Developed by the PCI Standards Security Council (PCI-SSC), the Payment Card Industry Data Security Standard (PCI-DSS) is a set of comprehensive best practice requirements for credit card account data security designed to counteract identity theft and credit card fraud.
There are a number of different ways to accept credit card payments, such as online, in-person, or over the phone. Each of these methods has its own requirements. By accepting credit card payments, the University of Central Florida (UCF), and each of its merchant locations, is obligated to adhere to these requirements in order to be PCI compliant.
To prove our PCI compliance efforts, each UCF merchant location must fill out an annual Self-Assessment Questionnaire (SAQ) for each method of credit card acceptance. Once all merchant locations have completed their SAQ(s), UCF submits a combined SAQ as proof of compliance to their acquirer (bank). PCI non-compliance can result in costly fines, additional fees, and potentially no longer be able to accept credit cards.
QUICK links
PCI DSS Goals and Requirements
What are the requirements of the PCI DSS?
- PCI DSS has 6 goals, which is broken down into 12 main requirements. Each requirement has a number of sub-requirements.
Click the tabs to learn about the PCI goals and requirements.
Build and Maintain a Secure Network and Systems
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel.
Build and Maintain a Secure Network and Systems
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel.
Frequently Asked Questions
In 2006, the five major card brands – Visa, Mastercard, Discover, Amex, and JCB, created the Payment Card Industry Security Standards Council (PCI SSC) to align their individual security card programs and create the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is one of several standards that the PCI SSC has established that focuses on the ecosystem of payment devices, applications, infrastructure, and users. The PCI DSS focuses on the merchants and service providers responsibilities.
The PCI DSS has 6 goals which break down into 12 requirements, each having numerous sub-requirements. In order to accept credit cards, merchants needs to follow each of these requirements. The requirements are a mix of technical, administrative, and logical controls that are designed to protect cardholder data.
As the payment landscape evolves and new technology is developed and implemented, the PCI DSS evolves with it to ensure that customer data is protected to the fullest extent possible.
The latest version of the PCI DSS is version 3.2.1. For more information about PCI, please visit the PCI SSC website, https://www.pcisecuritystandards.org.
PCI defines Merchants and Service Providers as follows:
Merchant: Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
Service Providers: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.
If you store, process, transmit, or can impact cardholder data security, you must comply with the PCI DSS. Your responsibilities can vary depending on if your merchant area is considered the “merchant of record” or if you are using a third party service provider. In order to determine what needs to be protected as part of the cardholder data environment, a PCI Scoping exercise must be performed prior to performing an assessment.
PCI Scope defines what parts of your environment must be protected by the PCI DSS controls. The larger the scope, the greater the difficulty and cost there is to maintain compliance. At a high level, scoping involves the identification of people, processes, and technologies that interact with or could otherwise impact the security of cardholder data.
Performing a Scoping exercise on your environment is the first step during a PCI assessment. Knowing what is in-scope and what is out of scope, including switches, routers, firewalls, telephony equipment, workstations, POS machines, stand-alone terminals, etc., is critical to understanding what PCI requirements apply to your environment.
The PCI-SSC has published guidelines on how to scope your network.
Self Assessment Questionnaires (SAQs) contain questions which are a subset of the requirements of the full PCI-DSS. The subsets are based on method of payment that an area uses.
Merchants and Service Providers fill out their SAQs to validate their compliance to the PCI DSS. SAQs have different questions based on the method of payment being utilized.
| SAQ Type (PCI DSS v3.2.1) | Description of Environment | # of Questions |
|---|---|---|
| A | Fully out-sourced e-commerce solution. | 22 |
| A-EP | Partially out-sourced e-commerce solution. | 191 |
| B | Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data storage | 41 |
| B-IP | Merchants with standalone IP (Internet) connected payment terminals: No e-commerce or electronic cardholder data storage. | 82 |
| C-VT | Merchants with web-based virtual payment terminals: No e-commerce or electronic cardholder data storage | 79 |
| C | Merchants with payment application systems connected to the Internet: No e-commerce or electronic cardholder data storage | 160 |
| D | SAQ eligible service providers | 329 |
| P2PE | Hardware payment terminals in a validated PCI P2PE solution only: No e-commerce or electronic cardholder data storage | 33 |
| UCF Credit Card Merchant Policy | University level policy that governs credit and debit card transactions across campus. |
| UCF Merchant Services Website | Merchant Services website hosted by the UCF Finance & Accounting department. Interested in accepting credit cards? This is the first place to visit. |
| UCF Merchant Manual | High-level Merchant procedures that apply across the university. |
| Annual UCF PCI training | Each person involved in handling credit cards is required to go through annual training. Sign up for FSC111 by following the directions here. |
| UCF Merchants Microsoft Teams | Additional resources can be found in our Microsoft Teams Channel. Request access here. |
| Bluefin P2PE Terminal Cleaning Guide | Guideline for cleaning Bluefin payment terminals. |