(Approved by the Senior Vice President for Finance and Facilities by authority of Executive Order No. 5)
Departments and business units throughout the University of Washington (UW) have entered into merchant contracts with the Payment Card Industry (PCI) as part of their business transaction service sets. Because of rapidly evolving financial crimes and cyber-related security challenges, the payment industry, including American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, has published specific "PCI Data Security Standards" in an effort to better secure payment account data in a globally consistent manner. All merchant contract holders are required to adopt and implement tools, practices, and policies to comply with these standards. Failure to comply may result in financial penalties, or security breaches.
This policy helps ensure PCI compliance requirements are met throughout all UW business units and departments. It also provides UW procedures for use, reporting requirements of contracted payment card services, and the process for obtaining and maintaining merchant contracts on the Acceptance of Credit Cards on Campus web page.
Merchant: Any office, unit, department, or organization at the University of Washington that accepts credit cards as a form of payment for goods and/or services.
Merchant Contract Holder (MCH): Any UW business unit or department that holds a merchant contract with any PCI service provider(s). This includes terminal-based payment system owners and online web-based application system owners.
Merchant Level: PCI security standards provide four different levels of compliance activities that must be completed annually. These levels, (merchant levels 1-4) are based on the transaction volumes of a merchant. Essentially, merchants with the most transactions have the most compliance work to perform to stay in compliance. The specific compliance requirements for each merchant level can be found on the Merchant Levels and Compliance Validation Requirements Defined web page.
of use, retention, and protection measures related to data that customers submit. It should also
state what, if any, electronic monitoring, and HTTP cookie use the UW intends to perform with a
visitor's electronic connection. The site must also provide contact information for customers to
OWASP Standards: Open Web Application Security Project (OWASP) secure coding standards are referenced in the PCI security standards for web application developers to use to avoid common coding vulnerabilities in the software development process.
PCI Security Standards: The information security standards, published by the PCI, that all MCHs are required to adopt and implement. Failure to comply may result in serious fines, penalties, and/or restrictions on merchant account activity.
Transaction Service Provider: The third party who provides a secured processing connection with the MCH's transaction processing bank.
All current and future UW MCHs or temporary transaction service setups to accept credit card transactions for a specific activity or event are required to comply with this policy.
Failure to comply with this policy may result in restrictions on use or closure of merchant account-related services, and disciplinary action.
For additional information, contact Student Fiscal Services:
April 30, 2009; May 13, 2009.