\n\n\n<p><strong>Tier 3 entities:&nbsp;<\/strong>All departments who have relationships with
third-party vendors that serve as access points through which Paypal, or any other payment services approved by the Controller, are reached. These departments must confirm PCI compliance on the part of the vendor. Clark\u2019s merchant accounts are not used.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Athletics \u2013 uses IM Leagues for intramural registration<\/li>\n<\/ul>\n<\/details>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-definitions\" style=\"padding-top:var(--wp--preset--spacing--20)\">Definitions<\/h2>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Merchant account<\/summary>\n<p>A relationship set up by the Controller\u2019s Office between the University and a bank in order to accept credit card transactions. The merchant account is tied to a general ledger account to distribute funds appropriately to the department (owner) for which the account was set up.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Financial data manager (FDM)<\/summary>\n<p>The Controller of the University, who has oversight responsibility for this policy. The Financial Data Manager will also communicate changes to the CIO in order to facilitate enforcement of the policy.
The FDM will approve appointment of the Compliance Coordinator and the PCI Department Coordinators.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>PCI compliance coordinator<\/summary>\n<p>The Staff Accountant for Tax and Compliance, who, under the direction of the FDM, will be responsible for staying abreast of changes to PCI DSS requirements, suggesting updates to the policy, coordinating training of Tier 1, 2, and 3 entities and serving as point of contact for PCI department coordinators with regard to assessment surveys or other PCI issues.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>PCI department coordinators<\/summary>\n<p>Representatives within Tier 1 departments who are responsible for ensuring that their department has policies and procedures in place to comply with PCI and data security requirements. They will ensure that all departmental personnel with access to credit card data receive appropriate training, read this policy, and sign off on having read this policy. The PCI department coordinator will also be responsible for completing the annual department survey or assessment as required. 
Appointments of PCI Department Coordinators must be approved by the FDM.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Credit card data<\/summary>\n<p>Full magnetic stripe or the PAN (Primary Account Number) plus any of the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cardholder name<\/li>\n\n\n\n<li>Expiration date<\/li>\n\n\n\n<li>Service Code<\/li>\n<\/ul>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>PCI-DSS<\/summary>\n<p>Payment Card Industry Data Security Standard<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>PCI security standards council<\/summary>\n<p>The security standards council defines credentials and qualifications for assessors and vendors as well as maintaining the PCI-DSS.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Self-Assessment<\/summary>\n<p>The PCI Self-Assessment Questionnaire (SAQ) is a validation tool that is primarily used by merchants to demonstrate compliance to the PCI DSS.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>PAN<\/summary>\n<p>Primary Account Number is the payment card number (credit or debit) that identifies the issuer and the particular cardholder account. It is also called Account Number.<\/p>\n\n\n\n<p>Level of Compliance: Credit card companies and financial institutions validate that vendors (Clark) are rated based on their volume of transactions. The rating that a company receives determines the process that they must go through in order to be validated. There are four levels of PCI Compliance, with level 1 being the most stringent and level 4 being the least stringent. 
If a merchant suffers an attack that has caused account data to be compromised, the merchant level requirement goes up to level 1 automatically. Based on the number of credit card transactions processed annually across the campus (fewer than 20K per year), and the fact that the University has not experienced a breach, Clark would be classified as&nbsp;<strong>Level 4<\/strong>. Clark has engaged Security Metrics, a PCI consultant, to assist the university with technical requirements and the completion of our annual self-assessment questionnaire (SAQ).<\/p>\n\n\n\n<p>PCI DSS Version 3.0 Requirements: University policy prohibits the storing of any credit card information in an electronic format on any computer, server or database (this includes Excel spreadsheets). It further prohibits the emailing of credit card information. The following list communicates the full scope of the compliance requirements, but based on the University policy that prohibits storing of credit card information electronically and Clark\u2019s practice of utilizing third-party vendors for web-based credit card processing, some listed requirements may not be relevant.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th class=\"has-text-align-left\" data-align=\"left\">Goals<\/th><th class=\"has-text-align-left\" data-align=\"left\">PCI DSS Requirements<\/th><\/tr><\/thead><tbody><tr><td>Build and Maintain a Secure Network and Systems<\/td><td>Install and maintain a firewall configuration to protect cardholder data<br>Do not use vendor-supplied defaults for system passwords and other security parameters<\/td><\/tr><tr><td>Protect Cardholder Data<\/td><td>Protect stored cardholder data<br>Encrypt transmission of cardholder data across open, public networks<\/td><\/tr><tr><td>Maintain a Vulnerability Management Program<\/td><td>Protect all systems against malware and regularly update anti-virus software or programs<br>Develop and maintain secure systems and
