Compliance Requirements for Departments Processing Credit Cards

UB departments processing credit cards must comply with the following requirements:

  • Completed PCI Self-Assessment Questionnaires are required annually from all UB merchants who accept credit card payments. The questionnaire provides an assessment of a unit's compliance with PCI standards.
  • All employees handling credit card data must complete the UBlearns PCI Tutorial and Assessment annually. See Step-By-Step Instructions for Accessing the PCI Tutorial.
  • Security scans by a PCI-approved scanning vendor are also required to validate compliance with the PCI DSS. These scans cover all outward-facing IP addresses on the same subnet as any computer that handles credit cards (for e-commerce merchants, or for terminal merchants that use IP-based rather than dial-up terminals). See PCI Security Scanning Procedures. UB has contracted with Security Metrics to provide these scans.
  • The Payment Card Industry Data Security Standards were updated in April 2008 to clarify what required penetration testing must cover: "Penetration testing is different than the external and internal vulnerability assessments. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing should include network *and* application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network." [TOP OF THE NEWS, SANS NewsBites Vol. 10 Num. 34]
  • Finally, all employees handling credit card data must comply with the Financial Services Credit/Debit Card Merchant Requirements.