To process payment cards using a third-party service provider, UCI merchants must either use service providers approved by the campus or go through the approval process for a new service provider. All service providers must be approved before use.
- All third-party service providers must be approved before being used for payment card processing.
- The use of all third-party service providers must adhere to the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and UC policies, including UCI Policy 704-14 and UC Policy BUS-49. Appendix DS must be included in all contracts.
- All third-party service providers must provide an annual service provider Attestation of Compliance (AOC) and a description of the services provided, with clear roles and responsibilities defined for all parties involved in payment card processing.
- Existing UCI-approved third-party service providers, such as TouchNet Marketplace, Authorize.Net and Bluefin, should be used when possible.
- If the use of an existing UCI-approved third-party service provider is not possible, UCI Merchants must seek approval from the UCI PCI Committee.
- UCI Merchants are responsible for paying all associated fees, including but not limited to payment card processing and QSA evaluation costs.
- When engaging a new third-party service provider, UCI Merchants must:
  - Complete a Request to Use a Third-Party Payment System and provide all information requested. Failure to provide complete documentation, including a network and cardholder dataflow diagram, may delay the project.
  - Provide the third party's current PCI service provider AOC.
  - Provide a copy of the third party's contract.
  - Submit the request to the PCI Committee for review at firstname.lastname@example.org.
- Merchants must have the appropriate documentation, approvals and security measures in place to assist in a smooth launch.
- As determined by the Campus PCI Committee, additional evaluation of the third-party service provider may be required and may include review by:
  - UCI's Qualified Security Assessor (QSA).
  - The Assistant Vice Chancellor of Accounting & Fiscal Services.
  - The UC Office of the Chief Investment Officer.
- Contracts must be reviewed by the Contracts unit in Procurement Services, OIT Security, and/or the PCI Committee for the appropriate data security language. Service providers may be asked to append specific language required by the UC, such as Appendix DS (Data Security), to the contract if it is not included in the original contract.
- The approval and setup process may require an assessment by UCI's QSA, so be sure to allow ample time (several weeks to several months for a major system implementation). The cost of QSA services will be charged to your department if such services are required in the assessment of the project.
- If your department is requesting to become a new merchant, or is an existing merchant needing a new Merchant ID (MID) or equipment, contact Payment Services at email@example.com.
- Departments needing a payment gateway set up using the UC's preferred service provider should contact Payment Services at firstname.lastname@example.org, who can assist with this process. Setups can take up to four weeks.
The PCI Committee will evaluate the third-party service provider request and supporting documentation. If the use of the third-party service provider is approved, UCI Merchants must:
- Attest to PCI compliance annually by completing the appropriate SAQ as determined by the UCI campus credit card coordinator. All supporting documentation must be provided as required by the SAQ.
- Complete annual PCI DSS Security Awareness Training on UCLC.
- Maintain documentation of the third-party service provider's current PCI compliance, including:
  - Annual AOC.
  - A description of services provided.
  - Roles and responsibilities defined for both UCI and the third-party service provider.
Service provider solutions presented by merchants that are questionable, or that cannot be verified as PCI compliant, may require one or more of the following:
- Extensive review by the campus PCI Committee and other individuals/parties as necessary.
- Additional documentation as required.
- Evaluation by the UC's QSA at the merchant's expense.
  - If this is necessary, Payment Services will make the arrangements for the assessment with the QSA.
- Consultation with the university's acquiring bank and the UC Office of the Chief Investment Officer.
Completing the above steps does not guarantee that the merchant's use of the third-party service provider will be approved.