Payment Card Industry Data Security Standards (PCI DSS) | Pepperdine University | Pepperdine Community

Payment Card Industry Data Security Standards (PCI DSS)

The Payment Card Industry Data Security Standards (PCI DSS) are a set of requirements designed to ensure that all merchants that process, store, or transmit credit card information maintain a secure environment. All Pepperdine departments that offer credit cards as a form of payment for their customers must certify compliance with this standard, regardless of size or number of transactions.

We recommend you attend the Information Security Briefing for Managers, which is available each year in March. You may also watch the Payment Card Training Video (requires login).

How to Meet the Mandatory Requirements for your Department's Acceptance of Payment Cards

By May 5th, departments must complete the following requirements for PCI DSS:

  1. Complete PCI DSS Cover Sheet to accompany your documents listed below
  2. Complete and sign the appropriate SAQ for each credit card processing method accepted in your department (see below for online forms)
  3. Attach your department's credit card handling procedures
  4. Attach appropriate PCI Compliance Certificate, if using an approved third party service provider other than CASHNet or Eventbrite. To locate a validated service provider, visit Visa's Global Registry of Service Providers. Additional requirements may include:
    • Quarterly perimeter scans conducted by the PCI approved security assessor
    • Quarterly internal penetration tests
  5. Submit completed Cover Sheet, SAQ and your department's credit card handling procedures to Jeremy Marrs via email OR mail to:
      • Controller's Office
        Calabasas Campus
        Mail Code 4497

SAQ Forms

Each SAQ contains an Attestation of Compliance, which must be signed by the Department Supervisor. Complete one Self-Assessment Questionnaire (SAQ), version 3.0, published February 2014, for each credit card processing method accepted in your department:

  • SAQ A – Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced. Use this SAQ when:
    • Submitting to Cashier's Office
    • Submitting to Advancement
    • Web – CASHNet
    • Web – Eventbrite
    • Web – Approved Third Party Service Provider
  • SAQ B – Merchants with Only Imprint Machines or Only Standalone, Dial-out / Cellular Terminals – No Electronic Cardholder Data Storage. Use this SAQ when you have:
    • Credit Card Terminal Using an Analog Line
  • SAQ C-VT – Merchants with Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage. Use this SAQ when you have:
    • An approved Point-of-Sale System (i.e. CASHNet, TicketForce)

If you have any questions, please contact Jeremy Marrs, Director of Systems, Payables, and Purchasing at (818) 702-1383.

Last Updated: 04/19/2017