Payment Card Industry (PCI) Compliance

About PCI Compliance

University departments and third-party services acting on behalf of the university must follow the requirements outlined in the UNLV Payment Card Merchant Policy when accepting and processing credit card payments. This policy is in accordance with guidelines outlined in the Payment Card Industry Data Security Standard.

Adhering to this policy protects our customers’ payment card information, the university’s reputation, and reduces the financial costs associated with a breach of payment card information.

Request a New Merchant Account

Who Should Know This Information

Anyone responsible for managing, accepting, processing, or reconciling university payment card transactions that bear the logos (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services and all employees involved with handling cardholder data including program managers and systems managers.

To Whom This Information Applies

All merchants involved in payment card processing via a payment card terminal and online. Online transactions include links on UNLV websites redirecting customers to another website, as well as the use of Point-of-Sale software, or a third-party vendor to transmit, process, or store cardholder data.

A payment card merchant is a department or any other entity at the university that stores, processes, transmits, or affects the security of cardholder data (CHD).

These standards are enforced by the card associations and adherence is required in order for a merchant to accept card payments.

Responsibilities

Comply with the Payment Card Industry (PCI) Data Security Standards.
Receive approval from the Controller’s Office on new merchants or new purchases before entering into any contract, purchase, acquisition, or replacement of equipment, software, Internet provider, or wireless device that processes payment card transactions.
Maintain a department information security policy. Departments utilizing payment card merchant accounts must establish policies and procedures for physically and electronically safeguarding cardholder data. (PCI DSS)
Prevent unauthorized access to cardholder data and secure the data. Establish procedures to prevent access to cardholder data in all forms. (PCI DSS)
Communicate the policy to staff and obtain signatures. Supervisors including deans, fiscal officers, and systems managers must communicate this policy to their staff and maintain the Responsibilities of Payment Card Handlers and Processors (Page 7, Appendix A) for all personnel involved in payment card transactions. (PCI DSS)
Restrict access based on a business need-to-know. Access to physical or electronic cardholder data must be restricted to individuals whose job requires access. (PCI DSS)
Assign a unique ID to each person with computer access. A unique ID must be assigned to each person with access to computers that are used to process payment card information. Usernames and passwords should not be shared. (PCI DSS)
Transmitting cardholder data by email, chat, or fax is prohibited. Never send unprotected Primary Account Number (PAN) by end-user messaging technologies (for example, email, instant messaging, chat, etc.) (PCI DSS)
Electronically storing the CVV/CVV2 validation code, or PIN number is prohibited. Do not store the customer’s three or four-digit CVV or CVV2 validation code, or PIN, (personal identification number). (PCI DSS)
Segregation of duties. Establish appropriate segregation of duties between personnel processing transactions, issuing refunds to custody of assets, record keeping, and those assigned to the reconciliation function.
Mask the payment card number. Terminals and computers must mask everything but the first 6 digits and the last 4 digits of the primary account number (PAN). (PCI DSS)

Reporting a Security Incident

Immediately report a payment card security incident to the department supervisor and the PCI Compliance Team if known or suspected payment card information has been exposed, stolen, or misused.

Notification to the department supervisor should be in writing. Follow these steps to submit a report:

Include a department name and contact number
Do not disclose any cardholder data, three or four-digit validation codes, or PIN numbers in the written report
Include the following information in the report:
- Explanation of security incident
- Names of people involved
- Where, when, and why the incident happened

Notification to the Compliance Team should go through the following data breach form. Additional information on the policy can be found through the Office of Information Technology website at Breach of Information Notification Policy.

Fraud Prevention Procedures

Do not disclose or acquire any cardholder data without the cardholder’s consent.
Keep all cardholder data secure and confidential.
Limit access to cardholder data only to those employees who require access to do their job.
Cardholder data cannot be stored in any fashion on UNLV computers, networks, or related media.
Wireless networks cannot be used in the cardholder data environment.
Cardholder data must never be transmitted via email and departments are prohibited from soliciting cardholder data via email.
Cardholder data that is inadvertently received by email should be deleted immediately and should not be used for processing payments.
Payment card authorization forms must not contain references to an email address.
Payment card authorization forms must not contain a FAX number that refers to an unsecured FAX machine.
Payment card authorization forms must clearly show the following warning, “Please do not email this authorization form. Email is not a secure way of transmitting your card information.”
All documentation containing cardholder data must be destroyed in a manner that will render them unreadable (crosscut shredding or third party shred bin) after their useful life (180 days) has expired. All other departmental deposit and accounting records must be maintained for a period of seven (7) years.
A report of activity (by day and in total) is to be generated each month. This report should include your merchant name and number, the daily totals by batch, sales distribution, and the total for the month.
Reconcile daily activity to merchant statements at least monthly to ensure credit is received for all processed transactions. Verify amount to finance deposit postings. Documentation that a reconciliation was done should be retained by the department.
All business accepting payment cards will be required to complete an annual self-assessment questionnaire (SAQ).
Each department that processes payment card transactions must have written procedures specific to that organization. The procedures must include, but are not limited to, the following:
- Segregation of duties
- Reconciliation procedures – daily and monthly
- Physical security
- Disposal
- Instructions for processing transactions through all accepted payment channels
Departmental procedures should be reviewed, signed, and dated by the department head or business manager on an annual basis and submitted to the Controller’s Office along with other required PCI compliance documentation.

Questions and Submitting the Self-Assessment Questionnaire (SAQ)

If you have any questions, need help submitting your annual self-assessment questionnaire (SAQ), or need additional information, please contact pci@unlv.edu.

Resources

Information provided here does not replace or supersede requirements in any PCI SSC Standard.

Office of the Controller Office of the Controller

Office of the Controller

Find

Quick Links