PCI FAQ

Main Content

campus

1. What is PCI DSS?

PCI DSS is the result of a collaboration of the major credit card associations to establish a single data security standard designed to protect sensitive cardholder information. Any entity that stores, processes or transmits cardholder data (including credit and debit cards) must comply with PCI DSS requirements.

2. What are PCI DSS requirements?

PCI DSS requirements are defined by the Payment Card Industry Security Standards Council (PCI SSC). Within the standards there are 12 basic requirements and over 180 specific tasks. Visit the PSCI SSC website at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml or request a copy by emailing etroue@siu.edu.

3. Who has to comply with PCI DSS?

Any entity that stores, processes or transmits cardholder data (including credit and debit cards) must comply with PCI DSS requirements.

4. What can happen if I am not in compliance with PCI DSS?

  • Non-compliance can result in fines and remedial efforts that could easily exceed $1 million. Costs include fines, forensic exams, cardholder notifications, setup of a call center, credit monitoring and more costly compliance requirements. Such costs would be the responsibility of the merchant.
  • Risk exposing customers (students, faculty/staff and general public) to fraud and identity theft
  • Breach of cardholder information can result in negative publicity and damage to SIU’s reputation
  • Non-compliance can result in the loss of credit card and debit card acceptance privileges

5. Who do I contact if I believe credit card information may have been compromised?

You may contact the Bursar̢۪s Office or if you are a department, please refer SIUC's Personal Information Protection Act Policy

6. Who has to attend annual credit card security training?

Annual training is required for personnel involved in credit card processing in one of the following categories:

  • Has access to cardholder data
  • Fiscal officer of account in which credit card payments are credited and/or their delegate.
  • Handles credit card payments as part of their regular job duties. Personnel who handle credit card payments on a one time or temporary basis are recommended to attend training, but not required. Personnel whose only contact with credit card information is to swipe cards through a credit card acceptance device, e.g., POS terminal, are not required to attend training.

7. What credit card information can I store?

When required for business purposes, the following information may be stored:

  • Primary Account Number (PAN)
  • Cardholder Name*
  • Service Code*
  • Expiration Date*

*Any of these elements being stored in conjunction with the primary account number must be protected in accordance with PCI DSS requirements

The following information may never be stored subsequent to authorization:

  • Full Magnetic Stripe
  • Card Validation Code (CVC2/CVV2)
  • PIN/PIN Block

Note: If storage of cardholder information is necessary, whether in electronic or hard copy form, contact your PCI DSS Campus Committee Representative to discuss acceptable storage methods.

8. How do I get approval to begin accepting credit card payments or to begin using a new credit card processing method?(e.g. on a website, through a cashiering system, etc.)

See Credit Card Acceptance Process Approval Forms

9. I have a question not answered on this website, who should I contact?

See Contact Information