PCI Services
Last Updated: Sep 26, 2024, 02:50 PM
Training
PCI training is set up upon request. Contact mayberry@siu.edu.
Forms
- Employee Background Check
- Credit Card Acceptance Acknowledgement Form
- New Account Request Form
- Payment Application Checklist
- Guidelines for Dept. Operating Procedures
Security Sites
FAQs
What is PCI DSS?
PCI DSS is the result of a collaboration between major credit card associations to establish a single data security standard designed to protect sensitive cardholder information. Any entity that stores, processes or transmits cardholder data (including credit and debit cards) must comply with PCI DSS requirements.
What are PCI DSS requirements?
PCI DSS requirements are defined by the Payment Card Industry Security Standards Council (PCI SSC). Within the standard there are 12 basic requirements and over 180 specific tasks. Visit the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml or request a copy by emailing etroue@siu.edu.
Who has to comply with PCI DSS?
Any entity that stores, processes or transmits cardholder data (including credit and debit cards) must comply with PCI DSS requirements.
What can happen if I am not in compliance with PCI DSS?
- Non-compliance can result in fines and remedial efforts that could easily exceed $1 million. Costs include fines, forensic exams, cardholder notifications, setup of a call center, credit monitoring and more costly compliance requirements. Such costs would be the responsibility of the merchant.
- Risk exposing customers (students, faculty/staff and general public) to fraud and identity theft
- Breach of cardholder information can result in negative publicity and damage to SIU's reputation
- Non-compliance can result in the loss of credit card and debit card acceptance privileges
Who do I contact if I believe credit card information may have been compromised?
You may contact the Bursar's Office; if you are a department, please also refer to SIUC's Personal Information Protection Act Policy.
Who has to attend annual credit card security training?
Annual training is required for personnel involved in credit card processing in one of the following categories:
- Has access to cardholder data
- Fiscal officer of account in which credit card payments are credited and/or their delegate.
- Handles credit card payments as part of their regular job duties. Personnel who handle credit card payments on a one-time or temporary basis are recommended to attend training, but not required. Personnel whose only contact with credit card information is to swipe cards through a credit card acceptance device, e.g., a POS terminal, are not required to attend training.
What credit card information can I store?
When required for business purposes, the following information may be stored:
- Primary Account Number (PAN)
- Cardholder Name*
- Service Code*
- Expiration Date*
*Any of these elements being stored in conjunction with the primary account number must be protected in accordance with PCI DSS requirements
The following information may never be stored subsequent to authorization:
- Full Magnetic Stripe
- Card Validation Code (CVC2/CVV2)
- PIN/PIN Block
Note: If storage of cardholder information is necessary, whether in electronic or hard copy form, contact your PCI DSS Campus Committee Representative to discuss acceptable storage methods.
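As an added, illustrative example (not part of this SIU page or its forms), the following Python shows the kind of pre-storage check that enforces the rules above: it rejects records that carry data which may never be stored after authorization (CVV2/CVC2, full magnetic stripe track data, PIN/PIN block), truncates the PAN to a first-six/last-four form where the full number is not needed, and scrubs the same data from log lines before they are written. The field names, the track-1/track-2 patterns, the first-six/last-four mask and the sample records are assumptions constructed for illustration; the card numbers are the well-known test numbers. Where the full PAN must be retained for business purposes, truncation is not an option and PCI DSS Requirement 3 requires rendering it unreadable (strong cryptography, tokenization or keyed hashing), which is exactly the case to raise with your Campus Committee Representative.

```python
"""Pre-storage and pre-logging checks for cardholder records.

Added example, not SIU's code. Field names, regexes and the masking
format are assumptions for illustration; adjust to your own schema and
to the masking limits in the PCI DSS version you are assessed against.
"""
import re

# Assumed field names that would indicate sensitive authentication data.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "track1", "track2",
                    "magstripe", "pin", "pin_block"}

# Track 1 (%B<PAN>^<NAME>^<expiry/service/discretionary>?) and
# track 2 (;<PAN>=<expiry/service/discretionary>?) as encoded on the stripe.
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^?]{2,26}\^[^?]*\?")
TRACK2_RE = re.compile(r";\d{12,19}=[^?]*\?")
# Candidate PANs: 13-19 digit runs not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


class SensitiveDataError(ValueError):
    """Raised when a record contains data that may never be stored."""


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; filters out most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits kept (assumed masking format)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def contains_sad(text: str) -> bool:
    """True if the text carries full magnetic stripe track data."""
    return bool(TRACK1_RE.search(text) or TRACK2_RE.search(text))


def prepare_for_storage(record: dict) -> dict:
    """Reject records carrying SAD; return a copy with the PAN truncated."""
    present = FORBIDDEN_FIELDS & {k.lower() for k in record}
    if present:
        raise SensitiveDataError(
            f"sensitive authentication data present: {sorted(present)}")
    for key, value in record.items():
        if isinstance(value, str) and contains_sad(value):
            raise SensitiveDataError(f"track data found in field {key!r}")
    out = dict(record)
    if "pan" in out:
        pan = re.sub(r"\D", "", out["pan"])  # strip spaces/dashes
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("PAN fails length or Luhn check")
        out["pan"] = mask_pan(pan)
    return out


def scrub_log_line(line: str) -> str:
    """Remove track data and mask Luhn-valid PANs before a line is logged."""
    line = TRACK1_RE.sub("[TRACK1 REMOVED]", line)
    line = TRACK2_RE.sub("[TRACK2 REMOVED]", line)
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(0),
        line)


if __name__ == "__main__":
    # Constructed sample record and log line using a test card number.
    print(prepare_for_storage({"pan": "4111 1111 1111 1111",
                               "name": "DOE/JOHN", "exp": "2512"}))
    print(scrub_log_line("auth pan=4111111111111111 "
                         "track=;4111111111111111=25121011234567890? amount=12.50"))
```

The Luhn filter keeps the log scrubber from masking order numbers and timestamps that happen to be 13 to 19 digits long, while the track patterns catch stripe data that a terminal or middleware might have dumped into a log verbatim; run the scrubber at the logging handler, not after the fact, since a log that once held track data is itself in scope.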
How do I get approval to begin accepting credit card payments or to begin using a new credit card processing method?(e.g. on a website, through a cashiering system, etc.)
I have a question not answered on this website, who should I contact?
Definitions of Frequently Used Terms
- Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is the result of collaboration between the four major credit card brands to develop a single approach to safeguarding sensitive data. PCI DSS defines a series of best practices for handling, transmitting, and storing sensitive data.
- Cardholder Data: Includes cardholder name, full account number (PAN), expiration date, service code, full magnetic stripe, PIN/PIN block and card validation code (the three- or four-digit value printed on the front or back of a payment card, e.g. CVV2 or CVC2).
- Sensitive Cardholder Data: Includes the card validation code (CVV2/CVC2), full magnetic stripe and PIN/PIN block. PCI DSS itself calls this category Sensitive Authentication Data (SAD); it may never be stored after authorization.
- Merchant: Any person or department accepting money for goods or services. Includes conference registrations, memberships, fees, etc.
- Credit Card: Any payment card, including debit cards, which is issued by one of the major credit card associations (e.g. Visa, MasterCard, Discover)
- PCI DSS Campus Committee Representatives: The Bursar and designated Information Technology representative at each respective campus location. For purposes of this document, the term Bursar includes the Comptroller at the School of Medicine.
- Payment Application Data Security Standard (PA-DSS): Program managed by the Payment Card Industry Security Standards Council (PCI SSC), originally developed by Visa and known as the Payment Application Best Practices (PABP). PA-DSS is a set of standards designed to assist software vendors in developing secure payment applications that comply with PCI DSS requirements. The list of validated payment applications is published on the PCI SSC website, https://www.pcisecuritystandards.org/. Note that the PCI SSC retired PA-DSS at the end of October 2022 in favor of the PCI Software Security Framework (SSF), so new payment software is now validated under SSF rather than PA-DSS.