Skip to Content

Credit Cards and Payment Card Industry (PCI) Compliance


The ability to conduct credit card transactions has become a necessity for increased customer service, particularly with the increase in e-commerce. The University recognizes that use of credit cards may stimulate sales in certain types of transactions and may increase the cash collections efficiency. The need to protect our customer's credit cards data is essential.

This website provides University units and departments with essential information regarding the requirements and best practices for payment card related activities. Links to specific information on credit card options and PCI compliance are provided on the right hand side of this page and require NetBadge access. For answers to basic question about processing payment cards at the University before you get started, go to FAQ’s.

Payment Card Processing?

A University department or unit that is approved to host conferences or workshops, collect donations or gifts, and/or collect revenue from the sales of goods or services may choose to accept credit cards as a payment option. The requirements are also relevant to University revenues received from a third-party vendor that offers credit cards as a payment method. All of these methods must be approved by University Payment Card Services through the Comptroller’s Office.

The University is party to a State contract with a Payment Processor, Elavon to establish merchant accounts. The contract allows us to accept the major payment card brands: American Express, Discover, MasterCard, or Visa whether the card is a credit card, debit card or gift card. The processor supplies the mechanisms to verify the card, process the transaction to the customer’s account and move the funds via the settlement process to our bank, for a reasonable fee.

The contract obligates each merchant location to abide by the card brands Rules and Regulations. The card brands also protect their cardholders from fraud and provide a system to dispute charges with merchant locations.

What is PCI?

PCI stands for Payment Card Industry. PCI Data Security Standards are national standards from the Payment Card Security Standards Council and apply to all organizations anywhere in the country that process, transmit or store credit cardholder data.

The University and all departments that process payment card data have a contractual obligation through Elavon to adhere to the PCI Data Security Standard (PCI-DSS). We must adhere to these standards to protect our customers and to continue to process payments using payment cards. Each year, departments and units that are conducting payment card activities and an established merchant account through Elavon must submit a Self-Assessment Questionnaire (SAQ) to the U.Va. Payment Card Services unit assuring their compliance with the PCI data security standards. Departments and Units who work through a third-party who uses payment cards to collect revenue on their behalf are also obligated under PCI to provide card flow diagrams and verify annual compliance of all third-party vendors in the card data flow.

PCI has governance over software vendors, payment applications, processors, and all devices including; swipes, POS, PIN pads, mobile, Smartphones and Tablets. (Approved Companies and Providers)

There are a great many resources available from the PCI-DSS homepage. The For Merchants section provides a good overview of the operational requirements, a link to the PCI FAQ’s and several interesting short videos. The PCI Glossary is available from the Standards and Documents as are the SAQ’s referred to above and links to approved hardware (PTS Devices) and software vendors for payment applications (PA-DSS) and Point 2 Point solutions.

Questions about the University of Virginia's Credit Cards and Payment Card Industry compliance?
Contact U.Va. Payment Card Services at or view our staff listing.