Payment Card Industry Compliance Policy

CSUB Information Security Policy
Date in Effect: November 2009
Policy Title: Payment Card Industry Compliance (PCI Compliance)

Campus entities, including auxiliaries, that enter into contracts with third-party vendors who process, store, or handle credit or debit card data on behalf of the University shall ensure that the vendor(s) with which they contract are PCI compliant, as well as contribute applicable payment card information toward campus annual compliance. The campus entity, including auxiliaries, will ensure that the vendor(s) provide the University Procurement Office with a compliance statement or certification attesting to their compliance, annually. In addition, campus entities, including auxiliaries, that have a Merchant ID must comply with PCI, conduct and document an annual risk assessment of compliance obligations, fill out the applicable PCI self-assessment questionnaire annually, and have certification attesting to their compliance on file annually and available for review.