Quarterly and Annual Monitoring Requirements

Directive Statement

All departments that accept credit or debit cards as a form of payment must perform certain processes on a quarterly and annual basis to ensure ongoing compliance.

Reason for Directive

Credit card merchants at the University of Florida are required to follow strict procedures to protect customers’ credit card data.  Merchant Services must ensure continuing compliance with the Payment Card Industry (PCI) Data Security Standards (DSS) as well as the UF Credit Card Merchant Policy.

Who Must Comply?

All University departments whose personnel store, process or transmit cardholder information. This also applies to units that outsource the processing of payment card information to third party vendors.

Quarterly Processes

At a minimum quarterly, departments must perform the following processes :

1. Perform a programmatic (automatic or manual) removal of stored cardholder data that exceeds requirements defined in the data retention policy
2. Change user passwords
3. Run internal and external network vulnerability scans, if the applicable UF implementation(s) trigger an according PCI DSS requirement (contact Merchant Services for more details)

Annual Processes

At a minimum annually, departments must perform the following processes:

1. Test Incident Response Plan
2. Ensure all workforce members (employees, students or volunteers) who work with (process, store, or transmit) credit/debit cards successfully complete the applicable annual training TRM125: Payment Card Security Awareness Training
3. Require personnel to acknowledge that they have read and understood the University’s security policy and procedures, as documented by signature on the Credit Card Security Ethics Certification, as included in the training course TRM125.
4. Submit documentation of the following actions to Merchant Services:
   • Completed PCI DSS Self-Assessment Questionnaire
   • Monitor and report on PCI status of third-party service providers
   • Review the departmental payment card procedures and update as needed
5. Verify that the information security policy includes an annual risk assessment process that identifies threats, vulnerabilities, and results in a formal risk assessment

Note: The UF Office of Information Security and Compliance has the authority to perform such assessments

All departments that accept credit or debit cards are required to meet with a representative from Merchant Services on an annual basis.  The agenda will include, but is not limited to, credit and debit card security, inventory analysis and PCI compliance.  The meeting will be scheduled at the department and unit’s availability.  For the meeting, departments will need to have accessible:

• All documentation detailed for the annual processes above
• All credit and debit card accepting terminals, devices, and implementations to confirm and verify the inventory
• All departmental credit and debit card processing procedures
• Network Diagram (PDF)

Last Reviewed

Last reviewed on 03/20/2024

Resources

PCI Security Standards Council

VISA Operations & Procedures

UF Privacy Office

Training

TRM125 – Payment Card Security Awareness Training

Contacts

Banking & Merchant Services: (352) 392-9057

Treasury-creditcards@ad.ufl.edu

Still have a question?

View our FAQs