PCI COMPLIANCE FAQ

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard created to help organizations accept credit cards in a manner that helps prevent fraud. PCI compliance is the process of demonstrating alignment and conformance to PCI DSS.

More information on PCI is available from the PCI Security Standards Council's website at https://www.pcisecuritystandards.org/

When does PCI Compliance Apply?

PCI compliance is required anytime a credit card number is stored, processed, or transmitted. In essence, you can assume PCI standards will apply any time a credit card is involved.

Why does a card processing solution have to demonstrate and maintain compliance?

Maintaining payment security is required for all entities that accept credit cards. Oakland University must annually attest to compliance with current PCI standards and update the attestation anytime a new solution that accepts credit cards is introduced. Failure to comply with PCI standards can result in fines and/or the inability for the University to accept credit card payments.

My vendor states they are PCI compliant, is that sufficient?

No. A vendor may indicate that their product is compliant; this is referred to as Payment Application Data Security Standard (PA-DSS) compliance. All PA-DSS applications must also be implemented in a manner that satisfies PCI DSS standards.

When I'm selecting a solution that accepts, stores, processes, or transmits cardholder data, what do I put in the Request for Proposal or look for in the software agreement?

The awarded Vendor is required to provide their own payment card processing and network connection, and to accept the University's PCI Compliance contract language. The Vendor must also supply all of their own network connectivity, from ISP to port level, to test equipment, if needed.

Compliance with Payment Card Industry Data Security Standards (https://www.pcisecuritystandards.org/) is required for Service Provider solutions that involve payment card processing. The awarded Vendor is required to periodically demonstrate compliance with the Payment Card Industry Data Security Standard ("PCI DSS"), and will achieve and maintain PCI DSS compliance against the current version of PCI DSS published on the PCI Security Standards Council ("PCI SSC") website.

The Vendor will create and maintain reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls, and dataflow used to receive, transmit, store and secure their cardholder data (CHD). Such documentation will conform to the most current version of PCI DSS. Refer to Exhibit C.