Payment Card Industry Data Security Standards (PCI DSS)

CSU Bakersfield maintains a high standard for ensuring the protection and security of its data. This endeavor encompasses our payment processing practices. To ensure the protection of our payment processing practices, CSU Bakersfield adheres to the data standards established by the Payment Card Industry Security Standards Council (PCI SSC).

The PCI SSC has developed the Payment Card Industry Data Security Standards (PCI DSS) to safeguard the handling of payment card transactions. The PCI DSS is a tool that assists with PCI compliance. As such, CSU Bakersfield requires all payment card processing for products and services on behalf of the university to comply with the PCI DSS.

Scope
Compliance with the PCI DSS applies to any university department, on-campus vendor, project, program, fund-raising activity, or auxiliary that accepts payment cards for products and services on behalf of the University. Additionally, the PCI DSS applies to all payment cards, including but not limited to credit cards, bank debit cards, check authorization cards, cards used for cashless transactions, and other forms of payment.

Getting Started
To get started with the PCI DSS, you will need to identify your entity as a campus merchant by completing the PCI Identification Form. Once the form is submitted and subsequently reviewed, you will be contacted by a member of Fiscal Services or Information Technology Services.

Responsibilities and Involvement
In complying with the PCI DSS, you will need to adhere to specific procedures. These procedures require you to:

  • Identify your entity as a merchant
  • Know your roles and responsibilities as they relate to PCI requirements
  • Determine the scope of your cardholder data environment annually
  • Identify and document the existence of your cardholder data environment
  • Identify and document business processes in relation to the cardholder data environment
  • Document your device inventory and user inventory
  • Complete annual PCI security awareness training through the bank/acquirer
  • Conduct an annual risk assessment of your cardholder data environment (see pcisecuritystandards.org for information)
  • Re-determine the scope of your cardholder data environment annually, with the aim of reducing that scope
  • Work with your bank representative on merchant requirements
  • Complete the appropriate annual PCI Self-Assessment Questionnaire as determined by the bank/acquirer
  • Contribute department/entity/program payment card information toward campus-wide PCI requirements
  • Provide the campus Information Security Officer with annual access to your documentation for review

Due to the dynamic nature of technology and information security, the requirements for specific procedures and documents are subject to change without notice. Please review the PCI DSS Resources, or contact the Information Security Officer for additional recommendations, assistance, or questions regarding compliance.

Resources
To assist you with understanding and implementing the PCI DSS, you may find the following links helpful.

PCI Identification Form

CSUB Credit Card Acceptance Policy - Contact Fiscal Services

PCI Getting Started

Glossary of Terms, Abbreviations, and Acronyms

PCI DSS Data Storage Do's and Don'ts

Skimming Prevention

Protecting Telephone-based PCI

Self-Assessment Questionnaires (SAQs)

PCI Support