Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services
What is PCI-DSS? PCI-DSS is an acronym for the Payment Card Industry-Data Security Standard PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data.
About the Council The Payment Card Industry Security Standards Council, or PCI SSC – often termed simply “the Council” – is an open global forum, launched in 2006, that develops, maintains and manages the PCI Security Standards, which include the Data Security Standard (DSS), Payment Application Data Security Standard (PA- DSS), and PIN Transaction Security (PTS) Requirements. The Council’s five founding global payment brands -- American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. The Council does NOT validate or enforce any organization’s compliance with its PCI Security Standards, nor does it impose penalties for non-compliance. These areas are governed by the payment brands and their partners.
PCI-DSS Requirements
Merchant Levels LEVELMERCHANT CRITERIAVALIDATION REQUIREMENTS 1Merchants processing over 6 million Visa transactions annually Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) or Internal Auditor if signed by officer of the company o The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (“ISA”) certification Quarterly network scan by Approved Scan Vendor (“ASV”) Attestation of Compliance Form 2Merchants processing 1 million to 6 million Visa transactions annually Annual Self-Assessment Questionnaire (“SAQ”) Quarterly network scan by ASV Attestation of Compliance Form 3Merchants processing 20,000 to 1 million Visa e-commerce transactions annually Annual SAQ Quarterly network scan by ASV Attestation of Compliance Form 4Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually Annual SAQ recommended Quarterly network scan by ASV if applicable Compliance validation requirements set by merchant bank
Report on Compliance The Report on Compliance (ROC) is produced during onsite PCI DSS assessments as part of an entity’s validation process. The ROC provides details about the entity’s environment and the assessment methodology, and documents the entity’s compliance status for each PCI DSS Requirement.
UCD/UCDHS Level 2 Merchant 2,508,716 combined transactions processed 2013 $129,479, in sales processed in 2013 UCD is the 2 nd Largest in UC System –UCLA and UCSD are also Level 2 Merchants 203 Merchants must comply collectively with the PCI-DSS
PCI Merchant Types and SAQ (Self Assessment Questionnaire) 5 Different SAQ Forms; each drives to higher levels of validation complexity UCD/UCDHS have a combined 203 merchants SAQ “A” Fully Outsourced Merchant (47) SAQ “B” Dial-Out Terminal, Card Imprint Merchant (146) SAQ “C” Internet Connected Payment Application Merchant (3) SAQ “C-VT” Internet Connected Virtual Terminal Merchant (4) SAQ “D” All Others (POS Point of Sale System) (3)
PCI NON-Compliance The fines can vary based on level of non-compliance Visa/MC have the discretion to determine those fines Visa/MC have indicated that UCD could be required to pay $ per month in fines for every month of non-compliance
UCD Credit Card Breach Impact Average cost per credit card compromised is $ Significant fees, fines, and penalties Cost of Forensic Audit Litigation Regulatory notification requirements Negative image for UC Davis brand
Campus Compliance Efforts Sylvia Montgomery (University Cashier & Credit Card Coordinator) is leading our compliance efforts. Coalfire, our QSA, is working with our largest merchants on gap analysis reports. Merchants are addressing risks and preparing for the ROC. The ROC is scheduled for early October.