Payment Card Industry Data Security Standards

In light of growing consumer concerns over the compromise of credit card data, the four major credit card associations joined forces to establish a security program for merchants called the Payment Card Industry Data Security Standards (PCI DSS). The PCI Security Standards Council (PCI Co) was later formed to work with credit card associations as an advisory group to manage the PCI standards.

Credit card information must be handled securely, as a breach of credit card information has significant consequences. All campus merchants are required to comply with the PCI DSS as determined by the Campus Credit Card Coordinator (see UC BUS-49 policy (PDF)). Non-compliance could result in our merchant bank assessing significant fines, suspending the campus's ability to accept credit cards, and/or requiring on-site credit card audits.

Campus departments may not store credit card numbers in any electronic format (including email, spreadsheets, databases, etc.) unless official approval from the Controller's Office has been obtained.

PCI DSS Compliance Validation

To comply with PCI DSS, campus merchants must validate their compliance by completing an annual self-assessment questionnaire (SAQ) and reviewing quarterly network security scans (if required). In addition, all third-party service providers that store, process, or transmit credit card data on behalf of campus merchants must be contractually obligated to confirm ongoing PCI DSS compliance.