Payment Card Industry Data Security Standard (PCI DSS)
Credit card merchants at the University of Florida are required to follow strict procedures to protect customers’ credit/debit card data. These directives apply to all types of credit/debit card activity (storage, processing and transmission of card information), including transactions processed face-to-face, over the phone, via fax, mail or over the internet.
Treasury Management’s Payment Card Operations ensures the adherence of campus core merchants to these standards.
The PCI Security Standards Council was formed to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
The current PCI standards include the following components:
- PCI DSS: Payment Card Industry Data Security Standard
- PCI PTS: PIN Transaction Security
- PA-DSS: Payment Application Data Security Standard
The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). All University of Florida campus merchants are required to complete an SAQ on a yearly basis. There are multiple versions of the SAQ to meet various scenarios.
| SAQ | Description |
|---|---|
| A | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. |
| A-EP | Partially outsourced e-commerce merchants using a third-party website for payment processing. |
| B | Merchants with only imprint machines or only standalone, dial-out terminals – no electronic cardholder data storage. |
| B-IP | Merchants with standalone, IP-connected PTS Point-of-Interaction (POI) terminals – no electronic cardholder data storage. |
| C-VT | Merchants with web-based virtual payment terminals – no electronic cardholder data storage. |
| C | Merchants with payment application systems connected to the internet – no electronic cardholder data storage. |
| D | All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ. |
| P2PE | Merchants using hardware payment terminals in a PCI SSC-listed P2PE solution only – no electronic cardholder data storage. |
One of the PCI DSS requirements is to “educate personnel upon hire and at least annually.” Payment Card Operations, in cooperation with UF Training and Organizational Development, has created an online training course, TRM100 PCI – Payment Card Security. The training is available through myUFL under “Training and Development.”
Every UF employee, student, or faculty member involved in the processing, storage or transmission of credit/debit card information must sign the Credit Card Security Ethics Certification (FA-TM-CCETHICS) to document annually his/her understanding of and willingness to comply with all university credit/debit card security policies, directives and procedures as well as the PCI DSS.
This certification should be submitted to Payment Card Operations during the establishment of a new merchant location or the hiring of a new employee. The certification will be stored by Payment Card Operations and will be available upon request.
- University of Florida Credit Card Merchant Policy
- PCI Security Standards Council
- VISA Operations & Procedures
- VISA Risk Management
- VISA “If Compromised”
- UF Privacy Office
- UF Office of Information Technology Acceptable Use Policy
- UF IT Standards for Data Use Limitations of UF Payment Card Information