Joyce Sturm, Financial Services
In January 2005, recognizing the need for a common set of security requirements and a single validation process, Visa collaborated with MasterCard to create the Payment Card Industry (PCI) Data Security Standard. Other payment-card brands, such as American Express and Discover Card, have also endorsed this Standard within their respective programs. The Standard addresses areas such as building and maintaining a secure network, protecting cardholder data, implementing strong access-control measures, and maintaining an information security policy.
PCI applies to all merchants who capture, process, or store cardholder data. Due to the aggregated e-commerce activity of campus merchants, the Berkeley campus was determined to be a Level 3 merchant for compliance requirements. This classification calls for all merchants to complete and submit an annual self-assessment questionnaire and to successfully pass quarterly network scans by a qualified independent scan vendor.
UC Office of the President (UCOP) has issued policies requiring that all merchants document their compliance with PCI and has negotiated a systemwide contract with Ambiron Trustwave (ATW) to assist campuses in this effort. ATW hosts a web portal, known as Trustkeeper, which provides an online version of the self-assessment questionnaire, and an interactive means for managing the scans and viewing the results. ATW is also responsible for reporting compliance certification to our acquiring bank, Chase Merchant Services.
Campus merchants were classified in one of three categories:
Merchants in categories 1 and 2 must register with Trustkeeper in order to document their compliance with the Standard. Merchants outsourcing credit-card acceptance to a third-party must ensure that the vendor they are using is PCI compliant and is contractually obligated to maintain compliance.
Financial Services, which oversees the cash-handling aspects of merchant activity, and IST Communication and Network Services worked closely with campus merchant departments to assist them in meeting the compliance requirements. Other units consulted for their expertise in applying PCI to campus business, policy, and computing environments included Systems and Network Security, IST's IT Policy group, and IST's Central Computing Services department. The Departmental Technology Solutions unit in the IST Administrative Systems Department was responsible for the compliance of e-Pay and the Paperless Pay Process (PPP), and assisted the Controller's Office in helping other campus departments meet the compliance requirements.
In 2004, campus merchants processed more than $70 million in credit-card transactions. Customers who entrust their cardholder data to a campus merchant can now be assured that our systems are protecting that data from inappropriate access.
For more information on PCI, see Visa's Cardholder Information Security Program: Merchants web page (http://www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html?it=l2|/business/accepting_visa/ops_risk_management/cisp%2Ehtml|Merchants).
For information concerning campus merchant compliance, contact Campus Credit Card Coordinator Joyce Sturm,
iNews: UC Berkeley information technology news channels
Copyright 2005, The Regents of the University of California