E-Commerce

Internal Security and Responsibility Matrix

Last modified 4/14/2020

The Internal Security and Responsibility Matrix (a RACI chart) documents the compliance responsibilities of campus departments as they relate to overall PCI compliance. Each task lists the party that is Responsible for doing the work, the party Accountable for it, and any parties Consulted; an empty Consulted cell means no consulting party is assigned.

| Category | Task | Responsible | Accountable | Consulted |
|---|---|---|---|---|
| Compliance | File SAQs, obtain AOCs | ISO, Comptrollers | E-Commerce Committee | |
| Compliance | Plan, lead, and manage AT compliance improvement and maintenance projects | ISO | E-Commerce Committee | Comptrollers |
| Compliance | Risk assessment | ISO | ISO | AT, Foundation/Alumni, Merchants |
| Compliance | Compliance validation and testing | ISO | ISO | Comptrollers |
| Compliance | Policies, procedures, and acceptable use | E-Commerce Committee, University Leadership | E-Commerce Committee, University Leadership | Comptrollers, ISO |
| Compliance | Documentation management | E-Commerce Committee, ISO, AT, Foundation/Alumni, Comptrollers | E-Commerce Committee, ISO, AT, Foundation/Alumni, Comptrollers | |
| Compliance | Cardholder data flow diagrams - Terminals | AT Endpoint | AT Endpoint | ISO |
| Compliance | Application cardholder data flow diagrams - Pay | AT Web | AT Web | ISO |
| Compliance | Application cardholder data flow diagrams - Agilon | AT App Admins | AT App Admins | ISO |
| Compliance | Onboarding and offboarding management | AT Endpoint | AT Endpoint | ISO |
| Compliance | Pre-hire personnel screening | HR | VPFP | ISO |
| Training | Annual end user training - Terminal and virtual terminal | AT Endpoint | E-Commerce Committee | Comptrollers, ISO |
| Training | Annual end user training - Technical staff | AT Endpoint | E-Commerce Committee | ISO |
| Training | Annual end user training - ePay website | AT Endpoint | E-Commerce Committee | Comptrollers, ISO |
| Training | Annual end user training - Touchnet | AT Endpoint | E-Commerce Committee | Comptrollers |
| Training | Annual end user training - General PCI compliance training | AT Endpoint | E-Commerce Committee | Comptrollers, ISO |
| Cardholder Data Environment | Maintain master inventory log of all terminals, virtual terminals, REDs, and printers | AT Endpoint | AT Endpoint | |
| Cardholder Data Environment | Provide support for cardholder data environment devices, including terminals, virtual terminals, REDs, and printers | AT Endpoint, ISO | AT Endpoint | Comptrollers |
| Cardholder Data Environment | Inspection of devices for tampering, skimmers, and device damage | AT Endpoint, Merchants | AT Endpoint, Merchants | ISO |
| Cardholder Data Environment | Physical security of terminals, virtual terminals, REDs, and printers | AT Endpoint, Merchants | E-Commerce Committee, Merchants | ISO |
| Cardholder Data Environment | Virtual terminal Active Directory account management | AT Endpoint | AT Endpoint | AT CCA, ISO |
| Cardholder Data Environment | Client anti-virus management | AT Endpoint | AT Endpoint | ISO |
| Cardholder Data Environment | Secure lifecycle management of written cardholder data media | Merchants | E-Commerce Committee, Merchants | Comptrollers, ISO |
| Connected-To/Security-Impacting Environment | Touchnet uStore and uPay management | Comptrollers, AT App Admins | Comptrollers, AT App Admins | |
| Connected-To/Security-Impacting Environment | Application support - Pay | AT Web | AT Web | AT CCA, ISO |
| Connected-To/Security-Impacting Environment | Application support - Agilon, Agresso | AT App Admins, Foundation/Alumni | AT App Admins, Foundation/Alumni | AT CCA, ISO |
| Connected-To/Security-Impacting Environment | Application support - Tripwire, InsightVM | ISO | ISO | AT CCA |
| Connected-To/Security-Impacting Environment | Amazon Web Services IAM management | AT CCA | AT CCA | ISO |
| Connected-To/Security-Impacting Environment | Amazon Web Services WorkSpaces management | AT CCA | AT CCA | ISO |
| Connected-To/Security-Impacting Environment | Active Directory management | AT CCA | AT CCA | AT Endpoint, ISO |
| Connected-To/Security-Impacting Environment | Server operating system management | AT CCA | AT CCA | ISO |
| Connected-To/Security-Impacting Environment | Database administration | AT DBA | AT DBA | AT CCA, ISO |
| Connected-To/Security-Impacting Environment | Server anti-virus management | AT CCA | AT CCA | ISO |
| Security | Network design and documentation | AT Networking, ISO | AT Networking | |
| Security | Firewall and AWS Security Group management and review | AT CCA, ISO | AT CCA | |
| Security | Internal and external penetration testing | ISO | ISO | AT, Foundation/Alumni |
| Security | Internal vulnerability scans | ISO | ISO | AT, Foundation/Alumni |
| Security | Manage and monitor Trustwave external vulnerability scans | ISO | Comptrollers | AT CCA, AT App Admins |
| Security | Log management and review | ISO | ISO | AT CCA, AT App Admins, AT DBA, AT Web, AT Endpoint, Foundation/Alumni |
| Security | Security alert monitoring and incident response | ISO | ISO | AT CCA, AT App Admins, AT DBA, AT Web, AT Endpoint, Foundation/Alumni |
| Security | Sophos UTM management | AT Endpoint, AT Networking, ISO | ISO | |
| Vendor Management | Manage contracts - Touchnet, JetPay, Heartland, Trustwave | Comptrollers, Purchasing | Comptrollers, Purchasing | E-Commerce Committee |
| Vendor Management | Manage contracts - Sophos, Tripwire, InsightVM | ISO, Purchasing | ISO, Purchasing | E-Commerce Committee |
| Vendor Management | Manage contracts - Agilon, Agresso | Foundation/Alumni, Purchasing | Foundation/Alumni, Purchasing | E-Commerce Committee |
| Vendor Management | Manage contracts - Amazon Web Services | AT BAC, Purchasing | AT BAC, Purchasing | E-Commerce Committee |
| Vendor Management | Manage contracts - Paciolan | Athletics, Purchasing | Athletics, Purchasing | E-Commerce Committee |
| Vendor Management | Approval for methods of taking digital payments | E-Commerce Committee, Comptrollers, ISO | E-Commerce Committee | |
| Vendor Management | Approval for contracts related to E-Commerce | E-Commerce Committee, Comptrollers, ISO | E-Commerce Committee | Purchasing |
| Vendor Management | Review and recommend language in University contracts | Purchasing, ISO | Purchasing | Comptrollers |
| Vendor Management | Maintain list and manage annual compliance certification of third-party vendors | ISO | ISO | E-Commerce Committee, Comptrollers, Purchasing |
| Accounting and Business Processes | Annual business process updates by department | Comptrollers | Comptrollers | |
| Accounting and Business Processes | Accounting and reconciliation of credit card revenue and fees | Comptrollers | Comptrollers | |