applications<\/td><\/tr><tr><td>Implement Strong Access Control Measures<\/td><td>Restrict access to cardholder data by business need to know<br>Identify and authenticate access to system components<br>Restrict physical access to cardholder data<\/td><\/tr><tr><td>Regularly Monitor and Test Networks<\/td><td>Track and monitor all access to network resources and cardholder data<br>Regularly test security systems and processes<\/td><\/tr><tr><td>Maintain an Information Security Policy<\/td><td>Maintain a policy that addresses information security for all personnel<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/details>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-procedures\" style=\"padding-top:var(--wp--preset--spacing--20)\">Procedures<\/h2>\n\n\n\n<p>Clark requires compliance with PCI standards. To achieve compliance, the following requirements must be met:<\/p>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>General Requirements (applies to tier 1, 2, and 3 entities)<\/summary>\n<ul class=\"wp-block-list\">\n<li>Credit card merchant accounts must be approved by the Financial Data Manager<\/li>\n\n\n\n<li>Management and employees must be familiar with and adhere to the&nbsp;<a href=\"https:\/\/www.pcisecuritystandards.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">PCI-DSS requirements<\/a>&nbsp;of the PCI Security Standards Council.<\/li>\n\n\n\n<li>All employees in Tiers 1, 2, and 3 must sign a statement that they have read, understood, and agree to adhere to Information Security policies of Clark University and this policy.<\/li>\n\n\n\n<li>Any proposal for a new process (electronic or paper) related to the storage, transmission or processing of credit card data must be brought to the attention of and be approved by the Financial Data Manager.<\/li>\n\n\n\n<li>A list of card readers and card processing terminals must be maintained and updated as needed.<\/li>\n<\/ul>\n<\/details>\n\n\n\n<details
class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Tier 1 Requirements (in addition to the general requirements above)<\/summary>\n<ul class=\"wp-block-list\">\n<li>Management in departments accepting\/processing credit cards must conduct an annual self-assessment against the requirements and submit results to the Compliance Coordinator.<\/li>\n\n\n\n<li>The PCI Department Coordinator must create or confirm the existence of appropriate policies and procedures for credit card processes, storage, and destruction of card data.<\/li>\n\n\n\n<li>Job descriptions for employees with access to credit card data must be reflective of this access and must include data security requirements associated with access.<\/li>\n\n\n\n<li>New employees must undergo PCI training upon hiring.<\/li>\n\n\n\n<li>Existing employees must undergo PCI training annually.<\/li>\n\n\n\n<li>Access to the cardholder data environment must be restricted to only those employees with a need to access and physical controls must be in place to protect the cardholder data environment.<\/li>\n\n\n\n<li>Terminals\/readers must be routinely examined for evidence of tampering and any evidence brought to the attention of the Compliance Coordinator.<\/li>\n<\/ul>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Tier 2 Requirements (in addition to the general requirements above)<\/summary>\n<ul class=\"wp-block-list\">\n<li>Management in Tier 2 departments using Paypal or other Controller-approved online payment services for event payments must ensure that all personnel within their department understand that&nbsp;<strong>Clark&nbsp;<\/strong><strong>prohibits anyone from accepting credit card information or processing credit card payments on behalf of the \u201ccustomer.\u201d<\/strong><\/li>\n\n\n\n<li>Employees managing\/sponsoring events for which Paypal or other Controller-approved online payment services are used 
must confirm knowledge of and adherence to the above policy when requesting Paypal or other approved online payment service access\/mailbox from the Financial Data Manager.<\/li>\n<\/ul>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Tier 3 Requirements (in addition to general requirements above)<\/summary>\n<ul class=\"wp-block-list\">\n<li>Management in Tier 3 departments must confirm that the third party vendors through whom they are accessing Paypal or other Controller approved online payment services are PCI compliant.<\/li>\n<\/ul>\n<\/details>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-storage-and-disposal\" style=\"padding-top:var(--wp--preset--spacing--20)\">Storage and disposal<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Credit card information must not be entered\/stored on any electronic device. This includes University network servers, workstations, laptops, tablets, and cell phones, unless it is explicitly approved for use as part of the cardholder data environment.<\/li>\n\n\n\n<li>Credit card information must not be transmitted via email<\/li>\n\n\n\n<li>Web payments must be processed using a PCI-compliant service provider approved by the Financial Data Manager on only computers designated by ITS as belonging to the secure cardholder data environment. 
