Payment Card Industry Data Security Standard (PCI DSS)
Summary: Departments that plan to accept credit cards must adhere to the Payment Card Industry Data Security Standard (PCI DSS).
The PCI DSS is a common set of technical requirements and testing methodologies created to ensure the safe handling of cardholder data. It specifies how credit card data may be stored, processed or transmitted in electronic form. Any department or merchant, of any size, that accepts payment cards must comply with PCI DSS.
The PCI Security Standards Council, which created and maintains the PCI DSS, was founded by the major card brands: Visa, MasterCard, American Express, Discover and JCB. It governs security standards for the payment card industry.
The University of California Office of the President has mandated that every campus department in the UC system that accepts credit cards must follow the PCI DSS set forth by the council.
Payment Card Security Breach
A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:
- Regulatory notification requirements
- Financial liabilities, for example, regulatory and other large fines and fees
- Loss of the University of California’s reputation
- Loss of customers
PCI Compliance Certification and Training
Annual PCI compliance validation is mandatory for all units accepting credit cards. Merchants are required to ensure they have adequate network security related to credit card processing and are responsibly protecting cardholder data at all times.
There are associated charges passed on to the department at the time of certification and training.
- All compliance certifications are facilitated through Trustwave’s Trustkeeper, which is under contract with UC for PCI certification support at all campuses. Merchants are required to register annually at Trustkeeper to validate compliance.
- Online credit card security training is also required and provided by Trustwave and must be completed upon hire and at least annually.
Requirements for processing credit card payments at UCI vary by merchant type. All departments must establish a Merchant ID (MID) before acquiring a terminal or implementing an e-commerce system.
All campus departments accepting credit cards must abide by the following:
- The Payment Card Industry Data Security Standard (PCI DSS) set forth by the PCI Security Standards Council, which applies to:
  - UC Irvine merchants, and any third-party processors (TPP) or data storage entities (DSE) that process, store, or transmit cardholder account data on behalf of UC Irvine.
  - Any computer connected to the UC Irvine network that has an outward-facing IP address.
- The University of California's Business and Finance Bulletin BUS-49, Policy for Cash and Cash Equivalents.
- State and federal laws, and contractual obligations with the University's banks, financial institutions and payment processors.
The storage of sensitive cardholder data is prohibited on any University system.
Merchant IDs (MIDs) are set up differently depending on the type of merchant:
Merchant Setups and Approvals
Terminal Merchants: Campus departments that process debit and credit card payments through terminals at their location.
Terminals, computers and other hardware resources must be physically isolated and accessible only by authorized personnel.
CCCS (Campus Credit Card System) Merchants: Campus departments that use the University's centralized system, the CCCS, via the gateway or online mode. These locations fall under the Central Cashier's CCCS MID.
E-Commerce Merchants: Campus departments with a payment website and credit card processor other than the CCCS.
Stricter and costlier requirements apply to merchants that operate their own database or system (web application, mail system, point of sale, file server, etc.) that collects, stores or transmits cardholder data, or that operate outside UC Irvine's computer networks.
These merchants may be required to undergo quarterly vulnerability scans and/or penetration testing.
Bank and interchange fees associated with credit card processing are absorbed by your department. To become a Terminal Merchant and/or E-Commerce Merchant, complete a Request to Accept Payment Cards form.
All merchant setups require approval and must be completed before a transaction can be processed. Setups, other than the CCCS, can take approximately three weeks to complete.
At this time there are no PCI-compliant mobile payment applications; therefore, they may not be used on campus.
There are costs involved in credit card acceptance.
For more information refer to the Credit Card Processing main menu.
Need an expert? Please contact Dianne Bean, Campus Credit Coordinator, Financial Services, (949) 824-6918.
Notice: University policies, procedures and applicable collective bargaining agreements shall supersede information in this document or elsewhere on this site.