A. Payment Card Industry Data Security Standards
The Payment Card Industry Data Security Standards (PCI DSS) were originally developed through a collaborative effort by the major card brands, MasterCard, Visa and others, as a set of technical and operational security requirements to protect sensitive credit card data. Today these standards are set by the PCI Security Standards Council (PCI SSC) and enforced by the payment card brands. These requirements MUST be followed by ALL entities that process, store or transmit cardholder data.
The PCI Data Security Standard identifies twelve basic security requirements for cardholder transactions. (See Appendix A)
University of Iowa merchants are EXPLICITLY PROHIBITED from storing sensitive cardholder data on any University systems, including University servers, both local and those hosted off-site, workstations, and other locally maintained systems, including databases, file servers, spreadsheets, email, imaging systems, and paper files.
Sensitive Cardholder Data includes:
- Full Credit Card/Personal Account Numbers (PAN)
- Security Codes (CVC2, CVV2, CID)
- PIN/PIN block
- Full Magnetic Stripe Data (most egregious violation of PCI DSS)
All merchants using a shared mailbox to communicate with customers must run Identity Finder scans monthly to detect any cardholder data that has been stored inadvertently. Merchants should consult with their ITS Enterprise Support Consultant to perform the scan (https://its.uiowa.edu/support/article/2697).
Should a merchant experience a security breach, the University’s credit card processor is authorized on behalf of the card brands to assess the merchant any fine levied by the card associations as well as the costs of forensic investigation, remediation, customer notification and re-issuance of cards.
A single merchant breach may result in the elevation of the merchant, or potentially all UI merchants’ status to Level 1 (see Appendix B for merchant level definitions) at the discretion of the UI contracted bank. Level 1 status requires the merchant to pay for and submit to a third-party audit of the credit card processing environment. It should be noted that the University will not reimburse or share the cost of any expenses arising from the unintended exposure of cardholder data; expenses will be the responsibility of the breached merchant.
B. Validation of Merchant Compliance
Compliance with PCI-DSS is not a single event, but a continuous, ongoing process.
PCI Compliance Manager Portal: University credit card merchants are required to use PCI Compliance Manager, a web-based compliance validation tool used by the University to track merchant compliance with PCI DSS. PCI Compliance Manager is used by each merchant to complete Self-Assessment Questionnaires (SAQ), set up network vulnerability scanning, review compliance reports, and access other valuable compliance tools.
Self-Assessment Questionnaire: Merchants are required to annually validate their compliance with PCI DSS by completing a Self-Assessment Questionnaire (SAQ) in PCI Compliance Manager. There are seven different versions of the SAQ; the appropriate version varies by merchant and is determined by the method used to process credit card transactions. (See Appendix C for processing methods and associated SAQ required)
Attestation of Compliance: At the end of each SAQ is the “Attestation of Compliance”. Completion and retention of the Attestation self-certification provides documentation that your department has performed a PCI DSS self-assessment. It is best practice for this final step of the annual SAQ to be executed by the departmental budget officer.
Vulnerability Scans: Merchants who are required to complete SAQ A-EP, B-IP, C or D must also configure PCI Compliance Manager to perform Network Vulnerability Scans for any devices that are used to process, store or transmit credit card data. Scans are performed monthly and pass/fail results are displayed in PCI Compliance Manager.
PCI Network: Merchants who are required to complete SAQ A-EP, B-IP, C or D must also contact the Information Security and Policy Office to configure systems to operate on the University PCI network. Systems on the PCI network will need to have explicit network access defined to allow network traffic through the PCI firewalls.
On-Site Periodic Review of Merchant Compliance: Merchants are subject to an on-site review of compliance and should be prepared to discuss their SAQ answers and how they are fulfilling the data security requirements. Reviews will be conducted by Treasury Operations in collaboration with the Information Security and Policy Office, which will periodically assess the security controls in place to protect cardholder data when processing occurs over the University's network. Reviews of these technology-based implementations will include, but not be limited to, periodic network-based vulnerability scans.
Approved merchants are responsible for ALL costs associated with the equipment, setup, operations and maintenance of the merchant account.
1. The fees charged by the card brands (interchange) are typically 2.0%-2.5% of sales, and are calculated based on a variety of factors including the type of card presented by the consumer. To qualify for the best possible rate:
- Make sure the settlement process is performed at the end of business each day (aka “Batching Out”). Note that some terminals and most software can be configured to perform this task automatically at a predetermined time of day. Settlement outside of the required time period may cause the transaction to be “downgraded” (meaning it does not qualify for a preferred rate because it is perceived as riskier).
- Perform/require address verification for each transaction (aka “AVS”). AVS verifies the numeric portions of a cardholder’s billing address. For example, if your customer provides an address of 1847 Hawkeye Drive, Iowa City, IA 52242, AVS will confirm with the credit card company the numbers 1847 and 52242. If the information does not match, it may cause the transaction to be downgraded or even declined.
- If possible, process card present transactions where the actual credit card is swiped rather than keyed manually.
2. PCI DSS Compliance Fees - $7/month charged directly to merchant
3. Monthly statements of credit card processing activity and associated fees are ONLY available online at Merchant Connect. Individuals must enroll for a user account on the website and will need specific information to register. Please contact firstname.lastname@example.org for assistance.