Cash Handling and Banking Services
PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS
In light of growing consumer concerns over the compromise of credit card data, the four major credit card associations joined forces to establish a security program for merchants called the Payment Card Industry Data Security Standards (PCI DSS). The PCI Security Standards Council (PCI Co) was later formed to work with credit card associations as an advisory group to manage the PCI standards.
Credit card information must be handled in a secure manner, as a breach of credit card information has significant consequences. All campus merchants are required to comply with the PCI DSS as determined by the Campus Credit Card Coordinator (see UC BUS-49 policy (PDF)). Non-compliance could result in our merchant bank assessing significant fines, suspending the campus's ability to accept credit cards, and/or requiring on-site credit card audits.
Campus departments may not store credit card numbers in any electronic format including email, spreadsheet, databases, etc., unless official approval from the Controller's Office has been obtained.
PCI DSS Compliance Validation
To comply with PCI DSS, campus merchants must validate their compliance by completing an annual self-assessment questionnaire (SAQ) and reviewing quarterly network security scans (if required). In addition, all third-party service providers that store, process, or transmit credit card data on behalf of campus merchants must be contractually obligated to confirm ongoing PCI DSS compliance.
The following areas are covered under PCI DSS:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
For information and assistance, contact the Credit Card Coordinator at MerchantSupport@berkeley.edu.