PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure all merchants that process, store or transmit credit card information maintain a secure environment. Any area that has a UCLA Merchant ID (MID), including those in which customer payments are accepted via credit or debit card, must certify compliance to this standard, regardless of size or number of transactions. PCI DSS compliance is one of the steps required to Become a Credit Card Merchant.

UCLA updated its requirements for PCI DSS compliance based on the January 2017 standard update. Treasury Services' campus credit card coordinator provides merchants with detailed instructions for completing these requirements beginning in April. To obtain PCI DSS compliance, departments must complete the following steps by May 15, annually:

  • All merchants, including those that process credit card payments through CASHNet under the checkout module, must complete an annual Self-Assessment Questionnaire (SAQ), Treasury Services' campus credit card coordinator will provide a link to complete the questionnaire beginning in April.
  • All employees with access to credit or debit cards must complete PCI Training upon hire and annually thereafter. PCI Training is accessible year-round.

If you are an Internet Merchant who uses a system other than CASHNet, the University's approved credit card processing system, you must work with Treasury Services' campus credit card coordinator to define the additional steps required for PCI compliance. The coordinator uses the merchant's SAQ type to determine what extra steps are required to obtain compliance, which may include:

  • Monthly perimeter scans, conducted by Coalfire (PCI approved security assessor)
  • Quarterly internal penetration tests
  • Annual internal audit based on SAQ type