Acceptance of Credit Cards and PCI Compliance
Payment Card Industry Data Security Standards
Departments who accept credit card payments, in person or online, must comply with the Payment Card Industry Data Security Standards (PCI DSS). The PCI DSS is a set of requirements intended to ensure that all merchants that process, store, transmit, or are involved in the security of credit card information, maintain a cardholder data secure environment. These guidelines assist to mitigate many of the risks of a breach and potential costs and fines associated with a data breach or fraudulent transactions.
Prior to accepting credit/debit card transactions, UND departments must submit a request
to accept credit card
transactions which will be reviewed by the UND PCI Committee. The UND PCI committee
approval must be
obtained in advance of signing an agreement with a vendor or purchasing a product/software
system with the
functionality to store, process, and/or transmit cardholder data or are involved in
the security of the cardholder
data. PCI DSS language is required to be included in the contract with the vendor.
Please review the UND Credit Card Policy for additional information.
Request UND PCI Committee Approval
Form Option A: Complete this form when requesting a new software connection to Nelnet that will accept credit card payments.
Checklist before beginning this form:
- Department has obtained approval from UND Business Charges Committee for this fee
- Department has obtained from the Vendor an Attestation of Compliance (AOC) that has been signed within the last year
- Department has worked with UND Procurement to include approved UND PCI DSS language in the signed contract with the vendor
- Department has verified that the third party is an approved Third Party Service Provider
Form Option B: Complete this form when a vendor the department has contracted with that will be accepting credit card payments has a presence on UND's campus or website, but the revenue from the transactions is not remitted to UND.
Checklist before beginning this form:
- Department has obtained from the Vendor an Attestation of Compliance (AOC) that has been signed within the last year
- Department has worked with UND Procurement to include approved UND PCI DSS language in the signed contract with the vendor
- Department has verified that the third party is an approved Third Party Service Provider
Request an additional Credit Card Machine
Departments who would like to purchase an additional credit card machine must work with UND Treasury. Treasury will help coordinate with the bank and Chase and guide the department through the process. The University is required to obtain all credit card machines through the Bank of North Dakota/Chase.
To request a credit card machine, discuss available options, and review pricing provided by the bank/Chase, please email UND.treasury@UND.edu.
Request a New Merchant ID (MID) Number
Departments who would like to request a new Merchant ID (MID) number must work with UND Treasury. Treasury will coordinate with the bank and Chase and assist the department throughout the process. UND.treasury@UND.edu
Before requesting a new Merchant ID (MID) number, please complete the following items:
- Department has obtained approval from the UND Business Charges Committee for the proposed revenue
- Department has worked with UND Procurement and Payment Services to ensure UND PCI language is included in the contract (if a third party service provided is involved)
Ongoing Requirements
The following requirements apply to any departments who accept credit card payments in person or online.
Daily: The department adheres to ongoing compliance with all UND PCI DSS requirements.
October/November:
- The department Merchant ID contact receives a request from UND Treasury to provide a complete list of all employees who work with the acceptance of credit cards in any way. These employees will then receive an annual training requirement.
- Annual training requirements issued to employees who work with the acceptance of credit card transactions.
December:
- The department Merchant ID contact receives a calendar invite and instructions for any scheduled group Self Assessment Questionnaire (SAQ) completion sessions.
January:
- Annual Self Assessment Questionnaire (SAQ) completion sessions occur.
- Departments are required to complete and finalize annual Self Assessment Questionnaire (SAQ)
February/March:
- UND Treasury and UND PCI Committee finalize the overall University compliance and submit compliance to the bank.
PCI DSS requires annual credit card training for all employees working with credit card transactions. PCI DSS requires new employees to be trained prior to working with the acceptance of credit card transactions.
When new employees start, department heads or managers are required to submit employee information (name, EMPLID, UND email address) to UND Treasury for enrollment in the online training module.
Once per year, typically in the fall, the department Merchant ID contact will receive a request from UND Treasury to submit a list of employees who work with the acceptance of credit card transactions. These employees will then be enrolled in the online training module to complete the annual training requirement.
Once enrolled, the employee will receive an email from Vector Solutions with information for accessing the training module.
Departments that have employees that are delinquent in completing the annual training will be considered as non-compliant and will risk the revocation of authorization for the acceptance of credit card transactions.
PCI DSS requires that departments have a documented risk assessment on file for timing of physical device inspections and documented evidence of these device inspections.
The preferred method to show documented evidence is by completing the device inspection checklist.
If a department chooses a different method for documenting device inspections, please work with UND Treasury to properly document and have documented device inspections available for internal/external review.
MID contacts must ensure department compliance with device inspections and must communicate any changes to risk assessment to UND Treasury to update the documented risk assessment.
Departments are required to complete a PCI DSS Self-Assessment Questionnaire (SAQ) on an annual basis, at the time any changes are made to the method of processing, and/or as requested by UND Treasury or UND PCI DSS Compliance Committee.
Failure to provide valid, compliant documents may result in the revocation of the authorization to accept credit/debit card transactions.
Once per year, typically in the fall, the department Merchant ID contact will receive specific directions from UND Treasury on the deadline for completion of the annual SAQ.
FAQs
A cardholder data environment (CDE) is a computer system or networked group of IT systems that processes, stores and/or transmits cardholder data or sensitive payment authentication data. A CDE also includes any component/equipment that directly connects to or supports this network.
Although the PCI DSS requirements are developed and maintained by an industry standards body called the PCI Security Standards Council (SSC), the standards are enforced by the five payment card brands: Visa, MasterCard, American Express, JCB International and Discover.
- technical and operational system components
- equipment included in or connected to cardholder data
Cardholder data is defined as any sensitive data associated with the credit card account. This includes:
- Primary account number
- Cardholder names,
- Expiration date
- Service code (three-digit or four-digit value)
Merchants ignoring the adoption of PCI DSS do so at their own risk:
- Non-PCI DSS compliant merchants and payment processors can face fines from $5,000
to $500,000, depending on a variety of
factors. - Credit card companies may also revoke the right of a merchant to process credit card transactions.
- Reputational damage, lost business and reduced consumer confidence and trust are just some of the after-effects of a data breach.
In the credit card industry, data breaches occur when hackers obtain credit card information that could be used to commit fraud or identity theft. PCI DSS compliance provides protection for both merchants and cardholders.