| Title: | Payment Card Industry Data Security Standards (PCI DSS) Compliance, Policy on |
|---|---|
| Policy Owner: | Office of the Bursar Cash Operations, UConn Information Security Office |
| Applies to: | Workforce Members |
| Campus Applicability: | All UConn Campuses, except UConn Health |
| Approval Date: | June 17, 2026 |
| Effective Date: | July 1, 2026 |
| For More Information, Contact: | Director of Cash Management & University Bursar, Chief Information Security Officer |
| Contact Information: | cashoperations@uconn.edu |
| Official Website: | https://bursar.uconn.edu/departments/cash-operations/ |
PURPOSE
To provide requirements for safeguarding Customers’ payment card data and cardholder information. Failure to protect this information may result in financial loss for Customers, suspension of credit card processing privileges, fines, and damage to the reputation of the University.
APPLIES TO
Workforce members involved with payment card handling which includes but is not limited to collection, processing, transmission, or storage of payment card data in any form on behalf of the University.
DEFINITIONS
Attestation of Compliance (AOC): A formal document certifying an organization’s compliance with Payment Card Industry Data Security Standards (PCI DSS).
Cardholder Data (CHD): Elements of payment card information that must be protected, including the primary account number (PAN), cardholder name, expiration date, and the card security code (CVV/CVC). Note that PCI DSS classifies the security code as sensitive authentication data, which may never be stored after authorization, even in encrypted form; this policy treats it as CHD for the purpose of the handling rules below.
Customer: Any individual or entity conducting a financial transaction with the University that involves the collection, processing, transmission, or storage of their payment card data.
Department: A University unit approved by the PCI Team to accept payment cards without maintaining a designated unique merchant identification number.
Merchant: A department or unit approved by the PCI Team in accordance with University policy to be assigned a designated unique merchant identification number for payment card acceptance.
Payment Card Industry Data Security Standards (PCI DSS): Technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. The standards globally govern all merchants and organizations that store, process, or transmit this data. Compliance with the PCI set of standards is mandatory and is enforced by the major payment card brands that established the Council.
Payment Card Industry Security Standards Council (PCI SSC): A global forum that brings together industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.
PCI Responsibility Matrix: A framework that clearly defines and allocates specific PCI DSS tasks and requirements among different parties, such as a merchant and its service providers. It maps each PCI DSS requirement to the responsible party, which can be the merchant, a service provider, or a shared responsibility.
PCI Team: Group composed of representatives from Office of the Bursar Cash Operations and the UConn Information Security Office.
PCI Violation: Any action, inaction, or condition that results in non-compliance with PCI DSS requirements.
Point of Interaction (POI) Devices: Any hardware used to capture payment card data (e.g., card readers, PIN pads, kiosks).
Point-to-Point Encryption (P2PE): A PCI-listed solution that cryptographically protects cardholder account data from the point where a merchant accepts the payment card to the secure point of decryption.
Point-to-Point Encryption Self-Assessment Questionnaire (P2PE SAQ): Reporting tool used to document self-assessment results from an entity's PCI DSS assessment specific to PCI-validated Point-to-Point Encryption (P2PE) solutions. The P2PE self-assessment document is maintained by the PCI Security Standards Council.
Self-Assessment Questionnaire (SAQ): Validation tool to help merchants report the results of their self-assessed PCI DSS compliance.
Third Party Service Providers: Business entities, other than a payment brand, that are directly involved in the processing, storage, or transmission of cardholder data and/or sensitive authentication data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.
POLICY STATEMENT
The University of Connecticut is committed to protecting Cardholder Data (CHD) and maintaining compliance with the Payment Card Industry Data Security Standards (PCI DSS). All payment card activities conducted on behalf of the University must be performed in a manner that minimizes risk to cardholders and the institution, limits the handling of Cardholder Data, and ensures consistent compliance with PCI DSS requirements.
Storing of CHD
University workforce members must never record or store Cardholder Data in any physical or electronic format, including paper or electronic documents.
Appropriate Use of Payment Channels
Electronic Payments
Customers must be directed to complete electronic payments online using their own device and must not be directed to use a University device to enter CHD. CHD must not be entered by staff on University computers or workstations.
