What is PCI?

  • The Payment Card Industry Data Security Standard (PCI DSS) is a global standard, maintained by the PCI Security Standards Council, that defines the security requirements organizations must meet to accept credit cards in a manner that helps prevent fraud and protects cardholder data.

What is PCI Compliance?

  • PCI compliance is the process of demonstrating alignment and conformance with the PCI DSS requirements. More information on PCI standards is available from the PCI Security Standards Council's website https://www.pcisecuritystandards.org/

When does PCI Compliance Apply?

  • As a general rule, PCI standards apply whenever a credit card is involved. Specifically, compliance is required whenever a credit card number (cardholder data) is stored, processed, or transmitted. The systems that do so, together with any systems connected to them or able to affect their security, are referred to as "being in scope".

Is compliance optional?

  • No. Maintaining payment security is required for all entities that accept credit cards. Oakland University must annually attest to compliance with the current PCI standards and must update the attestation any time a new solution that accepts credit cards is introduced.

Why does a card processing solution have to demonstrate and maintain compliance?

  • Failure to comply with PCI standards can result in fines being assessed against the University, or in the University's ability to accept credit card payments being revoked.

My vendor states they are PCI compliant, is that sufficient?

  • No. A vendor may indicate that their product is compliant; for payment software this has historically meant Payment Application Data Security Standard (PA-DSS) validation (PA-DSS has since been retired in favor of the PCI Software Security Framework). A validated application still must be implemented and operated in a manner that satisfies the PCI DSS requirements in order to meet compliance requirements: the University, not the vendor, remains responsible for the way the product is deployed, configured, and connected. Ask the vendor for its current Attestation of Compliance (AOC) and for a clear statement of which PCI DSS requirements the vendor covers and which remain the University's responsibility.

When I'm selecting a solution that accepts, stores, processes, or transmits cardholder data, what do I put in the Request for Proposal or look for in the software agreement?

  • The awarded Vendor is required to provide their own payment card processing and network connection, and to accept the University's PCI Compliance contract language. The Vendor must also supply all of their own network connectivity, from ISP to port level, to test equipment if needed.
  • Compliance with the Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/) is required for Service Provider solutions that involve payment card processing. The awarded Vendor is required to periodically demonstrate compliance with the Payment Card Industry Data Security Standard ("PCI DSS"), and will achieve and maintain PCI DSS compliance against the current version of PCI DSS published on the PCI Security Standards Council ("PCI SSC") website.
  • The Vendor will create and maintain reasonably detailed, complete, and accurate documentation describing the systems, processes, network segments, security controls, and data flow used to receive, transmit, store, and secure cardholder data (CHD). Such documentation will conform to the most current version of PCI DSS. Refer to Exhibit C.