Merchant Services and PCI Compliance
Our team works together to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance for SDSU. Departments that wish to accept payment cards must comply with SDSU's PCI DSS policies and procedures. PCI DSS requirements cover the people, processes and technology that store, process or transmit cardholder data. PCI compliance mitigates risk, protects the University against the costs of a breach, and strengthens overall security. Compliance with PCI DSS protects not only students, but also employees, alumni and our customers.
Each person with access to payment card data, applications or systems is required to take PCI training at the point of hire and, at a minimum, annually thereafter.
What Do I Need To Do?
Please follow the guidelines for new hire training and annual training. Inform your supervisor once you have successfully completed all trainings.
What is the Payment Card Industry Data Security Standard (PCI DSS)?
PCI DSS is the result of a collaboration of the major credit card associations to establish a single data security standard designed to protect sensitive cardholder information.
Who has to comply with PCI DSS?
Any entity that stores, processes or transmits cardholder data (including credit and debit cards) must comply with PCI DSS requirements.
What can happen if I am not in compliance with PCI DSS?
Non-compliance can result in fines and remedial efforts that could easily exceed $1 million. It can also expose customers (students, faculty, staff and the general public) to fraud and identity theft. A breach of cardholder information can result in negative publicity and damage SDSU's reputation. Non-compliance can also result in the loss of credit card and debit card acceptance privileges.
What is cardholder data?
The full magnetic stripe or the primary account number (PAN) of a payment card belonging to a cardholder, along with any of the following data types: cardholder name, expiration date or service code (a three- or four-digit number coded onto the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe-read transaction).
Do I have to batch out my merchant terminal every day?
Yes, you must complete batch processing of all sales receipts at the end of each business day.
How should papers/printouts that contain cardholder data be handled?
Physical copies of payment card numbers must not be stored past authorization unless a legitimate business need exists to retain the information. Paper copies must be cross-cut shredded upon disposal. Never throw sensitive data in the trash.
May I create documents containing cardholder data on my computer?
No. Creating such a document, even if it is never saved, leaves temporary copies of the cardholder data on the computer. Any paper document used for processing credit cards or handling cardholder data must remain in paper form throughout its creation, storage and transmission.
May I use my work computer to store, enter or transmit cardholder data for someone other than myself as a part of my SDSU work?
No. SDSU computers may not be used to store, enter or transmit cardholder data. Only University approved PCI compliant hardware may be used for these tasks.
May I take cardholder data over the telephone for a campus service or event?
Yes, as long as the conversation is not being recorded or stored. Properly dispose of any cardholder data once the transaction is finished.
May I take cardholder data via email, text or chat (end user messaging) for a campus service or event?
No. Cardholder data must never be sent, received, or stored via end user messaging due to security concerns. If you have previously received payment card information via email, you will need to delete all messages containing credit card information from your inbox, sent folder, drafts folder, and any other folders that you may have created. Once that is done, empty your email trash, clear your web browser cache (temporary browser files), and empty your computer's recycle bin or trash.
May I take cardholder data via U.S. Mail for a campus service or event?
Depending on the situation, this may be allowed. The payment must be processed immediately and documents must be disposed of using a cross-cut shredder.
What is PCI compliance and how long is the PCI compliance certification valid?
PCI compliance is adherence to a set of security standards developed to protect credit card information during and after a financial transaction. Although the PCI compliance certification is valid for one year from the date the certificate is issued, compliance is an ongoing and collective effort for all SDSU departments. Ensuring that each department is aware of PCI policies and best practices for handling sensitive payment card information is essential for minimizing risk and maintaining compliance.
Additional Policies and Procedures
- Campus Department Credit Card Policy
- Red Flag Reporting
- SDSU Campus Credit Card Policy
The resources listed above are intended to help merchants understand payment card industry requirements and policy, and to ensure compliance with Payment Card Industry standards.