PCI COMPLIANCE FAQ
What is the Payment Card Industry Security Standards Council?
The Payment Card Industry Security Standards Council (PCI SSC) was formed by the major payment card brands in 2006 to manage the ongoing development of the Payment Card Industry Data Security Standard.
What is the Payment Card Industry Data Security Standard (PCI DSS)?
The Payment Card Industry Data Security Standard (PCI DSS) is the global standard created by the Payment Card Industry Security Standards Council so that organizations can accept payment cards in a manner that secures transactions and reduces fraud.
What is a payment card?
A payment card is part of a system that enables the cardholder to make a payment by electronic funds transfer. The most common payment cards are credit cards and debit cards.
What is PCI Compliance?
PCI Compliance is the process of demonstrating and maintaining conformance to the PCI DSS.
When does PCI Compliance Apply?
As a general rule, PCI standards apply whenever a payment card transaction is involved. More specifically, PCI Compliance is required whenever a payment card number is stored, processed, or transmitted. This is commonly referred to as "being in scope". The software used to process the transaction, the systems on which that software runs, and the network communications that carry cardholder data must all be implemented and operated in a manner that meets the standard.
Is PCI Compliance optional?
No, maintaining payment security is required for all entities that accept payment cards. Oakland University must annually attest to compliance with current PCI standards and update the attestation anytime a new solution that accepts payment cards is implemented.
Why does a card processing solution have to demonstrate and maintain compliance?
Failure to comply with the PCI DSS can result in fines issued to the University and/or revocation of the University's ability to accept payment cards for any payments.
My vendor states they are PCI Compliant, is that sufficient?
No. While a vendor may indicate their product is compliant, they are often referring only to Payment Application Data Security Standard (PA-DSS) validation of the application itself. A PA-DSS validated application must still be implemented and operated in a manner that satisfies the PCI DSS; only then are both the application and the University's use of it PCI DSS compliant.
Every service provider involved in the payment card process, including websites that redirect to a third party processor, must provide annual proof of their compliance with the PCI DSS. Additionally, merchants retain the responsibility to ensure that the implementation of any third party solution complies with both the PCI DSS and OU policies.
When I'm selecting a solution that accepts, stores, processes, or transmits cardholder data, what do I put in the Request for Proposal or look for in the software agreement?
Approval from both Student Business Services (SBS) and University Technology Services (UTS) is required prior to issuing an RFP for, or purchasing, any solution or system where payment card processing is involved. Failure to receive appropriate pre-approval may result in a non PCI compliant solution and penalties to the University. Use of payment card processing through a non compliant solution is subject to immediate termination by either UTS or SBS.
Please contact UTS ([email protected]) to request assistance with RFP language or purchase review if payment card processing is involved with a selected solution or system. UTS will include SBS on all subsequent communications related to the request.
For the most efficient service, please proactively obtain sufficient information to address the following items, which need to be addressed in a contract:
- If the Service Provider is located on site (i.e., restaurant, store, etc.), the Service Provider must supply their own Merchant ID, their own Internet Service Provider, their own network equipment, and their own card readers, and they must maintain all of these components in compliance with the PCI DSS.
- PCI DSS Requirement 12.8.3, which requires an established process, including due diligence, that occurs before any new payment-related solution is rolled out. A robust review should not only include processes to obtain assertions from the service provider that it meets compliance requirements, but also a thorough understanding of which payment channels the new product will handle (e.g. in-person, online only, via telephone, etc.), both now and in any future plans, and a review of the third party service provider's (TPSP's) current PCI compliance status.
- PCI DSS Requirement 12.8.5, which requires the University to maintain information about which PCI DSS requirements the Vendor is responsible for, which requirements Oakland University is responsible for, and which requirements are a shared responsibility. Work with the vendor to complete a matrix of responsibility for each applicable requirement; even if the vendor will not participate, the University is still responsible for performing the analysis and documenting the applicable requirements.
- Include a data flow diagram from the vendor that depicts the flow of Cardholder Data (CHD) and all systems and parties involved with the transaction. If payment card information is being entered into online websites, identify the additional third party service providers involved and whether they are PCI compliant (i.e. able to provide a current, valid AOC, and an updated one annually). As discussed above, even third parties that do not literally process, store, or transmit CHD can still be a PCI Service Provider if they can affect the security of the process.
- Vendor acknowledges and agrees that it is responsible for the security of all Oakland University customer cardholder data in its possession. Vendor represents and warrants that for the life of the contract and/or while Vendor has involvement with Oakland University customer cardholder data, the software and services used for processing transactions shall be compliant with standards established by the Payment Card Industry Security Standards Council. Vendor shall, upon written request, furnish proof of compliance with the Payment Card Industry Data Security Standard (PCI DSS) within 10 business days of the request.
