The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure ALL merchants that process, store or transmit credit card information maintain a secure environment.
PCI DSS includes technical and operational requirements for security management, policies, procedures, network architecture, software design and other critical protective measures to prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standards apply to all organizations that store, process or transmit cardholder data.
Important Information about PCI Compliance at UCSB
The following is important information for each merchant to know about PCI compliance at UCSB:
- UCSB works to ensure that all merchants are 100% PCI compliant as validated on a specific date each year. Merchants must complete their validation by the given date, unless prior arrangements are made with the Coordinator, or they will risk having their credit card acceptance privileges suspended or revoked. Non-compliance can also result in fines and other penalties from the card brands and/or our acquiring bank.
- PCI validation is an annual requirement to attest that, at a single point in time (the finish date of the validation for that year), a merchant is in compliance with PCI DSS requirements. However, as a condition of accepting credit cards, merchants are obligated to be compliant at all times (24x7x365). Never make changes to your processing environment (e.g., changing POS security settings, changing terminals, etc.) without considering how the changes might affect PCI compliance and credit card security in general.
- To comply with PCI DSS, campus merchants must validate their compliance by completing an annual self-assessment questionnaire (SAQ). An online portal is used for easier and more efficient completion of the assessment.
- Each merchant must designate a Primary PCI Contact for each credit card processing environment.
- While each merchant is responsible for completing their own SAQ(s), the Coordinator will provide guidance where possible, and/or will arrange for a quote for facilitated assistance from our QSA at UC-negotiated prices.
Non-Compliance with PCI DSS Requirements
Failure to comply with the PCI DSS can result in:
- Large fines and fees assessed by each card brand
- Civil fees and audit costs
- A loss of reputation and payment card privileges for the University
- Notifications to all customers affected
- Additional costly, ongoing PCI DSS reporting requirements.
The non-compliant UCSB department is liable for all costs associated with a data breach. In addition, employees may be subject to disciplinary action or termination (in accordance with Human Resources policies and procedures) if they fail to adhere to the University’s policies and procedures for payment card acceptance, mishandle cardholder data, or commit payment card fraud.
Security Awareness Education (SAE) Training Requirements
Each University of California employee is responsible for safeguarding the information assets entrusted to us. The UC Office of the President requires all employees to complete Cyber Security Awareness Training upon hire and annually thereafter. In addition, every UCSB employee involved with handling cardholder data, including student workers, must complete the PCI DSS Security Awareness Training upon initial hire and on an annual basis thereafter. To access the training, go to the UC Learning Center (https://www.learningcenter.ucsb.edu/) and enter “PCI” in the Search field. The training takes approximately 30 minutes.
The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants in reporting the results of their PCI DSS self-assessment. Merchants should ensure they meet all the eligibility criteria for a particular SAQ before using it. The correct SAQ will be selected in consultation with the Coordinator, the supplier of the POS system in use, and our QSA, and through the Coalfire One portal’s selection wizard.
There are currently eight SAQs covering various processing environments, but except in extraordinary circumstances, UCSB only allows systems that qualify for the following. (Definitions are taken directly from PCI DSS documentation; a full list of SAQ types and qualifying factors is available on the PCI SSC website at https://www.pcisecuritystandards.org/.)
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.
Merchants using only standalone, dial-out or cellular terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.
SAQ-P2PE (preferred for Retail & MO/TO merchants)
Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.
SAQ-C (by exception only)
Merchants with payment application systems connected to the Internet. No e-commerce or electronic cardholder data storage.
SAQ-D (by exception only)
All merchants not included in descriptions for the above SAQ types.