UC IRVINE ADMINISTRATIVE POLICIES AND PROCEDURES
Business and Financial Affairs
Sec. 700-40: Policy on Credit and Debit Card Acceptance and Security
Responsible Administrator: Assistant Vice Chancellor, Accounting and Fiscal Services
Issued: November 2015
References / Resources
- State of California
- UC Policy
- UCI Administrative Policies and Procedures
Contact: Campus Credit Card Coordinator at (949) 824-6918
A. Purpose and Scope
The University is obligated to comply with various laws, regulations, guidelines, and policies, such as BFB BUS-49 and BFB IS-3, to safeguard sensitive financial information, including the credit and debit card data of its customers.
This policy applies to all UCI merchants.
- Payment card: a credit or debit card.
- Payment Card Industry Data Security Standard (PCI DSS) is the set of security requirements developed by the PCI Security Standards Council (PCI SSC) to protect cardholder data.
- UCI merchants are:
- UCI units that accept payment cards in any format (card-present, mail order/telephone order, or eCommerce);
- third party payment card service providers that UCI units engage to conduct university business; and
- other entities/organizations representing UCI that collect payment cards for various activities.
- UCI units are UCI schools, departments and units, including the UCI Medical Center.
The sale of goods and services must be consistent with the University's mission and the normal activities of the UCI unit. To minimize the risk of a security weak point or breach, UCI merchants must meet the controls, documentation requirements and testing methodologies of the PCI DSS to:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy.
In addition, UCI must adhere to California breach notification laws, University policy, contractual obligations to the University's banks and financial institutions, and other State and federal laws.
- All Payment Card Activity Requires Approval
UCI merchant payment card activity must be approved by the Assistant Vice Chancellor, Accounting and Fiscal Services (AVC A&FS), prior to initiating or engaging in any payment card activity, whether the University owns the payment card account or a vendor accepts payment cards on behalf of the University.
- Storage of Electronic Payment Card Data
UCI merchants must:
- Display only truncated payment card numbers on customers' receipts.
- Encrypt cardholder data at the swipe. Such encryption and security protocols must be UCI approved.
- Not store electronic payment card data, such as the Primary Account Number (PAN), on computers, servers, laptops, flash drives or other storage media.
- Not transmit payment card data by email or by inter-campus mail.
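The two storage controls above that a merchant can actually verify (a PAN is truncated before it reaches a receipt, and no full PAN sits in a log, file or email body) are shown below as an added example written for this page; it is not code from UCI or from the policy. The function names, the receipt format and the sample log lines are constructed, and the card numbers are published test numbers, not real accounts. The scanner goes slightly beyond the policy text by applying a Luhn check so that ordinary long numbers (order references, timestamps) are not reported as PANs.

```python
"""Added example (not part of the UCI policy).

mask_pan()           truncates a PAN for display on a receipt, keeping at
                     most the first six and last four digits, which is the
                     maximum PCI DSS allows in the clear.
find_unmasked_pans() scans text (a log file, a receipt template, an email
                     body) for 13-19 digit runs that pass the Luhn checksum,
                     i.e. likely full PANs that must not be stored or sent.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not
# adjacent to other digits. Already-masked values (411111******1111)
# never contain such a run and are therefore not reported.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Return a truncated PAN suitable for a customer receipt.

    Raises ValueError on input that is not a plausible PAN, so a caller
    cannot accidentally "mask" arbitrary text, and refuses to expose more
    than PCI DSS permits (first six / last four).
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS allows at most first 6 / last 4 in the clear")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return candidate full PANs found in text (digits only, separators
    removed). Only Luhn-valid runs are returned, which filters most
    non-card numbers of similar length."""
    hits = []
    for m in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample: one correctly truncated receipt line, one debug line
# that leaked a full PAN, and one line with a PAN plus a non-card reference.
SAMPLE_LOG = (
    "2015-11-05 10:12:03 checkout ok card=411111******1111 amount=42.00\n"
    "2015-11-05 10:12:09 DEBUG raw request: pan=4111 1111 1111 1111 exp=1219\n"
    "2015-11-05 10:12:11 order=5105105105105100 ref=1234567890123\n"
)

if __name__ == "__main__":
    print("receipt:", mask_pan("4111 1111 1111 1111"))
    for pan in find_unmasked_pans(SAMPLE_LOG):
        print("unmasked PAN found:", mask_pan(pan))  # never print the full PAN
```

Running it on the constructed log reports the two full PANs (the leaked debug line and the order line) and ignores both the truncated receipt value and the 13-digit reference number, which fails Luhn. In a real deployment the scanner output itself is cardholder data, so report only the masked form, as the `__main__` block does.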
- Requirements for Third Party Service Providers
UCI units will, whenever possible, use vendors vetted by the Office of the Chief Investment Officer (OCIO) to ensure security, PCI DSS compliance, and efficient use of University resources.
If not using an OCIO-vetted vendor, UCI units must ensure that third party service providers, and their payment software, gateways, equipment, and outsourced payment services, are PCI DSS compliant. The appropriate data security language must be included in all contracts with third party service providers involving payment card acceptance. Third party payment solutions must be approved by the AVC A&FS.
UCI has contractual obligations with its merchant processor and depository bank. When contracting with third party vendors that use their own merchant processor and depository bank a written Variance approved by the AVC A&FS may be required before implementation.
- Wireless and Mobile Payment Applications
UCI merchants must not use wireless or mobile payment card applications.
- Network Connected Payment Card Devices
All in-person payment card transactions that are transmitted over a network connection must be encrypted at the swipe using a PCI SSC-approved encryption solution, such as a P2PE (Point-to-Point Encryption) device or equivalent.
- Costs for Payment Card Acceptance
Payment card processing costs are not optional for UCI. UCI merchants engaging in this activity are responsible for, but not limited to, the following fees:
- PCI DSS compliance validation services, if applicable;
- bank processing charges;
- equipment fees, if applicable;
- software applications and licenses, if applicable; and
- any other related costs associated with this function.
D. Responsibilities and Authority
- Assistant Vice Chancellor, Accounting and Fiscal Services
The AVC A&FS is responsible for the business aspects of the UCI PCI compliance program and is authorized to approve requests from UCI merchants (via the UCI Campus Credit Card Coordinator) to establish a merchant account and accept cards as a form of payment.
Only the AVC A&FS can approve exceptions to this policy.
- Campus Credit Card Coordinator
The Manager of Cashiering and Payment Card Services is the UCI Campus Credit Card Coordinator (CCCC) and is responsible for facilitating the business aspects of the UCI PCI compliance program and coordinating the review, obtaining approvals, and providing guidance in the setup of payment card programs and their use.
- Chief Information Officer and Associate Vice Chancellor, Information Technology
The Chief Information Officer (CIO) is responsible for oversight of the technical aspects of the UCI PCI compliance program and setting security and technical specifications for UCI merchant payment card systems.
The CIO coordinates with AVC A&FS to ensure UCI merchants maintain PCI DSS compliance.
- Information Security Officer or designee
The Information Security Officer or designee is responsible for facilitating the technical aspects of the UCI PCI compliance program, including reviewing:
- security and technical specifications for campus payment card systems;
- third party service provider contracts with Purchasing & Risk Services for appropriate data security wording; and
- UCI unit network architecture for compliance with technical standards and assisting with on-going compliance efforts.
- PCI Compliance Team
The PCI Compliance Team includes representatives from Accounting & Fiscal Services, OIT and UCI Health Affairs IT Security, and Internal Audit, and is responsible for:
- enforcing compliance with the PCI DSS by the campus and UCI Medical Center employees;
- communicating with management and the University's Qualified Security Assessor (QSA) on all PCI data security matters;
- evaluating payment card systems for data security requirements;
- assisting UCI merchants to establish and maintain a safe environment for payment card processing, both physically and electronically;
- developing data security and payment card policies and procedures; and
- establishing and maintaining an on-going security awareness education program for the campus and UCI Medical Center.
- University Employees and UCI Merchants
All UCI merchants' employees with responsibility for payment card processing in any capacity must complete security awareness education training prior to commencement of such duties and annually.
Background checks and fingerprinting are mandatory for all employees who process payments, deposits, and card-related transactions and data, in accordance with BFB BUS-49, Policy for Cash and Cash Equivalents Received.
E. Re-approval Requirement
Changes to Previously Approved Payment Card Processing Systems and Methods
If any change occurs in the payment card processing environment, systems or methods, the UCI merchant must contact the CCCC to determine whether re-review and re-approval is required.
F. Non-Compliance with PCI DSS Requirements
Failure to comply with the PCI DSS can result in:
- Large fines and fees assessed by each card brand
- Civil fees and audit costs
- A loss of reputation and payment card privileges for the University
- Mandatory notification of all affected customers
- Additional costly, on-going PCI DSS reporting requirements.
The UCI unit is liable for all costs associated with a data breach. In addition, employees may be subject to disciplinary action or termination (in accordance with Human Resources policies and procedures) if they fail to adhere to the University’s policies and procedures for payment card acceptance or for the mishandling of cardholder data and/or payment card fraud.
G. Reporting an Incident
In the event of a security breach involving personal information or cardholder data, follow the Incident Response Process in Sec. 800-17: UCI Implementation Guidelines for Notification in Instances of Security Breaches Involving Personal Information Data.