
PCI 2.0: Seek and Ye Shall (Probably) Find

By Archive User posted 02-04-2011 07:53 AM


Complying with Payment Card Industry (PCI) rules and regulations is certainly not a "one and done" effort. There is always more to do. A case in point is the new PCI Data Security Standard 2.0. It has added another requirement for you to deal with.

PCI 2.0 states, "The first step of a PCI DSS assessment is to accurately determine the scope of the review." As in the past, you start with a roster of all campus merchants. Then you define each merchant's payment procedures, systems, and devices. The result is the scope of your PCI assessments. PCI 2.0 calls this your Cardholder Data Environment, or CDE. It's where you ensure cardholder data is properly protected and secured.

Now, however, PCI 2.0 adds a new, somewhat counterintuitive requirement to your to-do list. You must demonstrate that areas outside of your CDE do not contain cardholder data. In other words, you will need to prove a negative. To do this, it will be necessary to search all campus computers and servers for sensitive payment card data. That's a big job. PCI 2.0 does not stipulate use of an automated scanning tool, but the sheer magnitude of this search dictates a need for one.
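A minimal, defender-side version of the automated discovery scan the post calls for, added here as an example and not taken from the original post: it flags Luhn-valid 13-to-19-digit numbers in text files and reports only masked matches, so the scan itself does not create a new copy of cardholder data. The file suffix list, the directory walk and the sample text are assumptions for illustration.

```python
"""Added example (not from the original post): a minimal cardholder-data
discovery scanner. It finds candidate PANs in text, drops most false
positives with the Luhn checksum, and reports masked values only."""
import re
from pathlib import Path

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit. (A production scanner would also
# try shorter windows inside longer digit runs; this keeps one greedy match.)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, the form PCI DSS allows for display."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs in text that pass the Luhn check, in order found."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_paths(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Walk root and map each matching file path to the masked PANs it holds."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            try:
                pans = find_pans(p.read_text(errors="ignore"))
            except OSError:
                continue            # unreadable file: skip, do not abort the scan
            if pans:
                hits[str(p)] = pans
    return hits


# Constructed sample: one Luhn-valid test PAN (a well-known Visa test number)
# and one 16-digit number that fails Luhn and must not be reported.
SAMPLE = "order 42 card 4111-1111-1111-1111 exp 12/14\nref 1234567890123456\n"
```

Running `find_pans(SAMPLE)` yields `['************1111']`; the second digit run is rejected by the checksum, and `scan_paths(Path('/some/share'))` applies the same logic across a directory tree.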

[Figure: Cardholder Data Environment illustration]

Once you start searching for cardholder data outside of the CDE, don't be surprised to find some. Cardholder data leakage is not uncommon; it's just not acceptable. With spring break just around the corner, this is a great time to make plans for a campuswide spring data cleaning. Let me know how it goes.

Thanks for reading.
