
Payment Card Industry Data Security Standard (PCI DSS)

Directive Statement

All University departments whose personnel store, process or transmit cardholder information, including units that outsource the processing of payment card information to third party vendors, have to be compliant with the PCI DSS, which was formed to enhance cardholder data security.

Reason for Directive

Credit card merchants at the University of Florida are required to follow strict procedures to protect customers’ payment card data and to attest compliance with the Payment Card Industry Data Security Standard (PCI DSS). Failure to protect such information may result in financial loss for customers and the University, suspension of credit card processing privileges, fines imposed on credit card merchants, and damage to the institution’s reputation.

Who Must Comply?

All University departments whose personnel store, process or transmit cardholder information. This also applies to units that outsource the processing of payment card information to third party vendors.

Background

The PCI Security Standards Council is a global forum in which the industry comes together to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and VISA, Inc. The current PCI Standards include, among others, the following components:

  • PCI Data Security Standard (PCI DSS)
  • PCI PIN Transaction Security (PCI PTS)
  • Payment Application Data Security Standard (PA-DSS)
  • Point-to-Point Encryption (P2PE) Solutions

Overview

These security-related standards were developed to protect all payment card information from unauthorized access. They apply to all transactions in the payment card industry and to the merchants and organizations that accept these cards as forms of payment.

More information about the PCI DSS can be found at the PCI Security Standards Council website.

Requirements

The PCI DSS consists of well over 300 controls, grouped into a set of requirements.

The following requirements stand out, particularly as they apply to UF staff and departments:

“Educate personnel upon hire and at least annually.” To satisfy this requirement, Payment Card Operations and UFHR Training and Organizational Development offer the online training course TRM125: Payment Card Security Awareness Training.

The above training includes a Credit Card Security Ethics Certification, which documents the employee’s understanding of, and willingness to comply with, all University payment card security policies, directives, procedures and the PCI DSS. This requirement also applies where a UF department outsources credit card payments to a third party vendor.

Definitions

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data.

Last Reviewed

05/01/2020: reviewed content

Resources

PCI Security Standards Council

VISA Operations & Procedures

UF Privacy Office

UF Office of Information Technology Acceptable Use Policy

UFIT Standards for Data Use Limitation of UF Payment Card Information

Training

TRM125 – Payment Card Security Awareness Training

Contacts

Treasury Management/Payment Card Operations: (352) 392-9057

Treasury-creditcards@ad.ufl.edu
