Payment Card Industry-Data Security Standards

The Payment Card Industry Data Security Standard (PCI DSS) is a set of controls governed by the PCI Security Standards Council. The council publishes security frameworks that define the measures against which the security and proper handling of credit/debit card and eligible prepaid card information are evaluated. The framework guides merchants (the entities accepting these payment forms) in implementing the security controls and best practices that fit their business processes. The council organizes its framework into 6 goals and 12 supporting PCI DSS requirements, shown in the table below.

(Figure: PCI-DSS Requirements Table)

For any merchant, these 12 requirements become the pillars of compliance. It is important to understand that compliance is a continuous process; to depict this process, the council defines three core steps to follow: Assess, Remediate, and Report. Please refer to the PCI Security Standards Document Library to get familiar with the efforts of the PCI Council and its recommendations for continued compliance.

How does PCI DSS compliance affect our departments?

PCI DSS compliance takes effect when a merchant starts to accept credit/debit cards or eligible prepaid cards as a form of payment for services or goods provided. Because compliance is the responsibility of each merchant (UTRGV HOP 10-701 C.1.e), it is important that we begin by understanding and evaluating the cardholder data environment (CDE). The CDE is what will be assessed for compliance; it comprises the people, processes (business and technical), and technology used to transmit, store, and process payment data. These components determine the security of cardholder data, define the PCI scope, and in turn dictate the set of requirements, or Self-Assessment Questionnaire (SAQ), that the merchant must meet to demonstrate compliance.

For software assessment requests, our various teams will ask that you contact the vendor and obtain a set of recommended documents to assist in our evaluation and any further inquiries. Third-party service providers and vendors of software applications must recognize the importance of PCI compliance and provide evidence of their own PCI compliance.

The following document, Guide to Safe Payments, from the PCI council provides more details of its efforts and recommendations for small merchants to implement. Doing our part in compliance is a joint effort; our team members can be contacted at PCIcompliance@utrgv.edu for further information or clarification on any questions arising from taking payments via credit/debit cards.