Departments accepting credit cards must be in compliance with the Payment Card Industry Data Security Standards (PCI).
PCI compliance is mandatory for all units accepting credit cards (merchants). Periodically, merchants are required to ensure they have adequate network security related to credit card processing and are responsibly protecting personal credit card information at all times. All compliance certifications are facilitated through Ambiron Trust Wave (ATW), which is under contract with UC for PCI certification support at all UC campuses. Merchants authorized to accept credit card payments are pre-registered at ATW. An annual $59 ATW charge is passed on to the department.
- Terminal-based merchants: These are merchants that do not store credit card data in any form (paper or electronic). They operate via dial-up terminals or Internet-secured processing through the payment gateway (Authorize.net). Terminals, computers, and other hardware resources must be physically isolated and accessible only to authorized personnel. To be certified by ATW, the department must successfully complete a self-assessment PCI questionnaire at ATW's Web site. ATW contacts each merchant to provide guidelines to access the questionnaire.
- Full scan merchants: Stricter and more costly requirements apply to merchants operating an internal database or system (Web application, mail system, point of sale, file server, etc.) that collects, stores and transmits credit card data, and to merchants operating outside of UCSD's computer networks. These merchants are required to complete a self-assessment PCI questionnaire, and ATW conducts periodic external electronic scanning of their systems.
See current PCI security requirements (PCI DSS, version 1.1) (PDF).