PCI Data Security Standard Requirement

February 21, 2014

Summary: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure ALL merchants that process, store or transmit credit card information maintain a secure environment. Essentially any area that has a UCLA Merchant ID (MID) must certify compliance to this standard, regardless of size or number of transactions. In other words, if your customer ever pays using a credit or debit card, then PCI DSS requirements apply.

UCLA recently updated requirements to ensure the campus is in compliance with the PCI DSS based on the latest October 2010 update. Business and Finance Services provides detailed instructions for departments to complete the requirements beginning in May. To satisfy the requirements for PCI DSS, departments must complete the following steps annually by June 30.

  1. Complete the required annual Self-Assessment Questionnaire (SAQ). Business and Finance Services will provide a link to complete the Self-Assessment in May.
  2. Employees with access to credit or debit card information must complete the online Security Awareness Education training. See the Security Awareness Education Training article on the related link for more details.
  3. For online departments processing credit cards through CASHNet, Payment Solutions & Compliance will certify compliance through the PCI-approved vendor on your behalf. The required annual training referenced in step #2 above still applies.
  4. Internet Merchants using a process other than CASHNet must work with the Director of Business and Finance Services to establish a variance to the policy that requires use of CASHNet as the University-approved credit card process. Merchants must also certify PCI compliance based on the SAQ type required, as determined by the Director of Business and Finance Services. This may include:
  • monthly perimeter scans conducted by the PCI-approved Security Assessor, Coalfire,
  • quarterly internal penetration tests, and
  • an annual internal audit based on SAQ type.