Credit Cards

PCI-DSS COMPLIANCE

Payment Card Industry Data Security Standard (PCI-DSS) compliance is required of every university department that accepts, processes, transmits or stores payment card data. The standard is maintained by the PCI Security Standards Council, founded by Visa, MasterCard, Discover, American Express and JCB (the Japan Credit Bureau), to strengthen controls around cardholder data, mitigate data breaches and prevent payment card fraud. Failure to be PCI-DSS compliant can result in reputational harm to the university as well as fines and penalties imposed by the payment card brands and the university's acquiring bank. A data security breach can also result in the payment card industry revoking DePaul's ability to accept payment cards.

IMPORTANT COMPLIANCE DATES

August 1st of each year:
The Treasurer's Office notifies every department that accepts payment cards to begin completing the annual PCI-DSS Self-Assessment Questionnaire (SAQ) that attests to the department's compliance.

December 1st of each year:
Departments must complete and submit their annual PCI-DSS questionnaire to the Treasurer's Office no later than this date. Use the SAQ type below that matches how your department handles cardholder data; if none of the narrower types fits, SAQ D applies.

PCI-DSS INFORMATION

  • PCI DSS Requirements and Security Assessment Procedures Version 3.2 (PDF)
  • PCI DSS Summary of Changes (PDF)

  • SAQ A (PDF) - SAQ A addresses requirements applicable to departments whose cardholder data functions are completely outsourced to PCI-DSS validated third-party service providers, with no electronic storage, processing or transmission of cardholder data on department systems; the department retains only paper reports or receipts. This applies to card-not-present channels only: ecommerce or mail order/telephone order transactions.

  • SAQ A-EP (PDF) - SAQ A-EP addresses requirements applicable to departments with an ecommerce website that does not itself receive cardholder data, but which does affect the security of the payment transaction and/or the integrity of the page that accepts the customer's cardholder data. All processing of cardholder data is outsourced, but DePaul controls how customers, or their cardholder data, are redirected to the third-party processor (for example, a DePaul-hosted page that redirects or posts to the processor, or that embeds the processor's payment form).

  • SAQ B (PDF) - SAQ B addresses requirements applicable to departments that process cardholder data only via imprint machines or stand-alone, dial-out terminals connected over a phone line rather than an IP network, with no electronic cardholder data storage.

  • SAQ B-IP (PDF) - SAQ B-IP addresses requirements applicable to departments that process cardholder data via stand-alone, PTS-approved point-of-interaction (POI) devices with an IP connection to the payment processor, with no electronic cardholder data storage.

  • SAQ P2PE-HW (PDF) - SAQ P2PE-HW addresses requirements applicable to departments that process cardholder data only via hardware payment terminals included in a validated and PCI-listed Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage.

  • SAQ C (PDF) - SAQ C addresses requirements applicable to departments whose payment application systems (for example, point-of-sale software) are connected to the internet, with no electronic cardholder data storage.

  • SAQ C-VT (PDF) - SAQ C-VT addresses requirements applicable to departments that manually key one transaction at a time into a virtual terminal on an isolated PC connected to the internet, with no electronic cardholder data storage. A virtual payment terminal is web-browser-based access to a third-party service provider or processor website used to authorize payment card transactions, where department personnel manually enter the payment card data over a securely connected (HTTPS) browser session.

  • SAQ D (PDF) - SAQ D addresses requirements applicable to departments that do not meet the criteria for any other SAQ type, including any department that electronically stores, processes or transmits cardholder data on its own systems.

CONSEQUENCES OF NONCOMPLIANCE
FAILURE TO COMPLY WITH PCI-DSS MAY RESULT IN SEVERE CONSEQUENCES TO DEPAUL UNIVERSITY:

Just one incident can severely damage the university's reputation and its ability to conduct payment card business. Account data breaches can lead to catastrophic loss of revenue, business relationships and standing in our community. Possible negative financial consequences also include:

  • Cancelled merchant accounts
  • Fines and regulatory penalties
  • Insurance claims
  • Lawsuits