Supporting UCSD Merchants in Meeting PCI Requirements
Learn how IT Services supports UC San Diego merchants required to meet Payment Card Industry Data Security Standards (PCI DSS).
About PCI DSS requirements
UC San Diego merchants handling, processing, transmitting or storing cardholder data in physical or electronic format are required to meet Payment Card Industry Data Security Standards (PCI DSS) as outlined in the Policy and Procedure Manual 300 - Accounting Procedure - General, Payment Card Processing and Compliance Policy.
UCSD ITS Security Services provides auxiliary support to the UCSD BFS General Accounting Payment Card Coordinator, primarily by ensuring that Information Technology Services (ITS) meets the latest PCI security standards as they apply to the merchant information technology that ITS supports.
Additionally, ITS Security Services provides PCI DSS guidance to merchants who do not receive ITS support and who lack the requisite knowledge, skills and abilities to ensure compliance with the latest standards.
ITS Security
Information Technology Services (ITS) Security Services, working with ITS as a whole, will:
- Maintain and disseminate security policies and procedures that address PCI DSS requirements
- Establish and test the ITS-supported infrastructure and network environment at UCSD
- Assist the Payment Card Coordinator and UCSD ITS-supported merchants in completing the technical sections of the annual Self-Assessment Questionnaire (SAQ)
- Work closely with the UCSD Qualified Security Assessor (QSA) to interpret PCI DSS requirements and to communicate and facilitate overall security and technical compliance with Merchants
- Securely configure and maintain ITS-managed IT systems, facilitate ITS-supported merchant hardware and software configurations, and provide oversight of all computer systems and other IT resources to support compliance with PCI DSS and UC security requirements
- Manage and provide training and tools that limit access to ITS IT resources and cardholder data
- Support any investigation conducted by a third-party forensics vendor and the remediation of any reported violations of this policy; lead investigations of credit card security breaches with support from UC San Diego’s on-call forensics contractor; and, where necessary, terminate access to protected information for any users who fail to comply with the policy
Standardized IT approach to PCI compliance
- Adoption of PCI DSS-validated Point-to-Point Encryption (P2PE) technologies is required
- UC San Diego’s preferred P2PE solution is provided by Bluefin Payment Systems
- With the approval of the Office of Internal Controls and Accounting (General Accounting), given in consultation with the Chief Information Officer(s) for UCSD, other PCI DSS-validated P2PE solutions may be adopted to support unique merchant payment processing requirements
- Alternatives to the preferred solution may introduce additional risk to UCSD and will therefore be highly scrutinized
Additional Information
For questions, comments, or concerns related to credit card processing, see Credit and Debit Card Processing. The UCSD Office of Internal Controls & Accounting (General Accounting) is responsible for initiating and overseeing the annual PCI validation, initial merchant setup, and ongoing administration of all UCSD merchant accounts.