Cash Handling and Banking Services

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)


In response to growing consumer concern over the compromise of credit card data, the major card brands (American Express, Discover, JCB, MasterCard and Visa) aligned their individual security programs into a single standard for merchants, the Payment Card Industry Data Security Standard (PCI DSS). In 2006 the brands formed the PCI Security Standards Council (PCI SSC), which now owns, publishes and maintains the PCI standards; enforcement of compliance, including fines, remains with the individual card brands and the acquiring (merchant) banks.

Credit card information must be handled securely, because a breach of cardholder data has significant consequences. All campus merchants are required to comply with PCI DSS, as determined by the Campus Credit Card Coordinator (see UC BUS-49 policy (PDF)). Non-compliance could result in our merchant bank assessing significant fines, suspending the campus's ability to accept credit cards, and/or requiring on-site credit card audits.

Campus departments may not store credit card numbers (the full primary account number, or PAN) in any electronic format, including email, spreadsheets, databases, scanned images or shared drives, unless official approval from the Controller's Office has been obtained. Note that PCI DSS prohibits storing sensitive authentication data (the three- or four-digit security code, full magnetic-stripe or chip data, and PINs) after a transaction is authorized under any circumstances; no campus approval can permit it.

PCI DSS Compliance Validation

To comply with PCI DSS, campus merchants must validate their compliance by completing an annual Self-Assessment Questionnaire (SAQ) and, where the SAQ type requires it (merchants with Internet-facing systems in the cardholder data environment), reviewing quarterly external vulnerability scans performed by a PCI-approved scanning vendor (ASV). In addition, all third-party service providers that store, process or transmit cardholder data on behalf of campus merchants must be contractually obligated to confirm ongoing PCI DSS compliance, typically by providing a current Attestation of Compliance each year.

The twelve PCI DSS requirements are grouped into the following six areas:

Area: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Area: Protect Cardholder Data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
Area: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
Area: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
Area: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Area: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel.

For information and assistance, contact the Credit Card Coordinator at MerchantSupport@berkeley.edu.