
Payment Card Industry Data Security Standards (PCI DSS)

Find the resources and information you need to comply with PCI requirements.

Payment Card Processing and Compliance is governed by PPM 300-86.

PCI DSS Background and Compliance Requirement

The Payment Card Industry Data Security Standards (PCI DSS) are a set of security requirements established by the PCI Security Standards Council (founded by Visa, MasterCard, American Express, Discover, JCB, and other institutions) to mitigate the risk associated with payment account security and the protection of cardholder information. Compliance with PCI standards applies to all merchants, processors, acquirers, issuers, and service providers regardless of size or volume of transactions.

As a Campus merchant, you will be responsible for all requirements related to PCI DSS ongoing compliance.

Currently, PCI DSS consists of a minimum set of 12 requirements for protecting cardholder data, which may be enhanced by additional controls and practices to further mitigate risk.

Compliance with the Payment Card Industry Data Security Standards (PCI DSS) is mandated by the major credit card organizations and enforced by UCOP, which has delegated this responsibility to the Campus Credit Card Coordinator.

Continuous compliance and validation apply to all UCSD merchants regardless of size or volume of transactions. Specific requirements vary depending on the Cardholder Data Environment (CDE) and the Campus' merchant level. The CDE includes all processes and technology, including system components, hardware, software, and all other factors used during the processing of credit or debit card payments.

Merchant levels fall within categories 1-4 and are determined over a 12-month period. The Campus (as a whole) is assigned a merchant level and is required to meet the level-specific requirements. UCSD has been classified as a level 2 merchant.

Annually, merchants must validate and attest to compliance with PCI DSS in order for the Campus to meet overall PCI DSS compliance.

In addition to complying with PCI DSS requirements, and depending on the CDE, merchants may also be subject to additional standards, including the Payment Application Data Security Standard (PA-DSS), PIN Transaction Security (PTS) and Point-to-Point Encryption (P2PE). The PCI Council continually updates its requirements to keep pace with new technology and data security practices.

Refer to the PCI DSS Website for more details.

PCI Training

VigiOne SAQ Web Portal

As the University's PCI compliance partner, VigiTrust administers the campus's Self-Assessment Questionnaires (SAQs). The VigiOne portal is the web tool developed by VigiTrust for merchants to complete their SAQs.

University merchants are notified by Merchant Services to begin their annual assessments. If you do not have access to the VigiOne portal, but you are assigned to perform the SAQ, please contact merchantservices@ucsd.edu and we will assist you with the onboarding process to VigiOne.

Important PCI DSS Requirements

PCI-DSS 3.1 - Requirement 12

PCI DSS Questions 12.8.1 to 12.8.5 – Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:

The response is "YES" if the merchant receives services from any of the following providers:

  • Bank of America Merchant Services (BAMS)
  • Authorize.net
  • Cybersource

The third parties listed above provide services under University agreements, which are governed by Policy BUS-49 (PDF). BUS-49 is the evidence that supports compliance with this requirement.

Important

For other service providers, merchants are required to maintain written agreements that include an acknowledgement that the third-party service provider is responsible for complying with all applicable PCI DSS requirements. The intent is to confirm the service provider's commitment to maintaining all controls for all services that are subject to PCI DSS.

When responding to these questions in the VigiOne portal, merchants must upload evidence supporting their responses (i.e., a copy of the valid and current agreement with each service provider).

More information on Third Party Vendor Security Assurance (PDF).

SAQ Resources

Templates, policies, and procedures that you can use as reference or evidence when completing your SAQs:


Evidence Required by SAQ type

Merchants are responsible for gathering required evidence based on the associated SAQ type(s). Evidence must be uploaded to the VigiOne portal as part of the annual PCI validation.

SAQ Type: P2PE

SAQ Type: B-IP
Video/Photo Evidence Required:
• Paper forms used to write down/collect CHD
• Storage of CHD (e.g. filing cabinets, safes)
• Destruction of CHD (e.g. cross-cut shredder, Iron Mountain/Shred-it bins)
• Payment devices (make/model, serial)
• Physical security of payment capture devices (e.g. mounting, cameras)
• Device Inspection Procedures / Logs

SAQ Type: D
Video/Photo Evidence Required:
• TBD based on card processing environment

FACTA Compliance

FACTA, the Fair and Accurate Credit Transactions Act (15 U.S.C. § 1681c(g)), requires that vendors accepting credit or debit cards print no more than the last 5 digits of the card number on any receipt provided to the cardholder at the point of sale, and that they do not print the expiration date.

Statutory damages for FACTA violations range from actual damages for a negligent violation, to $100-$1,000 per willful violation.

Merchants with in-person transactions

Ensure that printed receipts do not contain more than the last 5 digits of the card number or the expiration date.

Merchants with e-commerce websites

Confirm that your third-party vendor does not send electronic receipts containing more than the last 5 digits of the card number or the expiration date.
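As an added example (not part of this page or of any UCSD or vendor tooling), the following Python check scans receipt text for the two FACTA conditions above: a card number with more than the last 5 digits visible, and a printed expiration date. The sample receipts are constructed for the example; a Luhn check is used so that authorization or order numbers are not mistaken for card numbers.

```python
import re

# Constructed sample receipts (not taken from the page); 4111 1111 1111 1111 is a well-known test PAN.
COMPLIANT_RECEIPT = "UCSD Bookstore\nVISA ************12345\nAUTH 045212\nTOTAL $42.00\n"
BAD_RECEIPTS = {
    "full_pan": "VISA 4111 1111 1111 1111\nTOTAL $42.00\n",
    "six_digits": "VISA **********123456\nTOTAL $42.00\n",
    "expiry": "VISA ************12345 EXP 12/27\nTOTAL $42.00\n",
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13-19 digits, optionally grouped by spaces or dashes, not preceded by a mask character
PAN_RE = re.compile(r"(?<![\d*xX])(?:\d[ -]?){12,18}\d(?!\d)")
# a run of mask characters followed by six or more visible digits (FACTA allows at most 5)
TRUNC_RE = re.compile(r"[*xX#]{4,}[ -]?(\d{6,})")
# an 'exp' label followed by MM/YY or MM/YYYY; the label keeps transaction dates from matching
EXP_RE = re.compile(r"\bexp\w*\.?:?\s*(0[1-9]|1[0-2])/\d{2}(?:\d{2})?\b", re.IGNORECASE)

def facta_findings(receipt: str) -> list[str]:
    """Return a list of FACTA problems found in the receipt text (empty if compliant)."""
    findings = []
    for m in PAN_RE.finditer(receipt):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # skip digit runs that are not card numbers
            findings.append(f"full PAN exposed ({len(digits)} digits)")
    for m in TRUNC_RE.finditer(receipt):
        findings.append(f"{len(m.group(1))} trailing digits shown (limit is 5)")
    if EXP_RE.search(receipt):
        findings.append("expiration date printed")
    return findings

def is_facta_compliant(receipt: str) -> bool:
    return not facta_findings(receipt)

if __name__ == "__main__":
    print("compliant sample:", facta_findings(COMPLIANT_RECEIPT))
    for name, text in BAD_RECEIPTS.items():
        print(name, "->", facta_findings(text))
```

The same scan can be run over a batch of electronic receipts received from a vendor to confirm the truncation before going live.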

Use of Email and Messaging Technologies for Transmitting Card Data

The UCOP Office of the Chief Investment Officer (OCIO) has agreed that BUS-49 (PDF), the University's Policy on Cash Handling, applies to messaging technologies as follows:

BUS-49, Appendix B, items 7 to 10: card data cannot be emailed, either in the body of an e-mail or as an attachment. The same prohibition extends to current messaging technologies, as an extension of the rule to newer technology.
