Accepting credit card payments comes with a significant security risk. Departments considering this method of payment must be willing to accept certain system and configuration restrictions to protect the security of the UC network as a whole. Alternatively, departments may elect to shift the responsibility for compliance by using a UCSD-approved third party to manage their e-commerce transactions.
The UCSD guidelines for accepting credit card payments are modeled after the Payment Card Industry (PCI) Security Standards created by the Visa, MasterCard, American Express and Discover corporations. Failure to comply with these guidelines may result in compromised security, on-site audits by independent auditors, and significant monetary fines for the individual department and University at large. Since the consequences for the entire UCSD community are severe if a department receives a fine or citation due to non-compliance, departments should strongly consider using a third party to process credit card payments or a simple, offline system.
These guidelines apply to all departments that wish to accept credit card payments, whether they are already doing so or are creating a new account.
With the acceptance of credit card payments comes the responsibility for managing sensitive data. Security measures must be current and complete to prevent risk. Additionally, the credit card industry’s fines for non-compliance are costly and affect the entire campus community. One department in breach of compliance can incur fines of up to $500,000 per incident. The penalty for breach can also result in increased costs for the entire University and mandated third-party oversight of all the University’s credit card processing systems. Security incidents impact all departments on campus, not just the compromised one.
Any machine involved with e-commerce at UCSD must meet the Minimum Network Security Standards and be appropriately registered with ACS/Network Operations with an up-to-date contact.
The department must agree to all conditions of the rules of compliance detailed in the implementation guide, and review their compliance annually.
Redirecting Server: A department's Web server uses a gateway application (such as a Web page) from a third party who has obtained PCI certification to collect, store, and transmit data instead of retaining that data on the University Web server. The third party has responsibility for full PCI compliance, removing that burden (and its attendant risks) from the department. Most departments should use this method.
Offline System: A terminal or computer delivers data to the credit card processor over analog telephone lines. This departmental machine is never connected to any network other than the dial-up link to the credit card processor. Because information is not transmitted over the campus network, this method requires fewer security precautions. This is the simplest method, but it is also the slowest and least flexible.
Client Processor: A terminal or computer transmits data to the credit card processor but does not offer any network services or store data. The terminal must be physically isolated and accessible only to authorized personnel.
Secure Infrastructure: An internal database or system (Web application, mail system, file server, etc.) that collects, stores, and transmits credit card data. Security prerequisites for this type of system are extremely strict and the compliance requirements are not negotiable. Departments considering this method must have the technical personnel and equipment required to comply with the security restrictions, annual checks, and regular updates as needed.
Every part of a department’s credit card acceptance system that handles cardholder data, including:
Network components
Servers
Applications