PCI Compliance FAQs
Q1: What is cardholder data or CHD?
A: For University purposes, the credit/debit card number (the Primary Account Number, or PAN), cardholder name, expiration date, and security code. Note that the PCI SSC classifies the security code as Sensitive Authentication Data, which is subject to even stricter handling (see Q16).
Q2: How should papers/printouts that contain cardholder data be handled?
A: They should be stored in a locked filing cabinet or drawer with access limited to only those who need the information. The CHD should be shredded once business use is complete, or forwarded to Business Services as soon as possible for processing.
Q3: May I create a department deposit or other documents containing cardholder data on my computer?
A: No. Creating such a document, even if it is never saved, leaves temporary copies of the CHD on the computer (for example in application caches, autosave files and print spools). Any paper document used for processing credit cards or handling cardholder data must remain on paper for creation, storage, and transmission.
Q4: May I use my work computer to store or transmit cardholder data for someone other than myself as a part of my work?
A: No. UMD computers may not be used to store or transmit cardholder data, even if the objective is to purchase University products or services. Only University-approved, PCI-compliant hardware, as approved by the University's DIT, may be used for these tasks.
Q5: May I use my work computer to enter cardholder data into a UMD web/online form as a part of my work?
A: No. UMD computers may not be used to enter cardholder data into a UMD web/online form for another person, even if the objective is to purchase University products or services.
Q6: May I take cardholder data over the telephone for a campus service or event?
A: Depending on the situation, this may be allowed. If this is part of your job responsibilities, you must complete the University PCI training (including periodic refreshers and updates) and/or consult with the PCI team to understand what is required to maintain PCI compliance.
Q7: May I take cardholder data via email for a campus product, service or event?
A: No. Cardholder data should never be sent, received, or stored via email systems due to security concerns.
Q8: May I take cardholder data via postal mail for a campus service or event?
A: Depending on the situation, this may be allowed.
Q9: My department needs a new online Nelnet link created to accept credit card numbers as payment for an event or service. What is the process to request this?
A: Contact the PCI team and request a link through eStores.
Q10: My department is considering a new software application that will accept credit cards as payment for an event or service. How should I proceed?
A: All new software applications being considered by campus departments must go through the PCI Compliance Team to evaluate the process, security and compliance and for information on how to proceed with the purchasing process.
Q11: What is a vulnerability scan?
A: A vulnerability scan uses an automated tool to check a merchant's or service provider's systems for vulnerabilities. The tool conducts a non-intrusive scan that remotely reviews networks and web applications based on the external-facing Internet Protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services and devices that attackers could use to target the organization's private network. When performed by an Approved Scanning Vendor (ASV), the scan does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks are performed.
Q12: What is a payment gateway?
A: Payment gateways connect a merchant to the bank or processor that is acting as the front-end connection to the card brands. They are called gateways because they take many inputs from a variety of different applications and route those inputs to the appropriate bank or processor. Gateways communicate with the bank or processor using dial-up connections, web-based connections or privately held leased lines.
Q13: What constitutes a payment application?
A: The term "payment application" has a very broad meaning in PCI. A payment application is anything that stores, processes, or transmits card data electronically. This means that everything from a point-of-sale system in a restaurant to a website e-commerce shopping cart is classified as a payment application. Therefore any piece of software that has been designed to touch credit card data is considered a payment application.
Q14: What constitutes a Service Provider?
A: The PCI SSC defines a Service Provider this way:
“Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.” (Source: www.pcisecuritystandards.org)
The “merchant as a service provider” role is further specified by the PCI SSC as “a merchant that accepts payment cards as payment for goods and/or services…if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.”
Q15: What is the definition of ‘merchant’?
A: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers. Source: PCI SSC
Q16: What is defined as ‘cardholder data’?
A: The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:
- Cardholder name
- Expiration date
- Service code
Sensitive Authentication Data, which must also be protected and may never be stored after authorization, includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs and PIN blocks.
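As an added illustration of the scope definition above (this is example code, not part of the University's FAQ or of any PCI SSC material), the following Python snippet finds full PANs in free text such as an email body, the situation Q7 warns about. It extracts 13- to 19-digit sequences, keeps only those that pass the Luhn check digit that payment card numbers carry, and masks each hit to the first six and last four digits, which is the most PCI DSS permits to be displayed. The regular expression, the function names and the sample email are assumptions made for this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run. Assumed for this example;
# real DLP tooling also checks brand-specific prefixes and lengths.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample email body, not a real message.
SAMPLE_EMAIL = """\
Hi, please charge my card 4111 1111 1111 1111, exp 12/26, code 123 for the
workshop. Our office number is 301-405-1000 and the PO reference is 1234567890123.
Thanks"""


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card PANs: from the right, double
    every second digit, subtract 9 from doubles above 9, and require the sum
    to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six and last four digits, the maximum PCI DSS allows to
    be displayed; everything in between is replaced by asterisks."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[dict]:
    """Return masked PANs and their offsets for every Luhn-valid candidate.
    Non-PAN numbers of similar length (order references, IDs) are rejected
    by the check digit; phone numbers are too short to be candidates."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append({"masked": mask_pan(digits), "offset": m.start()})
    return found


def contains_chd(text: str) -> bool:
    """True if the text carries at least one full PAN, i.e. it is in scope."""
    return bool(find_pans(text))


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_EMAIL):
        print(f"PAN found at offset {hit['offset']}: {hit['masked']}")
    print("in scope:", contains_chd(SAMPLE_EMAIL))
```

The Luhn check is a checksum, not a secret, so a passing sequence is a strong signal that a number is a PAN but not proof; a check like this belongs in an email or document DLP filter as a trigger for review, and the matched digits should never be logged in full.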
Q17: Are debit card transactions in scope for PCI?
A: In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard, and Visa International.
Q18: Do organizations using third-party processors have to be PCI DSS compliant?
A: Yes. Merely using a third-party company does not exclude an organization from PCI DSS compliance. It may reduce their risk exposure and consequently reduce the effort needed to validate compliance, but it does not mean they can ignore the PCI DSS.
Q19: Where can I find the PCI Data Security Standard (PCI DSS)?
A: The current PCI DSS documents can be found on the PCI Security Standards Council website.
Q20: To whom does the PCI DSS apply?
A: The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
Q21: What is PCI?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (American Express, Discover, JCB, MasterCard and Visa).