- UC Business and Finance Bulletin BUS-49 Policy for Cash and Cash Equivalents Received;
- Payment Card Industry Data Security Standard (PCI DSS);
- UCLA Policy 404, Protection of Electronically Stored Personal Information;
- UCOP, IR&C Guidelines: Protecting University Data Through Agreements or Contracts with Third-Party Vendors.
The purpose of this policy is to ensure that the appropriate minimum security standards for processing credit and debit card information at UCLA are identified and adhered to, and that prior approval is secured before credit and debit card (hereinafter payment card) transactions can be executed.
This policy applies to all employees who process payment card information, including students, full-time, part-time and temporary employees, and the workforce of the UCLA Health System; and to all third parties who process payment card information and whose conduct in the performance of their work for UCLA is under the control of UCLA or the Regents of the University of California.
For the purposes of this Policy, the following terms shall apply:
Attestation of Compliance (AOC) means a signed self-certification by which a unit or department attests that it has adhered to the Payment Card Industry Data Security Standard.
Cardholder Data means the primary payment card account number, the cardholder name, the expiration date and the service code as defined in the Payment Card Industry Data Security Standard.
Payment Coordinator is the Director of Student Financial Services in Corporate Financial Services.
Self-Assessment Questionnaire (SAQ) means a validation tool that assists a unit or department in evaluating itself to verify that it adheres to the Payment Card Industry Data Security Standard.
The proper collection and security of personal information gathered in the course of University business is of paramount importance. The University is obligated by policy and law to protect such information (see UCLA Policy 404 for more information).
Any credit or debit card cardholder information collected, stored, or transmitted as part of a card transaction is further regulated under the Payment Card Industry (PCI) Data Security Standard (DSS). Compliance with this standard is mandatory for all University units accepting credit/debit cards for payment. Failure to comply can result in significant fines and loss of the ability to process such transactions. University units processing card transactions must understand the data security rules applicable to their processing environment. The Credit Card/Internet Payment Gateway Coordinator assists with that training as part of authorizing the unit to process cards.
No UCLA employee or third party payment processor engaged by UCLA may process or accept payments by payment card without prior approval of the campus Credit Card/Internet Payment Gateway Coordinator (hereinafter Payment Coordinator) which will be dependent upon meeting the following requirements:
- Completing the appropriate Self-Assessment Questionnaire (SAQ).
- Completing the appropriate Attestation of Compliance (AOC).
- Payment Coordinator approval of the SAQ and AOC.
- Completing annual training of all personnel with access to Cardholder Data. This includes, but is not limited to, programmers, front line cashiers, back office personnel, and anyone with access to Cardholder Data.
- For areas requiring SAQ C, C-VT or D, completing annual audits by UCLA Internal Audit and Advisory Services in order to retain PCI certification.
- If an area has a valid business need to use a third party processor which is not currently UC approved, obtaining a variance to policy from the Payment Coordinator. In addition, the third party processor must be listed as compliant on the PCI or VISA website or provide quarterly compliance updates, after approval by the Payment Coordinator.
A. Roles and Responsibilities
Unit or Department Head
Unit or Department Heads may delegate authority for administering the PCI DSS for their areas of responsibility, but are ultimately responsible for compliance with this Policy.
Unit and Department Heads must ensure that affected staff and third party vendors are thoroughly trained, that related IT support systems are tested and verified, and that corrective action is taken on a timely basis to bring into compliance any processes found to be deficient.
Any fines or costs that are assessed related to non-compliance will be borne by the affected unit or department.
Payment Coordinator
The Payment Coordinator has sole authority for approving or denying requests to accept payment for goods or services via payment cards. She or he may rescind the authority to accept payment card transactions from a unit or department found to be non-compliant.
The Payment Coordinator is the final authority for determination of the appropriate SAQ and AOC for completion by the unit. This may be done after consultation with the Director, IT Security.
Employees and Third Party Vendors
Employees and third party vendors must comply with all requirements of the PCI standard, specifically following established campus and departmental policy, annual training, and completion of the required SAQ and AOC, as appropriate.
IT Support Staff
IT support staff must also adhere to the PCI requirements, which include compliance with established campus and departmental policy, annual training, completion of the required SAQ and AOC, as appropriate.
B. Consequences of Non-Compliance
Failure to comply with PCI DSS requirements carries severe consequences including:
- the loss of the ability to process payment card transactions;
- litigation, insurance claims, regulatory notification requirements, potential financial liabilities (regulatory and other fees and fines);
- reputational damage and loss of customers.
Any fines and/or penalties associated with non-compliance with the PCI DSS and/or confirmed security breaches are defined by each of the payment card brands. For more specific information, contact the individual payment card brand or consult the Payment Coordinator.
A lapse in compliance that results in a security breach of Cardholder Data or other covered personal information must be reported to the Director, IT Security immediately. See UCLA Policy 420 for more information.