Payment Card Industry Data Security Standard (PCI DSS)

Credit card fraud and identity theft are major concerns of the Credit Card Industry. To prevent these occurrences the Credit Card Industry has instituted Payment Card Industry Data Security Standard (PCI DSS) as security measures to safeguard sensitive cardholder data on credit card transactions. Compliance with PCI DSS is mandatory for all merchants and is enforced by the major card brands who established the PCI Security Standards Council.

PCI Core Standards

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test network
  • Maintain an information security policy


  • Cardholder data is defined under PCI DSS as the full magnetic strip data, Primary Account Number (PAN), cardholder name and/or expiration date
  • Physical security of credit card information is critical in protecting University assets; any document with cardholder data is required to be stored in a secured area with access on a need to know basis to authorized personnel
  • Handling of credit card transactions should be completed in a secured area and verified by a supervisor
  • Departments must, at all times, secure all hard-copy receipts in a location where unauthorized individuals can NOT gain access
  • Cardholder data should not be emailed to and from anyone and should never be sent via end-user messaging technologies
  • Cardholder data cannot be accepted by fax machines unless exception approval has been granted by the Controller’s Office
  • Cardholder data should never be photocopied or scanned
  • Mail requests to charge a customer’s card must be processed in accordance to guidelines set forth in BUS-49 section VIII F
  • A visitors log should be kept in any area where cardholder data is visible for any length of time i.e. faxed credit cards to be processed, membership form, housing leases, mail-in registration form, special order form, credit card settlement report or any document with sensitive data

Policies relating to computers with access to Point of Sale (POS) system

  • All computers accessing POS systems must have a password locked screen saver that’s set to activate within 15 minutes of inactivity
  • Password to access POS systems must be changed every 90 days or more frequently if necessary
  • New password must not be the same as previous four passwords (do not rotate passwords)
  • Password must be at least seven digits long including at least three of the following – one uppercase, one lowercase, one number and/or one special character
  • Sharing of password is prohibited
  • Cut and paste function should not be used with any cardholder data
  • Cardholder data should not be stored on any storage media i.e. computer hard drive, flash drive, CD or DVD
  • Accessing POS system on a wireless device is prohibited
  • Merchant IDs are restricted to the sole use of the assigned department/merchant only. They are not to be shared at any time with any other department. Departments not complying with this policy will forfeit their MIDs and lose the ability to take credit/debit cards as a form of payment.

Ramifications and Exceptions

In the event of a breach or other non-compliant incident, the Credit Card Industry penalties start at $100,000.00 and go up to $500,000.00; in addition to the initial penalty there is a per item penalty ranging from $15.00 to $25.00 per credit card number violation. These penalties will be bore entirely by the department of violation and that department will lose all privileges of accepting credit cards.

Therefore it is imperative that your department, in order to maintain credit card privileges, follows all policies established by both the UCSF Credit Card Coordinator and the Credit Card Industry. The UCSF Credit Card Coordinator has the ability and willingness to refuse or to close down an account where the UCSF department using that account is abusing the account or has committed a violation of either UCSF policy or the Credit Card Industry policy.

After establishing credit card privileges, except with approval from the UCSF Credit Card Coordinator, departments are NOT to add to their credit card operations any functions, services (e.g., e Check), software, or hardware that is provided by any individual or company. Doing so may result in the termination of privileges.