- Vendor agrees to provide to Oakland University a current and complete copy of their Attestation of Compliance (AOC). Further, Vendor agrees to provide to Oakland University a proof of a recent (no more than 3 months old) passing quarterly external vulnerability scan as submitted by an Approved Scanning Vendor (ASV). Oakland University reserves the right to require that the submitted AOC be signed by a qualified security assessor or firm, as listed on the Payment Card Industry Security Standards Council's website. The actual requirements must be coordinated among UTS, the Controller or designee, and Risk Management.
- Vendor will inform Oakland University within 24 hours if it has knowledge of, or can reasonably expect that, a security breach has occurred. Vendor agrees to indemnify and hold Oakland University, its officers, employees, and agents, harmless for, from, and against any and all claims, causes of action, suits, judgments, assessments, costs (including reasonable attorneys' fees), and expenses arising out of or relating to any loss of Oakland University customer credit card or identity information managed, retained, or maintained by Vendor, including but not limited to fraudulent or unapproved use of such credit card or identity information.
- Vendor agrees that notwithstanding anything to the contrary in the Agreement or the Addendum, Oakland University may terminate the Agreement immediately without penalty upon notice to the Vendor in the event Vendor fails to maintain compliance with the PCI DSS or fails to maintain confidentiality or integrity of any cardholder data.
Service Providers that are eligible to self-assess must provide the AOC from an SAQ D for Service Providers. Vendors that are classified as a PCI Level 1 Service Provider must provide an AOC from an Onsite Assessment (also known as a Report on Compliance or ROC). In either case the AOC must be current and complete, and it must be obtained annually; the Merchant is responsible for requesting an updated AOC from all involved service providers each year.
Sample Contract Language:
PCI DSS Requirement 12.8 requires merchants to maintain and implement policies and procedures to manage Service Providers if cardholder data is shared. Requirement 12.8.2 states further “maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.”
{VENDOR NAME} acknowledges and agrees that it is responsible for the security of all {INSTITUTION NAME} customer cardholder data in its possession. {VENDOR NAME} represents and warrants that for the life of the contract and/or while {VENDOR NAME} has involvement with {INSTITUTION NAME} customer cardholder data, the software and services used for processing transactions shall be compliant with standards established by the Payment Card Industry Security Standards Council (https://www.pcisecuritystandards.org/). {VENDOR NAME} shall, upon written request, furnish proof of compliance with the Payment Card Industry Data Security Standard (PCI DSS) within 10 business days of the request.
{VENDOR NAME} agrees that it is responsible for the security of cardholder data that it possesses, including the functions relating to storing, processing, and transmitting of the cardholder data or to the extent {VENDOR NAME} can affect the security of the {INSTITUTION NAME} cardholder data environment.
{VENDOR NAME} represents and warrants that for the life of the contract and/or while Vendor has involvement with {INSTITUTION NAME} customer cardholder data, the software, services, and any Third Party provider that {VENDOR NAME} subcontracts with used in processing transactions shall be compliant with standards established by the Payment Card Industry Security Standards Council (https://www.pcisecuritystandards.org/).
{VENDOR NAME} agrees to provide to {INSTITUTION NAME} a current and complete copy of their Attestation of Compliance (AOC). If applicable {VENDOR NAME} further agrees to provide to {INSTITUTION NAME} a proof of a recent (no more than 3 months old) passing quarterly external vulnerability scan as submitted by an Approved Scanning Vendor (ASV). {INSTITUTION NAME} reserves the right to require that the submitted AOC be signed by a qualified security assessor or firm, as listed on the Payment Card Industry Security Standards Council's website.
{VENDOR NAME} will inform {INSTITUTION NAME} within 24 hours if it has knowledge of, or can reasonably expect that, a security breach has occurred. {VENDOR NAME} agrees to indemnify and hold {INSTITUTION NAME}, its officers, employees, and agents, harmless for, from, and against any and all claims, causes of action, suits, judgments, assessments, costs (including reasonable attorneys' fees), and expenses arising out of or relating to any loss of {INSTITUTION NAME} customer credit card or identity information managed, retained, or maintained by {VENDOR NAME}, including but not limited to fraudulent or unapproved use of such credit card or identity information.
{VENDOR NAME} agrees that notwithstanding anything to the contrary in the Agreement or the Addendum, {INSTITUTION NAME} may terminate the Agreement immediately without penalty upon notice to {VENDOR NAME} in the event {VENDOR NAME} fails to maintain compliance with the PCI DSS or fails to maintain confidentiality or integrity of any cardholder data.
(NOTE that the following section is required if the Vendor is placing payment equipment on campus to operate with their own merchant ID)
{VENDOR NAME} confirms that no requirements associated with PCI have been communicated to, or are required from, OU. {VENDOR NAME} assumes all responsibility for operating its devices in compliance with current PCI standards and for ensuring that all PCI responsibilities are met, including but not limited to periodically checking the payment card devices located within the vendor-owned equipment on OU's campus and inspecting for any possible tampering or substitution of equipment.
September 2020