
Information Resources and Technology


Compliance Information for Sacramento State Payment Card Industry (PCI)

This article provides compliance information for vendors or business entities who process credit cards at Sacramento State.

Sacramento State Credit Card Acceptance Policy Number: ADM-0117

The University Chief Financial Officer and his/her designee, the University Bursar, are responsible for the process and enforcement of this policy. University auxiliaries accepting credit cards for payments are responsible for complying with the Payment Card Industry (PCI) Data Security Standard. This policy applies to any University department or auxiliary wanting to accept credit cards for goods or services provided. University departments may request authorization to accept credit cards via the Procedures hyperlink below. Auxiliary organizations of the University may establish their own procedures, so long as they remain in compliance with the PCI Data Security Standard.

What is PCI?

PCI was created to protect cardholder information, reduce fraud, and identify common security issues and vulnerabilities that could be exploited for malicious use if the risk is not managed appropriately. Businesses and merchants that process, store, or transmit transaction information must comply with its controls. PCI consolidates the security standards of American Express, Discover, MasterCard, and Visa into a single set of requirements.

Who is affected by PCI?

Any type of business that processes, stores, or transmits cardholder and transaction data must comply with PCI in order to maintain membership status. If a business fails to comply with PCI, any breach of cardholder or transaction data may result in substantial fines and in the privilege to accept credit card payments being revoked.

How to achieve PCI Compliance

In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity theft and other misuse. Visa outlined key security requirements, along with a program for validation and auditing.

In December of 2004, Visa and MasterCard joined forces to simplify compliance for merchants and payment processors with the jointly-developed, 12-point PCI standard. The scope of these requirements is quite broad, incorporating best practices for perimeter security, data privacy, and layered security. The 6 core areas and 12 requirements are listed below:

Build and maintain a secure network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program

  • Requirement 5: Use and regularly update anti-virus software or programs.
  • Requirement 6: Develop and maintain secure systems and applications.

Implement strong access control measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know.
  • Requirement 8: Assign a unique ID to each person with computer access.
  • Requirement 9: Restrict physical access to cardholder data.

Regularly monitor and test networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.

Maintain an information security policy

  • Requirement 12: Maintain a policy that addresses information security for employees and contractors.

Please see our article, PCI Assessment Follow-Up and Training, for documentation, templates, and guides.


Information Security - KB0011402 by Long Lim | Published: 2016-02-26 | Updated: 2017-10-13 10:47:13
