
PCI/DSS Compliance

Overview

Departments of Georgia Southern University may, once approved, accept credit and debit cards as payment for goods sold and services rendered. Accepting cards in lieu of cash or checks is strongly encouraged.

Why is this important

PCI/DSS stands for Payment Card Industry Data Security Standard. It is not a law; it is a contractual requirement imposed by the card brands through the University's acquiring bank, and compliance is a condition of accepting major credit cards for business transactions on campus. PCI DSS defines which cardholder data must be protected (the primary account number and related authentication data) and sets the security requirements for safeguarding that data wherever it is stored, processed or transmitted. Mishandling cardholder data can result in substantial fines and in revocation of the University's card processing privileges.

Requirements

  • Any authorized University unit wishing to accept credit/debit cards as a form of payment should contact the Banking and Investment Manager within Financial Services. You will be required to complete a Merchant Application for approval. If you are considering a third-party vendor or third-party software application, you must also complete the Third-Party Vendor Application. Approval must be granted by Finance and IT Security before any agreement is signed or any such software is purchased.
  • All in-person card processing must use a PCI-listed Point-to-Point Encryption (P2PE) solution, so that card data is encrypted in the terminal and never readable on University systems. Departments are not permitted to set up their own merchant accounts or purchase their own card terminals without going through the University's PCI committee.
  • All e-commerce card processing must be compliant with PCI/DSS SAQ A-EP. When reviewing vendor proposals, departments should confirm that the vendor can demonstrate its PCI/DSS compliance annually by providing a current Attestation of Compliance (AOC).
  • The two approved vendors for Georgia Southern University are TransAct and TouchNet. A department wishing to accept e-commerce payments that does not have an approved vendor will be directed to set up its site through TouchNet Marketplace as either a uStore or uPay site.
  • To comply with the Data Security Standard, Georgia Southern University has contracted with a third-party company, CampusGuard. All approved merchants must register with CampusGuard when issued an account. Using the third-party assessor site, each department will complete a PCI Self-Assessment Questionnaire (SAQ) annually and will be required to review and close out a quarterly network vulnerability scan. Each quarterly scan must be passing, with its findings remediated and closed, before the next scan is run.
  • Training is required upon hire and annually for anyone who handles cardholder data. This includes physically processing payments, having access to cardholder information through third-party software, or maintaining networks or hardware involved in card processing. Email banking@georgiasouthern.edu the full name, Eagle ID and employee email address of each employee who needs access to the training in Folio.

Forms

Links

PCI/DSS Website 

Georgia Southern TouchNet Marketplace Mall (note: not all stores are visible in the Mall)

TouchNet Marketplace User Roles 

Best Practices for Departments Accepting Payment Cards 

Contact

Banking@georgiasouthern.edu

Last updated: 4/5/2023