Payment Card Industry Data Security Standard (PCI DSS) Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This standard is designed to minimize both the chance of a cardholder data compromise and the effects if a compromise does occur.

PCI DSS applies to all organizations that accept payment cards as a method of accepting financial gifts or in exchange for goods or services. PCI DSS also applies to all types of payment card activities transacted in person, over the phone, via fax, mail or Internet.

New credit card handling security standards and a credit card security self-assessment questionnaire have been developed which require campus departments (both state and auxiliary organizations) taking credit or debit cards for payment to notify the Information Security Office and conduct a yearly self-assessment.

CSU, Chico Annual Credit Card Assessment Questionnaires

PCI compliance consists of business (or accounting) and technical components. With this in mind we have separated the survey into administrative, business process, and technical assessments. PCI business requirements consist of the processes involved in the actual acceptance of credit cards and the accounting procedures required for cash handling. PCI technical requirements are centered on the electronic storage and processing of credit card data. To prepare for the onsite visit, all campus divisions, departments, and centers are requested to complete the attached survey forms, which will be reviewed during the meetings.

Attachment A (PDF): Chico Credit Card Acceptance Survey is a high-level certification that should be completed by the appropriate administrator of each division or department that accepts credit cards.

Attachment B (PDF): Chico Credit Card Business Process Inventory should be completed by each business unit or for each business process involved in the collection of credit cards. This form is intended to capture how credit cards are accepted, especially the business processes associated with the collection of credit cards. Areas that do not electronically store or process credit card numbers are not required to continue.

Attachment C (PDF): Chico Credit Card PCI-DSS Risk Assessment. This document should be completed for each business unit that electronically stores or processes credit card numbers. Examples of electronic storage or acceptance include any process where credit card numbers are entered using a CSU, Chico computer, a card swipe connected to a CSU, Chico computer, or the use of a web site to collect or store credit card numbers. Areas that do not use computers to store or process credit card numbers should not complete this form. Examples of acceptance methods that are exempt from this form are the use of a PCI-certified third-party hosted solution, such as a Cash Net storefront, or the use of a credit card terminal using a telephone or cellular connection. All other electronic acceptance methods should use this form.