Credit card numbers must NOT be entered into a web page of a server hosted on the Clark network.<\/li>\n\n\n\n<li>Although electronic storage of credit card data is prohibited by this policy, the University will perform a quarterly network scan against the cardholder data environment to ensure that the policy has not been violated.<\/li>\n\n\n\n<li>Any paper documents containing credit card information should be limited to the information required to transact business, should be accessible only to those individuals who have a business need for access, should be kept in a secure location, and must be destroyed via cross-cut shredding or placement in a secure shred bin once business needs no longer require retention.<\/li>\n\n\n\n<li>All credit card processing machines must be programmed to print out only the last four or first six characters of a credit card number.<\/li>\n\n\n\n<li>Sensitive cardholder data must be destroyed when no longer needed for reconciliation, business or legal purposes. In no instance shall retention exceed 45 days, and it should be limited whenever possible to only 3 business days.
Secured destruction must be via cross-cut shredding in house or with a third-party provider with certificate of disposal.<\/li>\n\n\n\n<li>Neither the full contents of any track of the magnetic stripe nor the three-digit card validation code may be stored in a database, log file, electronic document, or point of sale product.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-third-party-vendors-processors-software-providers-payment-gateways-or-other-service-providers\" style=\"padding-top:var(--wp--preset--spacing--20)\">Third-Party vendors (processors, software providers, payment gateways, or other service providers)<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Financial Data Manager must approve each merchant bank or processing contract of any third-party vendor that is engaged in, or proposes to engage in, the processing or storage of transaction data on behalf of Clark \u2014 regardless of the manner or duration of such activities.<\/li>\n\n\n\n<li>The Financial Data Manager must ensure that all third-party vendors adhere to all rules and regulations governing cardholder information security.<\/li>\n\n\n\n<li>The Financial Data Manager must contractually require that all third parties involved in credit card transactions meet all PCI security standards, and that they provide proof of compliance and efforts at maintaining ongoing compliance.<\/li>\n\n\n\n<li>Information must be maintained about which PCI-DSS requirements are managed by each third party provider and which are managed by Clark.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-additional-requirements\">Additional requirements:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.pcisecuritystandards.org\/document_library\/\" target=\"_blank\" rel=\"noreferrer noopener\">Complete an annual self-assessment<\/a>&nbsp;\u2014 both at the Tier 1 entity and University level<\/li>\n\n\n\n<li>Perform a quarterly network scan<\/li>\n<\/ul>\n\n\n\n<p>Without 
adherence to the PCI-DSS standards, the University would be in a position of unnecessary reputational risk and financial liability. Merchant account holders who fail to comply are subject to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Any fines imposed by the payment card industry<\/li>\n\n\n\n<li>Any additional monetary costs associated with remediation, assessment, forensic analysis or legal fees<\/li>\n\n\n\n<li>Suspension of the merchant account<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-self-assessment\">Self-Assessment<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The PCI Compliance Coordinator will notify each Tier 1 entity ahead of the timeline to complete and submit the&nbsp;<a href=\"https:\/\/www.pcisecuritystandards.org\/document_library\/\" target=\"_blank\" rel=\"noreferrer noopener\">annual departmental assessment<\/a>. This assessment is the responsibility of the PCI Department Coordinator.<\/li>\n\n\n\n<li>The PCI-DSS Self-Assessment Questionnaire must be completed at the University level by the merchant account owner annually and anytime a credit card related system or process changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-training\">Training<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Annual employee training programs must be offered to train employees on PCI DSS and the importance of compliance. This will be made available by the Financial Data Manager and coordinated by the PCI Compliance Coordinator. 
