Welcome to the Assistant VP for Finance and University Comptroller's Home Page
 
 
  UVA & Credit Cards

The ability to conduct credit card transactions has become a necessity for increased customer service, particularly with the increase in e-commerce. The University recognizes that use of credit cards may stimulate sales in certain types of transactions and may increase the efficiency of cash collections. Protecting our customers' credit card data is essential. This page provides University units and departments with essential information regarding the requirements and best practices for payment card related activities.

 
  UVA Payment Card Documents  
 

 

University of Virginia Payment Card Requirements - This document identifies the requirements that departments, offices, and all other entities that accept or want to accept payments by credit cards must follow. These requirements also apply to departments that accept credit card information for activities such as fund raising to be passed on to another department for processing (revised June 2008).

  View Requirements (PDF)

U.Va. Primer on Credit Cards & PCI Data Security Standards Brochure - This brochure has been created to provide basic information about the payment card environment at the University of Virginia. It is a great starting place for faculty, staff, and others at U.Va. that may be considering credit card activities (revised May 2009).

  Obtain brochure (PDF)

The GOLDEN Rules:

1) Thinking of taking credit cards or changing your current process? Contact the University Banking Coordinator first!

2) Do NOT request or send any credit card information by e-mail. If someone e-mails their data to you, you should make them aware that, for their own safety, they should not do this again and you should delete the e-mail as soon as possible.

3) NEVER record data in any electronic format (Excel files, databases, etc.) unless you have been authorized to do so by the University Comptroller and in compliance with University Policy IRM-015 - Electronic Storage of Highly Sensitive Data.

4) Do NOT request, record, or store any of the magnetic stripe data or the credit card confirmation code (three digits on the back of many cards and 4 digits on the front of American Express cards; this is sometimes referred to as the "CVV2" code).

5) Please do NOT offer to enter payment card data into hosted (third-party) websites on behalf of a client. Doing so could expose your computer and every computer connected to it to keylogging, hackers, etc. We want to make sure that our clients' data is safe!

We Recommend:

Controlling Cash, Checks, & Credit Cards at the University of Virginia - This course is designed for anyone at the University who handles or supervises cash, checks, and credit card activities at the University. Attendees will learn about cash handling best practices and topics that include: payment cards and PCI, expenditure credits, petty cash accounts, and e-commerce at UVA.

Register for these classes via the Integrated System Self-Service Application!   

Click HERE for the Human Resources Training Calendar.
 
     
  Payment Card Industry - Data Security Standards (PCI DSS)  
 

 

What is PCI? - These are national standards from the Payment Card Security Standards Council and apply to all organizations anywhere in the country that process, transmit or store credit cardholder data.  The University and all departments that process payment card data have a contractual obligation to adhere to the PCI Data Security Standard (PCI-DSS).  We must adhere to these standards to protect our customers and to continue to process payments using payment cards. Each year, departments and units that are conducting payment card activities must submit a Self-assessment Questionnaire (SAQ) to the University Banking Coordinator assuring their compliance with the PCI data security standards.

PCI Security Standards Council - The PCI Security Standards Council was founded by the major credit card companies (American Express, Discover Card, JCB, MasterCard, and Visa) to manage the continued development, communication, clarification, and implementation of the PCI standards. The PCI SSC site is the best resource for questions related to the standards.

PCI Self Assessment Instructions & Guidelines - This document (from the PCI SSC SAQ site) is designed to help answer questions related to the PCI standards. Please refer to the "Selecting the SAQ and Attestation that Best Apply to Your Organization" section to help you determine which Self-assessment Questionnaire you should complete.

  SAQ Instructions and Guidelines

Navigating PCI DSS: Understanding the Intent of the Requirements, v 1.2 - This document describes the 12 Payment Card Industry Data Security Standard (PCI DSS) requirements, along with guidance to explain the intent of each requirement. It is intended to provide a clearer understanding of the standard and of the specific meaning and intention behind the detailed requirements to secure system components (servers, network, applications, etc.) that support cardholder data environments.

  Navigating PCI DSS

UVA Self-Assessment Questionnaires - These questionnaires have been adapted for University of Virginia use ONLY and should be used by departments or units that conduct payment card transactions and would qualify to submit SAQ A or SAQ B.

   UVA SAQs (Requires log-in. If you cannot access the site, contact Devin Herod or B.C. Worsley.)

PCI Self-Assessment Questionnaires - These are the official questionnaires developed and maintained by the PCI Council. These should be used by departments or units that do not qualify to submit the previous SAQs (A or B).

   Official PCI SAQs

 
     
Last modified: 29-May-2009 17:46:51 EDT
by the Rector and Visitors of the University of Virginia