A. Purpose and Scope

The University is obligated to comply with various laws, regulations, guidelines, and policies such as BFB BUS-49 and BFB IS-3, to safeguard sensitive financial information, including credit and debit card data of its customers.

This policy applies to all credit card processing at UCI including UCI Merchants, Service Providers, and Third Party Merchants.

B. Definitions

1. Attestation of Compliance (AOC): A form for merchants and Service Providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).
2. Campus Credit Card Coordinator (CCCC): The UCI Credit Card / Internet Payment Gateway Coordinator per BUS-49 and IDA602.
3. Cardholder Data: The full primary account number (PAN) or the PAN plus any of the following: cardholder name, expiration date and/or service code.
4. Merchant ID: An account number from a merchant bank that allows an entity to accept Payment Cards.
5. Near Field Communication (NFC): A short-range wireless technology that allows smartphones and other tools to communicate with payment devices to perform cardholder transactions.
6. Payment Card: a credit card, debit card, or device used for making payments.
7. Payment Card Activity: Processes and functions related to credit and debit card transactions.
8. Payment Card Industry Data Security Standard (PCI DSS): Compliance requirement developed by the PCI Security Standards Council (PCI SSC) to protect cardholders' information.
9. PCI Compliance Program: Coordinated by the PCI Committee, the PCI Compliance Program is established to oversee and ensure all campus Payment Card Activity is secure and compliant with PCI DSS.
10. Qualified Security Assessor (QSA): An individual who has been certified by the PCI SSC to audit merchants for PCI DSS compliance.
11. Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of Cardholder Data on behalf of UCI using a UCI Merchant ID. This also includes companies that provide services that control or could impact the security of Cardholder Data.
12. Third Party Merchant: Other entities/organizations not using a UCI Merchant ID representing UCI that collect Payment Cards payments for various activities.
13. UCI Merchant: Any UCI Unit that accepts Payment Cards as payment for goods and/or services. Payment can be made in any format (card-present, mail order/telephone order, or eCommerce).
14. UCI Unit: UCI school, department and unit, including the UCI Medical Center.
15. Validated P2PE: A solution delivered by a third-party Service Provider, that is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe, dip, or NFC) until the data reaches the solution provider’s secure decryption environment.

C. Policy

The sale of goods and services must be consistent with the University’s mission and the normal activities of the UCI Unit. To minimize the risk of a security weak point or breach UCI Merchants must meet the controls, documentation requirements and testing methodologies of the PCI DSS to:

• Build and maintain a secure network;
• Protect Cardholder Data;
• Maintain a vulnerability management program;
• Implement strong access control measures;
• Regularly monitor and test networks; and
• Maintain an information security policy.

In addition, UCI must adhere to California breach notification laws, University policy, contractual obligations to the University's banks and financial institutions, and other State and federal laws.

1. All Payment Card Activity Requires Approval

   UCI Merchant Payment Card Activity must be approved by the Campus Credit Card Coordinator and the PCI Committee, when applicable, prior to initiating or engaging in any Payment Card Activity, both when the University owns the Merchant ID and when using a Third Party Merchant to accept Payment Cards on behalf of the University.

2. Requirements for UCI Merchants
   1. UCI Merchants are responsible for ensuring that all Payment Card Activity conducted in their units is fully compliant with PCI DSS and UCI policy at all times. This includes the requirement to:
      • Stay current as to changes in the PCI DSS requirements;
      • Keep all applicable Service Provider and Third Party Merchant contracts and documentation current. This includes formally documenting roles and responsibilities with Service Providers;
      • Request and document Service Provider AOC’s and Third Party Merchant AOC’s annually;
      • Conduct an annual review and update all documentation required for PCI compliance and Payment Card processing. This includes all Payment Card policies and procedures used in the unit and any documentation that may be required from other UCI Units;
      • Ensure that all employees handling Payment Card information complete annual PCI security awareness training;
      • Complete an annual SAQ and resulting AOC; and
      • Adhere to all Accounting & Fiscal Services policies and guidelines in the use of accounts and in the recording and reconciliation of payment card income and expense.
   2. UCI Merchants must handle Cardholder Data securely, including:
      • Display only truncated Payment Card numbers on customers' receipts;
      • Not store Cardholder Data electronically (for example, on computers, servers, laptops, tablets, flash drives or storage media);
      • Not transmit Cardholder Data by email, instant messaging, SMS, chat, etc. or by inter-campus mail; and
      • Physically secure (and destroy when no longer needed for business or legal reasons) all paper records containing Cardholder Data. The card verification code must never be stored after authorization.
3. Requirements for Third Party Service Providers

   UCI Units will, whenever possible, use Service Providers approved by Office of the Chief Investment Officer (OCIO) to ensure security, PCI DSS compliance, and efficient use of University resources.

   If not using an OCIO approved Service Provider, UCI Units must ensure Service Providers, and their payment software, gateways, equipment, and outsourced payment services, are PCI DSS compliant, adhere to UCI PCI and security requirements, and the appropriate data security language must be included by Procurement Services in all contracts with third party Service Providers involving Payment Card acceptance. UCI Units must obtain the appropriate documentation from their Service Providers including:

   • A description of services provided;
   • Annual Service Provider AOC;
   • Roles and responsibilities for UCI Merchants and Service Provider; and
   • Appendix DS included in all contracts.

   Service Provider solutions must be approved by the PCI Committee.

