What You Need to Know to Meet July PCI DSS Compliance Deadlines

While convenience and efficiency are essential to our payment processes, the importance of secure payment processing cannot be overstated. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

All UCSF departments that have merchant capabilities to accept payments in any form are required to have documentation that meets PCI DSS guidelines no later than July 1, 2024, to maintain their merchant eligibility status.

UCSF’s PCI DSS processes are under continuous scrutiny. The current cycle of PCI DSS compliance testing has found that many merchants’ payment process documentation is not formalized (written), not current, or not complete, and therefore does not meet the compliance requirements. The requirements for achieving and maintaining PCI DSS compliance were recently communicated to all UCSF merchants and were shared throughout 2023 in our Merchant Services trainings. This article aims to help you understand these requirements.

What Your Department Needs to Meet PCI DSS Guidelines:

  1. Payment Process Documentation: Payment process documentation is required to be on hand and reviewed for updates at least annually for PCI DSS compliance. This documentation should contain step-by-step procedures covering the entire payment acceptance process. Be sure to include an effective date and a reviewed date in your document and keep it readily available in a known location for all payment staff.
  2. Regularly Scheduled Process Training: All staff, including temporary support staff, must complete training prior to accepting payments and be re-trained annually utilizing the current process documentation in addition to required annual PCI security training.
  3. Payment Terminal Maintenance & Inspections: Payment terminal maintenance and inspection process documentation should be in place in each department, specific to the equipment in use. The documentation should include step-by-step inspection procedures so that staff understand the minimum monthly reboot process for security updates, can confirm that no skimmers or overlays have been applied to the terminal(s), and can verify that the terminal(s) are the original equipment (have not been replaced with a fraudulent terminal) and show no other signs of tampering. Terminals should be inspected daily at a minimum, and more frequently for public-facing terminals that are not attended full-time.
  4. Incident Response Plan: Staff are required to know and understand the current steps for responding to evidence of a terminal being tampered with or stolen, or to any suspected fraudulent activity. Incident response process documentation should be readily available to staff for quick reference. This includes reporting the issue to IT Security, Merchant Services, and UCSF Police as necessary along with disabling the terminal or discontinuing use.
  5. Employee and Activity Logs: Each department must maintain current logs of all equipment and staff that are authorized to accept, process, or obtain reporting on payments. Logs should include terminal model and serial numbers along with the address where each terminal resides. Staff names, hire and termination dates, and training dates must also be logged, including those for temporary staff. Terminal inspections must be logged with the date, time, staff name, and notes on the terminal’s condition. For mobile or wireless terminals that staff carry to customer locations or that roaming staff use, the log must also record each user and the time of checkout and return.

Steps to Achieve PCI DSS Compliance:

  1. Assess Your Environment: Conduct a thorough assessment of your payment processing systems and payment steps. Include pictures and step-by-step instructions with as much detail as possible in your documentation.
  2. Regular Maintenance and Training: Frequent inspection and maintenance of terminals, process document updates, and training of staff will ensure a smooth PCI DSS testing process.
  3. Maintain Compliance: PCI DSS compliance is an ongoing process that requires dedication and vigilance. Regularly review and update your PCI DSS procedure documents and logs so that they reflect the staff, activities, and systems currently in use in your department.

PCI DSS compliance is not just a checkbox exercise; it's a legal obligation and a critical component of responsible day-to-day business practices. By prioritizing the security of cardholder data, UCSF departments not only protect themselves from financial and reputational harm but also uphold the trust and confidence of their customers.

Merchant Services is here to support departments in meeting the upcoming deadline. If you have questions, please email [email protected].