In-Person Payments
The cardholder must always maintain their physical card when making payment in-person. University workforce members must never take possession of the Customer’s physical card.
Mail Order Payments
Usage of mail order forms is prohibited unless otherwise approved by the PCI Team. If usage of mail order forms is approved, all CHD must be physically destroyed immediately after processing in a manner that renders the data unrecoverable (for example, cross-cut shredding). The remaining portion of the mail order form must be retained in compliance with University retention requirements.
Telephone Payments
Accepting card payment over the phone is prohibited unless otherwise approved by the PCI Team. If acceptance of phone payments is approved, they must be taken over a physical phone only and cannot be accepted via Voice over IP (VoIP) software.
Email
Receiving and processing CHD via email is prohibited. If CHD is received via email, the CHD must be deleted immediately from all Outlook folders, including the Deleted Items folder, and the card payment must not be processed.
Point of Interaction (POI) Devices
All in-person, mail order, and telephone payment card transactions must be processed exclusively through PCI-validated Point-to-Point Encryption (P2PE) Point of Interaction Devices. POI Devices must be listed on the PCI Security Standards Council (PCI SSC) list of validated P2PE solutions.
Exceptions must be approved by the PCI Team and will only be granted for Merchants who have a business need to use a vendor that does not offer P2PE POI Devices.
Merchants and Departments using POI Devices must meet the requirements outlined in the current Point-to-Point Encryption Self-Assessment Questionnaire (P2PE SAQ), including but not limited to:
- restricting physical access;
- providing training for awareness of POI Device tampering;
- following POI Device log procedures; and
- completing POI Device inspections, with frequency of inspection determined by a targeted risk assessment of the device environment.
Annual Self-Assessment Questionnaire (SAQ) Submission
All Merchants must submit an SAQ annually. The SAQ type must align with the Merchant’s payment processing method(s) and business environment. The PCI Team will coordinate with Merchants on the completion and submission of the annual SAQ.
Third Party Service Providers
Merchants and Departments may have a need to use Third Party Service Providers to provide functionality for processes such as event registration, non-credit programming, ticketing, and other services that cannot be accommodated through the University’s centralized e-commerce platform.
Using a Third Party Service Provider does not transfer PCI DSS responsibility from the University. All Third Party Service Providers must:
- be contracted through the University’s procurement process;
- be approved by the PCI Team;
- demonstrate PCI DSS compliance through vetting and monitoring;
- provide a PCI Responsibility Matrix and a current Attestation of Compliance (AOC).
Merchants and Departments must request the AOC annually as part of ongoing service provider management. The AOC must be submitted to the PCI Team for the annual SAQ submission.
Annual Training
Workforce members involved with the acceptance and processing of CHD must complete annual training on PCI DSS compliance and information security awareness in accordance with University policy. The PCI Team is responsible for providing training to required workforce members.
Annual Policy & Procedure Review
Merchants and Departments must review all payment card processing policies and procedures on an annual basis.
Incident Response Reporting
Any actual or suspected unauthorized access or disclosure of Cardholder Data must be reported immediately to the PCI Team by emailing security@uconn.edu and cashoperations@uconn.edu. The UConn Information Security Office shall assess all reported events and when appropriate activate the University Incident Response Plan.
ENFORCEMENT
Failure to meet the requirements outlined in this policy may result in suspension of the physical and, if appropriate, electronic payment capability for the responsible Department(s) or Merchant(s). In the event of a PCI Violation, the payment card brands may assess penalties to the University’s merchant services bank, which may be passed on to the University. The responsible Department or Merchant will be financially accountable for any such penalties assessed and passed on to the University.
Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.
PROCEDURES/FORMS
POI Device Inspection Procedures
REFERENCES
Data Classification Policy
Incident Response Plan
Opening a Merchant Account for Credit Card Acceptance
PCI SSC Validated P2PE Solution Listing
P2PE SAQ
Records Management Policy
Security Awareness Training Policy
POLICY HISTORY
Policy created: June 17, 2026 (Approved by the University Senior Policy Council and President)