Payment Card Industry Data Security Standard (PCI DSS)
All University departments whose personnel store, process or transmit cardholder information, including units that outsource the processing of payment card information to third party vendors, have to be compliant with the PCI DSS, which was formed to enhance cardholder data security.
Reason for Directive
Credit card merchants at the University of Florida are required to follow strict procedures to protect customers’ payment card data and attest compliance with the Payment Card Industry Data Security Standards (PCI DSS). Failure to protect such information may result in financial loss for customers and the University, suspension of credit card processing privileges, fines imposed on credit card merchants and damage to the institution’s reputation.
Who Must Comply?
All University departments whose personnel store, process or transmit cardholder information. This also applies to units that outsource the processing of payment card information to third party vendors.
The PCI Security Standards Council is a global forum for the industry to come together to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and VISA, Inc. The current PCI Standards include, among others, the following components:
- PCI Data Security Standard (PCI DSS)
- PCI PIN Transaction Security (PCI PTS)
- Payment Application Data Security Standard (PA-DSS)
- Point-to-Point Encryption (P2PE) Solutions
These security related standards were developed to secure all payment card information from unauthorized access and apply to all transactions surrounding the payment card industry and the merchants/organizations that accept these cards as forms of payment.
More information about the PCI DSS can be found at the PCI Security Standards Council website.
The PCI consists of well over 300 controls that are broken down into the following requirements:
The following requirements stand out, particularly as they apply to UF staff and departments:
“Educate personnel upon hire and at least annually.” To satisfy this requirement, Payment Card Operations and UFHR Training and Organizational Development offer the online training course TRM125: Payment Card Security Awareness Training
The above training includes a Credit Card Security Ethics Certification to document their understanding of and willingness to comply with all University payment card security policies, directives, procedures and the PCI DSS. This requirement also applies in the case where a UF department outsources credit card payments to a third party vendor.
Payment Card Industry Data Security Standards (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data.
05/01/2020: reviewed content
TRM125 – Payment Card Security Awareness Training
Treasury Management/Payment Card Operations: (352) 392-9057