4. Requirements for Third Party Merchants

   UCI has contractual obligations with its merchant processor ID and acquiring bank. When contracting with a Third Party Merchant that uses their own Merchant ID and a depository bank, a written approval from the PCI Committee, and the AVC A&FS when applicable, is required before implementation.

   When Third Party Merchants use network or computer connected devices for payment processing (including USB, Bluetooth, NFC, Ethernet, wireless and cellular), UCI Units must obtain the appropriate documentation from their Third Party Merchants including:

   • Evidence that they use a use a Validated P2PE terminal or device, as appropriate;
   • Appendix DS in all contracts; and
   • A copy of the appropriate merchant level AOC.
5. Wireless and Mobile Payment Applications

   UCI Merchants must only use wireless and mobile Payment Card applications that have been reviewed by the UCI PCI Committee and approved by the AVC of A&FS. Any exception to this may require an assessment by the UC’s QSA at the merchants expense and must be approved by the AVC of A&FS.

6. Payment Card Devices

   UCI Merchants must use approved and validated devices for all Payment Card transaction processing. Devices using standalone analog dial-out are approved for use. All network or computer connected devices (including USB, Bluetooth, NFC, Ethernet, wireless and cellular) must use a Validated P2PE terminal or device.

   Any exception to this requires an assessment by the UC’s QSA at the merchant's expense and must be approved by the AVC of A&FS.

7. Costs for Payment Card Acceptance

   UCI Merchants that accept Payment Cards are responsible for, but not limited to, the following costs and fees (if applicable):

   • PCI DSS compliance;
   • bank processing charges;
   • third-party Service Provider fees;
   • equipment fees;
   • software applications and licenses; and
   • any other-related costs associated with this function.

D. Responsibilities and Authority

1. Assistant Vice Chancellor, Accounting and Fiscal Services

   The AVC A&FS is responsible for the business aspects of the UCI PCI Compliance Program.

   Only the AVC A&FS can approve exceptions to this policy.

   The AVC A&FS coordinates with the Chief Information Officer (CIO) to ensure UCI Merchants maintain PCI DSS compliance.

2. Campus Credit Card Coordinator

   The UCI Campus Credit Card Coordinator (CCCC) (appointed by the AVC A&FS) is responsible for facilitating the business aspects of the UCI PCI Compliance Program and coordinating the review, obtaining approvals, and providing guidance in the setup of Payment Card programs and their use.

3. Chief Information Officer and Associate Vice Chancellor, Information Technology

   The Chief Information Officer (CIO) is responsible for oversight of the technical aspects of the UCI PCI Compliance Program and setting security and technical specifications for UCI Merchant Payment Card systems.

   The CIO coordinates with AVC A&FS to ensure UCI Merchants maintain PCI DSS compliance.

4. Chief Information Security Officer

   The CISO is responsible for appointing a Security PCI Program Manager who is responsible for facilitating the technical aspects of the UCI PCI Compliance Program, including reviewing:

   • security and technical specifications for campus Payment Card systems;
   • third party Service Provider contracts with Procurement Services for appropriate data security wording; and
   • UCI Unit network architecture for compliance with technical standards and assisting with on-going compliance efforts.
5. PCI Committee

   The PCI Committee coordinates the campus PCI Compliance Program and serves in an advisory role to the AVC A&FS and CIO.

   The PCI Committee must include representatives from Accounting & Fiscal Services, OIT Security and UCI Health Affairs IT Security, and UCI Merchants.

   The PCI Committee advises on the PCI Compliance Program which includes:

   • ensuring PCI DSS compliance is maintained and validated by UCI Merchants;
   • communicating with management and the University’s Quality Security Assessor on all PCI compliance matters;
   • evaluating Payment Card systems for data security requirements;
   • assisting UCI Merchants to establish and maintain a safe environment for Payment Card processing, both physically and electronically;
   • developing data security and Payment Card policies and procedures; and
   • implementing an on-going security awareness education program for the campus and UCI Medical Center.

   Internal Audit serves on the team in an advisory role as needed.

6. University Employees and UCI Merchants

   All UCI Merchants' employees who process cardholder transactions or handle Cardholder Data in any capacity must complete PCI DSS security awareness education training prior to commencement of such duties and annually.

   Background checks and fingerprinting are mandatory for all employees who process payments, deposits, and Payment Card-related transactions and data, in accordance with BFB BUS-49: Policy for Cash and Cash Equivalents Received.

E. Re-approval Requirement

Changes to Previously Approved Payment Card Processing Systems and Methods

If any change occurs in Payment Card processing environment, systems or methods, the UCI Merchant must contact the CCCC to determine whether re-review and re-approval is required.

F. Non-Compliance with PCI DSS Requirements

Failure to comply with the PCI DSS can result in:

• Large fines and fees assessed by each card brand;
• Civil fees and audit costs;
• A loss of reputation and Payment Card privileges for the University;
• Notifications to all customers affected; and
• Additional costly, on-going PCI DSS reporting requirements.

With the approval of the AVC A&FS, Merchant ID’s may be suspended for non-compliance with PCI DSS or campus PCI policies.

The UCI Unit is liable for all costs associated with a data breach. In addition, employees may be subject to disciplinary action or termination (in accordance with Human Resources policies and procedures) if they do not adhere to the University’s policies and procedures for Payment Card acceptance, or they mishandle Cardholder Data and/or commit Payment Card fraud.

G. Reporting an Incident

In the event of a security breach involving personal information or Cardholder Data, follow the Incident Response Process in Sec. 800-17: UCI Implementation Guidelines for Notification in Instances of Security Breaches Involving Personal Information Data.