The Payment Card Industry (PCI) Data Security Standards (DSS) are a mandated set of security controls created by the major credit card companies (Visa, MasterCard, American Express, Discover, and JCB International). These controls provide a complete, unified approach to safeguarding cardholder data for all payment card brands. The PCI DSS applies to all payment card network members, merchants, and service providers that process, store, or transmit cardholder data, as well as to all methods of credit card processing, whether manual or computerized.
PCI DSS requirements, in conjunction with the UAB Payment Card Processing and Security Policy, apply to all UAB employees, contractors, consultants, temporaries, vendors, other third-party workers, and any unit that processes, stores, maintains, transmits, or handles payment card information in a physical or electronic format on behalf of the UAB enterprise, or in use of the UAB brand name. Hereafter, these groups shall be referred to as “PCI Entities.”
What constitutes PCI?
The PCI DSS defines the following elements as either cardholder data or sensitive data that are classified as Restricted under UAB’s Data Classification Rule:
- Primary account number (PAN)
- Cardholder name
- Expiration date
- Service Code
- PINs or PIN blocks
- Full track data (magnetic stripe data or the equivalent residing on a card’s chip)
- CAV2, CVC2, CVV2, or CID codes appearing on the back of the card
In addition to the PCI DSS requirements, UAB has established policies and standards that govern cardholder data. For example, the storage of cardholder data by any UAB entity is strictly prohibited. Also, the transmission of cardholder data via an unsecured channel, such as unencrypted email, is strictly prohibited.
Required Security Controls
The PCI DSS defines 12 information security requirements spread across six goals. These goals and requirements, which consist of recognized security best practices, are:
| Goals | PCI DSS Requirements | 
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. | 
| Protect Cardholder Data | 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. | 
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs. 6. Develop and maintain secure systems and applications. | 
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know. 8. Identify and authenticate access to system components. 9. Restrict physical access to cardholder data. | 
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. | 
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel. | 
Every goal and requirement must be met in order to attest to PCI compliance and gain approval to conduct credit card transactions. Failure to meet the standard of even one requirement can negatively impact a merchant and lead to penalties, including added fees that must be paid to conduct credit card transactions or even the revocation of a merchant’s ability to process such transactions.
SAQ
An SAQ is a classification type for each Entity, as determined according to the following guidelines:
- SAQ A
  - Card-not-present merchants; all cardholder data functions are outsourced.
- SAQ A-EP
  - E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and whose websites do not directly receive cardholder data; no electronic storage, processing, or transmission of any cardholder data.
- SAQ B
  - Imprint-only or stand-alone dial-up terminal merchants with no electronic cardholder data storage.
- SAQ B-IP
  - Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
- SAQ C-VT
  - Web-based virtual terminals, with no electronic cardholder data storage.
- SAQ C
  - Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.
- SAQ P2PE-HW
  - Hardware payment terminals included in a PCI SSC-listed, validated P2PE solution, with no electronic cardholder data storage.
- SAQ D for Merchants
  - All merchants not included in the descriptions for the above SAQ types.
- SAQ D for Service Providers
  - All service providers defined by a payment brand as eligible to complete an SAQ.
Each PCI Entity will receive a compliance certificate once they have completed and passed the following requirements:
- Completion of an annual SAQ and Attestation of Compliance (AOC), provided on-line by TrustKeeper, a certified PCI vendor. This questionnaire provides a means for assessing an Entity’s compliance with PCI standards.
- Successful completion of monthly remote network vulnerability scans of all outward-facing IP addresses on the same subnet as computers dealing with payment cards (for SAQ-C and SAQ-D Entities only), performed by Trustwave, a PCI Approved Scanning Vendor (ASV).
- Submission of the SAQ, evidence of a passing scan (where applicable), and the Attestation of Compliance, along with any other requested documentation.
Becoming an approved PCI merchant
Each UAB PCI Entity must be approved by, and registered with, the Office of the Chief Financial Officer (CFO) to receive and operate a payment card account. The UAB CFO’s office has been designated as the administrative focal point for handling the PCI Entity approval and registration process. Requests for new accounts should be made early enough to allow for sufficient time to achieve compliance.
