UCSB departments will, whenever possible, use suppliers previously vetted by Office of the President (UCOP) or UCSB to ensure security, PCI DSS compliance, and efficient use of University resources.
If not using an UCOP/UCSB vetted supplier, departments must ensure third-party service providers, and their payment software, gateways, equipment, and outsourced payment services, are PCI DSS compliant and the appropriate data security language must be included in all contracts with third party service providers involving payment card acceptance. They must also be registered with our acquiring bank (Bank of America). Third party payment solutions must be approved by the Coordinator and Procurement Services.
General Requirements of Third-Party Suppliers
In general, if a department wants to work with an outside (third-party) supplier to sell goods and/or services on behalf of the UC Regents, the supplier must meet the following requirements:
- Will use the University merchant account
- Will use a UC Approved gateway
- Can demonstrate PCI compliance with evidence of passing PCI certification
- Is listed on the PCI approved Payment Applications (if appropriate)
- Will accept all terms and conditions of the UC Data Security and PCI Addendums
- Is willing to negotiate terms and conditions as part of the contract process
- Is registered with our acquiring bank (Bank of America)
The following is additional information about some of these requirements.
Payment Card Industry Standards (PCI)
Any supplier that offers credit card acceptance capability and wishes to do business with the University must agree to standard UC contract language about PCI compliance and provide evidence of their PCI validation. PCI validation must be verified by the merchant or Coordinator annually, and any supplier that fails to maintain compliance with PCI standards is subject to being discontinued as an approved supplier to UCSB merchants.
Payment Application Data Security Standard (PA-DSS)
Depending on the type of product offered by the supplier, the supplier may also have to certify their product was developed according to the PA-DSS. Suppliers listed on the PCI SSC website’s List of Validated Payment Applications (https://www.pcisecuritystandards.org) or Visa’s Global Registry of Service Providers (https://usa.visa.com/splisting/splistingindex.html) are automatically accepted as being compliant with PA-DSS.
Certificates of Insurance
Any supplier that offers credit card acceptance capability, and wishes to do business with the University must agree to standard UC levels of insurance that must be carried by the supplier.
NOTE: Departments need to be very aware of the requirements outlined above. Many times smaller businesses/suppliers will not be able to meet the PCI and/or insurance requirements, or be willing to accept or negotiate our contract language. Should this occur, we will not be able to move forward and use the supplier.
Using Suppliers not Integrated with UCSB’s Acquirer (Merchant Processor)
UCSB has contractual obligations with its merchant processor. When contracting with third-party suppliers that use their own merchant processor, an exception may need to be obtained from UCSB’s acquiring bank, and written Variance approved by the Controller’s Office may be required before implementation.