PCI COMPLIANCE FAQ

What is the Payment Card Industry Security Standards Council ?

The Payment Card Industry Data Security Standards Council was originally formed by several payment card providers in 2006 with the goal of managing the evolution of the Payment Card Industry Data Security Standard.

What is the Payment Card Industry Data Security Standard (PCI DSS)?

The Payment Card Industry Data Security Standard (PCI DSS) is the global standard created by the Payment Card Industry Security Standards Council to help organizations accept payment cards in a manner that helps secure transactions and prevent fraud.

What is a payment card?

A payment card is part of a system that enables the cardholder to make a payment by electronic funds transfer. The most common payment cards are credit cards and debit cards.

What is PCI Compliance?

PCI Compliance is the process of demonstrating alignment and conformance to PCI DSS standards.

When does PCI Compliance Apply?

As a general rule PCI standards apply whenever a payment card transaction is involved. More specifically, PCI Compliance is required whenever a payment card number is stored, processed, or transmitted. This is commonly referred to as "being in scope". The software used to process the transaction must enforce PCI compliance. The systems used for payment card processing must be implemented in a way that enforces compliance. Finally, the communications on the network must be secured to be compliant.

Is PCI Compliance optional?

No, maintaining payment security is required for all entities that accept payment cards. Oakland University must annually attest to compliance with current PCI standards and update the attestation anytime a new solution that accepts payment cards is implemented.

Why does a card processing solution have to demonstrate and maintain compliance?

Failure to comply with PCI DSS standards can result in fines issued to the University and/or can result in revocation of the University's ability to accept payment cards for any payments.

My vendor states they are PCI Compliant, is that sufficient?

No. While a vendor may indicate their product is compliant, they are referring to Payment Application Data Security Standard (PA-DSS) compliance. All PA-DSS applications must also be implemented in a manner that satisfies PCI-DSS standards in order to fully meet PCI compliance requirements. In essence a PA-DSS application needs to be implemented per all PCI requirements in order for both the application and the University to be PCI-DSS compliant.

When I'm selecting a solution that accepts, stores, processes, or transmits cardholder data, what do I put in the Request for Proposal or look for in the software agreement?

Please contact UTS ( uts@oakland.edu ) to request assistance with RFP language or purchase review if payment card processing is involved with a selected solution or system.

Suggested Contract Language includes:

  • If the Service Provider is located on site (i.e., restaurant, store, etc.), the Service Provider must supply their own Merchant ID, their own Internet Service Provider, their own network equipment, and their own card readers, and they must maintain all of these components in compliance with their PCI standard.
  • The Service Providers PCI DSS Requirement 12.8 requires merchants to maintain and implement policies and procedures to manage Service Providers if cardholder data are shared. Requirement 12.8.2 states further “maintain a written agreement that includes an acknowledgement that the Service Providers are responsible for the security of cardholder data the Service Providers possess."
  • Vendor acknowledges and agrees that it is responsible for the security of all Oakland University customer cardholder data in its possession. Vendor represents and warrants that for the life of the contract and/or while Vendor has involvement with Oakland University customer cardholder data, the software and services used for processing transactions shall be compliant with standards established by the Payment Card Industry Security Standards Council. Vendor shall, upon written request, furnish proof of compliance with the Payment Card Industry Data Security Standard (PCI DSS) within 10 business days of the request.
  • Vendor agrees to provide to Oakland University a current and complete copy of their Attestation of Compliance (AOC). Further, Vendor agrees to provide to Oakland University a proof of a recent (no more than 3 months old) passing quarterly external vulnerability scan as submitted by an Approved Scanning Vendor (ASV). Oakland University reserves the right to require that the submitted AOC be signed by a qualified security assessor or firm, as listed on the Payment Card Industry Security Standards Council's website. The actual requirements must be coordinated among UTS, the Controller or designee, and Risk Management.
  • Vendor will inform Oakland University within 24 hours if it has knowledge of, or can reasonably expect that, a security breach has occurred. Vendor agrees to indemnify and hold Oakland University, its officers, employees, and agents, harmless for, from, and against any and all claims, causes of action, suits, judgments, assessments, costs (including reasonable attorneys' fees), and expenses arising out of or relating to any loss of Oakland University customer credit card or identity information managed, retained, or maintained by Vendor, including but not limited to fraudulent or unapproved use of such credit card or identify information.
  • Vendor agrees that notwithstanding anything to the contrary in the Agreement or the Addendum, Oakland University may terminate the Agreement immediately without penalty upon notice to the Vendor in the event Vendor fails to maintain compliance with the PCI DSS or fails to maintain confidentiality or integrity of any cardholder data.

Sample Contract Language:

PCI DSS Requirement 12.8 requires merchants to maintain and implement policies and procedures to manage Service Providers if cardholder data is shared. Requirement 12.8.2 states further “maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.”

Vendor acknowledges and agrees that it is responsible for the security of all {INSTITUTION NAME} customer cardholder data in its possession. Vendor represents and warrants that for the life of the contract and/or while Vendor has involvement with {INSTITUTION NAME} customer cardholder data, the software and services used for processing transactions shall be compliant with standards established by the Payment Card Industry Security Standards Council (https://www.pcisecuritystandards.org/). Vendor shall, upon written request, furnish proof of compliance with the Payment Card Industry Data Security Standard (PCI DSS) within 10 business days of the request.

Vendor agrees to provide to {INSTITUTION NAME} a current and complete copy of their Attestation of Compliance (AOC). Further, Vendor agrees to provide to {INSTITUTION NAME} a proof of a recent (no more than 3 months old) passing quarterly external vulnerability scan as submitted by an Approved Scanning Vendor (ASV). {INSTITUTION NAME} reserves the right to require that the submitted AOC be signed by a qualified security assessor or firm, as listed on the Payment Card Industry Security Standards Council's website.

Vendor will inform {INSTITUTION NAME} within 24 hours if it has knowledge of, or can reasonably expect that, a security breach has occurred. Vendor agrees to indemnify and hold {INSTITUTION NAME}, its officers, employees, and agents, harmless for, from, and against any and all claims, causes of action, suits, judgments, assessments, costs (including reasonable attorneys' fees), and expenses arising out of or relating to any loss of {INSTITUTION NAME} customer credit card or identity information managed, retained, or maintained by Vendor, including but not limited to fraudulent or unapproved use of such credit card or identify information.

Vendor agrees that notwithstanding anything to the contrary in the Agreement or the Addendum, {INSTITUTION NAME} may terminate the Agreement immediately without penalty upon notice to the Vendor in the event Vendor fails to maintain compliance with the PCI DSS or fails to maintain confidentiality or integrity of any cardholder data.

(NOTE that the following section is required if the Vendor is placing payment equipment on campus to operate with their own merchant ID)

<Vendor> confirms no requirements associated with PCI have been communicated to / or are required from OU. <Vendor> assumes all responsibility associated with their devices operating in compliance with current PCI standards and ensuring all PCI responsibilities are met, including but not limited to, periodically checking payment card devices located within the vendor-owned equipment located on OU's campus as well as inspecting for any possible tampering or substitution of equipment.

October 2018