



Issuing Officer: Associate Vice Chancellor, Corporate Financial Services
Responsible Dept: Corporate Financial Services
Effective Date: October 19, 2011
Supersedes: New

I. REFERENCES
II. PURPOSE
III. DEFINITIONS
IV. STATEMENT
V. ATTACHMENTS
The purpose of this policy is to ensure that the appropriate minimum security standards for processing credit and debit card information at UCLA are identified and adhered to, and that prior approval is secured before credit and debit card (hereinafter payment card) transactions can be executed.
This policy applies to all employees who process payment card information, including students, full-time, part-time and temporary employees, and the workforce of the UCLA Health System; and to all third parties who process payment card information and whose conduct in the performance of their work for UCLA is under the control of UCLA or the Regents of the University of California.
For the purposes of this Policy, the following terms shall apply:
Attestation of Compliance (AOC) means a self-certification that a unit or department has signed attesting to the fact that it has adhered to Payment Card Industry Data Security Standard.
Cardholder Data means the primary payment card account number, the cardholder name, the expiration date and the service code as defined in the Payment Card Industry Data Security Standard.
Payment Coordinator is the Director of Student Financial Services in Corporate Financial Services.
Self-Assessment Questionnaire (SAQ) means a validation tool to assist a unit or department in self-evaluating to verify that it adheres to the Payment Card Industry Data Security Standard.
UCLA Policy 314 Page 2 of 3
The proper collection and security of personal information gathered in the course of University business is of paramount importance. The University is obligated by policy and law to protect such information (see UCLA Policy 404 for more information).
UC Business & Finance Bulletin, BUS-49, Appendix B states in part:
Any credit or debit card cardholder information collected, stored, or transmitted as part of a card transaction is further regulated under the Payment Card Industry (PCI) Data Security Standards (DSS). Compliance with these standards is mandatory for all University units accepting credit/debit cards for payment. Failure to comply can result in significant fines and loss of the ability to process such transactions. University units processing card transactions must understand the data security rules applicable to their processing environment. The Credit Card/Internet Payment Gateway Coordinator assists in that training as part of authorizing the unit to process cards.
No UCLA employee or third party payment processor engaged by UCLA may process or accept payments by payment card without prior approval of the campus Credit Card/Internet Payment Gateway Coordinator (hereinafter Payment Coordinator) which will be dependent upon meeting the following requirements:
A. Roles and Responsibilities
Unit or Department Head
Unit or Department Heads may delegate authority for administering the PCI DSS for their areas of responsibility, but are ultimately responsible for compliance with this Policy.
Unit and Department Heads must ensure that affected staff and third party vendors are thoroughly trained, that related IT support systems are tested and verified, and that corrective action is taken on a timely basis to bring into compliance any processes found to be deficient.
Any fines or costs that are assessed related to non-compliance will be borne by the affected unit or department.
Payment Coordinator
The Payment Coordinator has sole authority for approving or denying requests for the acceptance of payment for goods or services via payment cards. She or he may rescind the acceptance of payment card transactions of a unit or department found to be non-compliant.
The Payment Coordinator is the final authority for determination of the appropriate SAQ and AOC for completion by the unit. This may be done after consultation with the Director, IT Security.
UCLA Policy 314 ATTACHMENT A Page 1 of 2
Payment Card Industry (PCI) Data Security Standard (DSS) Self-Assessment Questionnaires and Attestations of Compliance
The Payment Card Industry Data Security Standard requirements vary depending on the method of credit and debit card processing being used. The different methods are defined in the Self-Assessment Questionnaires (SAQ) as follows:
o The organization’s computer does not have any attached hardware devices that are used to capture or store Cardholder Data.
o The organization does not receive or transmit Cardholder Data electronically except through the virtual terminal.
o The organization does not store Cardholder Data in electronic format.
o If the organization does store Cardholder Data, it is only in paper records or copies of receipts and is not received electronically.