PCI Department Coordinators must ensure that employees with access to card data within their departments take part in annual PCI training and that all new employees within these departments take part in PCI training upon hiring.<\/li>\n<\/ul>\n\n\n\n<p id=\"h-\"><strong>Responsible Organization\/Party:<\/strong>&nbsp;The Controller shall serve as the Financial Data Manager of the policy which includes responsibility for notifying the Information Security Officer, applicable Department Heads and Data Managers about changes to the policy. S\/he will be assisted by the CIO, the Staff Accountant for Tax and Compliance and University Officers as needed.<\/p>\n\n\n\n<p id=\"h-\"><strong>Enforcement:<\/strong>&nbsp;The Information Security Officer will oversee enforcement of the policy. Additionally this individual will investigate any reported violations of this policy, lead investigations about credit card security breaches and may terminate access to protected information of any users who fail to comply with the policy. 
S\/he will be assisted by the CIO, Controller, and the Staff Accountant for Tax and Compliance, as well as other University officers as needed.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n\n\n\n<div
class=\"wp-block-group has-white-color has-blue-background-color has-text-color has-background has-link-color wp-elements-13ce30334ce7db7af89d0a4a9776b58f is-layout-constrained wp-container-core-group-is-layout-c385debf wp-block-group-is-layout-constrained\" style=\"padding-top:var(--wp--preset--spacing--20);padding-right:var(--wp--preset--spacing--20);padding-bottom:var(--wp--preset--spacing--20);padding-left:var(--wp--preset--spacing--20)\">\n<h3 class=\"wp-block-heading\" id=\"h-additional-resource-for-pci-dss\">Additional resource for PCI DSS<\/h3>\n\n\n\n<p class=\"arrow\"><a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI_DSS_v3.pdf\" type=\"link\" id=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI_DSS_v3.pdf\"><strong>Requirements and security assessment procedures<\/strong><\/a><\/p>\n\n\n\n<p class=\"arrow\"><a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCIDSS_QRGv3.pdf\" type=\"link\" id=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCIDSS_QRGv3.pdf\"><strong>Quick reference guide version 3.0<\/strong><\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group section is-layout-constrained wp-block-group-is-layout-constrained\">\n<div class=\"wp-block-columns contact-area is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:42%\">\n<div class=\"wp-block-cover has-custom-content-position is-position-bottom-left\" style=\"padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\"><div class=\"wp-block-cover__inner-container is-layout-constrained wp-container-core-cover-is-layout-639b5052 wp-block-cover-is-layout-constrained\"><div style=\"color:var(--clarku-color-white)\" class=\"eyebrow  has-text-align-left\">Contact information<\/div>\n\n\n\n<h2 class=\"wp-block-heading has-white-color has-text-color has-link-color has-small-font-size wp-elements-d3ccb48e0aea22c3612183e894ec0ad7\" id=\"h-business-and-financial-services\">Business and Financial Services<\/h2>\n<\/div><\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div class=\"wp-block-group contact-text has-light-warm-gray-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<p><strong>Office location<\/strong><\/p>\n\n\n\n<p class=\"icon map has-small-font-size\">Geography Building<br>950 Main Street<br>Worcester, MA 01610<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Clark University\u2019s PCI Compliance Policy Definitions Procedures Clark requires compliance with PCI standards.
To achieve compliance, the following requirements must be met: Storage and disposal Third-Party vendors (processors, software providers, payment gateways, or other service providers) Additional requirements: Without adherence to the PCI-DSS standards, the University would be in a position of unnecessary reputational risk [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":0,"parent":28,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-36","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.clarku.edu\/business-and-financial-services\/wp-json\/wp\/v2\/pages\/36","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.clarku.edu\/business-and-financial-services\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.clarku.edu\/business-and-financial-services\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.clarku.edu\/business-and-financial-services\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.clarku.edu\/business-and-financial-services\/wp-json\/wp\/v2\/comments?post=36"}],"version-history":[{"count":4,"href":"https:\/\/www.clarku.edu\/business-and-financial-services\/wp-json\/wp\/v2\/pages\/36\/revisions"}],"predecessor-version":[{"id":419,"href":"https:\/\/www.clarku.edu\/business-and-financial-services\/wp-json\/wp\/v2\/pages\/36\/revisions\/419"}],"up":[{"embeddable":true,"href":"https:\/\/www.clarku.edu\/business-and-financial-services\/wp-json\/wp\/v2\/pages\/28"}],"wp:attachment":[{"href":"https:\/\/www.clarku.edu\/business-and-financial-services\/wp-json\/wp\/v2\/media?parent=36"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}