To begin the PCI Entity evaluation process at UAB, first conduct these steps:
- Familiarize yourself with an overview of the PCI DSS and its requirements, the PCI Self-Assessment Questionnaires in TrustKeeper and UAB’s PCI DSS policy.
- Discuss your objectives with the CFO’s office and Enterprise Information Security. This will include a review of your business processes and a determination of which payment alternative will best suit your business need.
- Review the UAB PCI Entity Handbook, which provides a wealth of information regarding PCI compliance at UAB.
Detailed steps for requesting an account
Requests for new accounts should be made early enough to allow for sufficient time to achieve compliance.
- Contact the CFO’s office to request the PCI Entity Payment Card Account Request Form. Complete the form and have it reviewed and signed by the Entity Department Head and Dean/Associate Vice President. Additional instructions for completing the Account Request Form can be found on the PCI Compliance web site. Submit completed and signed form to CFO’s office for review and approval.
- The CFO’s office will submit the request form to First Data (the payment processor for Compass Bank, UAB’s acquiring bank) and Compass Bank, and notify the Entity when approval has been received. If the Entity will use a swipe terminal, an order for a terminal is included in the account request.
- When established, First Data will notify the CFO’s office of the new merchant account number, indicating the Entity can begin processing payments, and the CFO’s office will notify the Entity.
- If the new merchant is accepting payments on-line, the CFO’s office will email the Applications and Consulting Services office to assist the Entity with TouchNet setup. The CFO’s office will also visit the Entity to explain the depositing process, including accessing TouchNet, and completing and submitting deposit forms.
- If the new merchant is using a swipe terminal, the CFO’s office will notify the Entity when the terminal arrives and set up a time to deliver the terminal and explain how to operate the terminal and the depositing process.
- Meet with CFO’s office after verification that the account has been approved and set up by First Data and the bank. The purpose of the meeting is to explain the requirements of PCI compliance, the Entity’s responsibilities for PCI compliance, information concerning the online PCI training course, and gather information regarding the business process for the merchant account.
- Complete UAB’s online PCI training course, which can be accessed on the UAB Faculty & Staff Learning System web site. The Entity is responsible for listing all individuals who will need to complete the PCI training on the Cardholder Data Flow and Fact Sheet form, and for notifying the CFO’s office when new individuals are hired and need to complete the training. The CFO’s office is responsible for assigning the PCI training course and verifying completion of the course by each individual assigned.
- The CFO’s office will create a merchant account in the TrustWave/TrustKeeper portal, using the Merchant ID information provided by First Data and the bank. The individual in the Entity who will be responsible for completing the SAQ and PCI documents will be designated on the account.
- Log on to the TrustKeeper portal (TrustKeeper will send a link when an account is set up) and complete the account registration information within three (3) business days from the time the email and link are received from TrustKeeper.
- Log on to the TrustKeeper portal and complete the on-line Self-Assessment Questionnaire (SAQ) within five (5) business days from the time the email and link are received from TrustKeeper. If applicable, identify systems that need to be included in monthly scans and successfully pass the first scan before accepting payment cards. For help in completing the SAQ, contact the CFO’s office.
Note: the registration and SAQ can be done at the same time.
- The CFO’s office will log on to the TrustKeeper portal, access the merchant account, and review the updated information provided by the merchant contact and the completed SAQ. The SAQ and PCI Certificate (which includes the completion date and the name of the person completing the SAQ) will be saved and uploaded to the merchant account’s folder in the PCI Compliance web site Merchant Library.
- The CFO’s office will send the required PCI documents for completion to the contact person for the merchant account. The completed forms are to be returned to the CFO’s office via email within five (5) business days. The CFO’s office will review the forms and upload them to the merchant account’s folder in the PCI Compliance web site Merchant Library.
- Based on information gathered during the initial meeting between the merchant account contact and the CFO’s office, the CFO’s office will prepare a draft of the business process for the account regarding processing payment card transactions.
- The draft will be emailed to the merchant account contact for review and any necessary revisions, then sent back to the CFO’s office. Once the draft is final, the CFO’s office will upload a copy to the PCI Compliance web site Merchant Library and send a copy to the Entity contact.
- Contact the CFO’s office for any additional assistance on use of terminals, or the AskIT Help Desk for assistance on the setup and use of the TouchNet gateway. Training for payment applications should be requested through your application provider.
