logo.png UTS.png

PCI COMPLIANCE FAQ


What is the Payment Card Industry Security Standards Council ?

What is the Payment Card Industry Data Security Standard (PCI DSS)?

What is a payment card?

  • A payment card is part of a system that enables the cardholder to make a payment by electronic funds transfer. The most common payment cards are credit cards and debit cards.

What is PCI Compliance?

  • PCI Compliance is the process of demonstrating alignment and conformance to PCI DSS standards.

When does PCI Compliance Apply?

  • As a general rule PCI tandards apply whenever a payment card transaction is involved. More specifically, PCI Compliance is required whenever a payment card number is stored, processed, or transmitted. This is commonly referred to as "being in scope".

Is PCI Compliance optional?

  • No, maintaining payment security is required for all entities that accept payment cards. Oakland University must annually attest to compliance with current PCI standards and update the attestation anytime a new solution that accepts payment cards is implemented.

Why does a card processing solution have to demonstrate and maintain compliance?

  • Failure to comply with PCI DSS standards can result in fines issued to the University and/or can result in revokation of the University's ability to accept payment cards for any payments.

My vendor states they are PCI Compliant, is that sufficient?

  • No. While a vendor may indicate their product is compliant, they are referring to Payment Application Data Security Standard (PA-DSS) compliance. All PA-DSS applications must also be implemented in a manner that satisfies PCI-DSS standards in order to fully meet PCI compliance requirements. In essence a PA-DSS application needs to be implemented per all PCI requirements in order for both the application and the University to be PCI-DSS compliant.

When I'm selecting a solution that accepts, stores, processes, or transmits cardholder data, what do I put in the Request for Proposal or look for in the software agreement?

  • Suggested Contract Language for Service Providers PCI DSS Requirement 12.8 requires merchants to maintain and implement policies and procedures to manage Service Providers if cardholder data is shared. Requirement 12.8.2 states further “maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
  • Vendor acknowledges and agrees that it is responsible for the security of all {INSTITUTION NAME} customer cardholder data in its possession. Vendor represents and warrants that for the life of the contract and/or while Vendor has involvement with{INSTITUTION NAME} customer cardholder data, the software and services used for processing transactions shall be compliant with standards established by the Payment Card Industry Security Standards Council (https://www.pcisecuritystandards.org/).Vendor shall, upon written request, furnish proof of compliance with the Payment Card Industry Data Security Standard (PCI DSS) within 10 business days of the request.

  • Vendor agrees to provide to {INSTITUTION NAME} a current and complete copy of their Attestation of Compliance (AOC). Further, Vendor agrees to provide to {INSTITUTION NAME} a proof of a recent (no more than 3 months old) passing quarterlyexternal vulnerability scan as submitted by an Approved Scanning Vendor (ASV). {INSTITUTION NAME} reserves the right to require that the submitted AOC be signed by a qualified security assessor or firm, as listed on the Payment Card Industry Security Standards Council's website.
  • Vendor will inform {INSTITUTION NAME} within 24 hours if it has knowledge of, or can reasonably expect that, a security breach has occurred. Vendor agrees to indemnify and hold {INSTITUTION NAME}, its officers, employees, and agents, harmless for, from, and against any and all claims, causes of action, suits, judgments, assessments, costs (including reasonable attorneys' fees), and expenses arising out of or relating to any loss of {INSTITUTION NAME} customer credit card or identity information managed, retained, or maintained by Vendor, including but not limited to fraudulent or unapproved use of such credit card or identify information.
  • Vendor agrees that notwithstanding anything to the contrary in the Agreement or the Addendum, {INSTITUTION NAME} may terminate the Agreement immediately without penalty upon notice to the Vendor in the event Vendor fails to maintain compliance with the PCI DSS or fails to maintain confidentiality or integrity of any cardholder data.