Division of Information Technology
University of North Carolina at Pembroke
PCI Data Security Standard Compliance: Requirements for Offices Seeking to Outsource Payment Card Processing
The University of North Carolina at Pembroke, as an agency of the State of North Carolina, has a contractual obligation to remain compliant with the Payment Card Industry (PCI) Data Security Standard (DSS). Under the PCI DSS requirements, if the University of North Carolina at Pembroke outsources storage, processing, or transmission of cardholder data to a third-party service provider/merchant, the University’s annual Report on Compliance (ROC) must document the role of each service provider or merchant that processes payment card transactions on behalf of the university. This documentation must clearly identify which PCI DSS requirements are the responsibility of UNC Pembroke and which requirements are the responsibility of the service provider/merchant.
In order to meet the PCI DSS reporting requirements, UNC Pembroke requires each service provider/merchant who stores, processes or transmits cardholder data on behalf of UNC Pembroke to submit evidence of their PCI DSS compliance on an annual basis.
There are two options for third-party service providers/merchants to validate their compliance with PCI DSS:
- They can undergo a PCI DSS assessment on their own and provide evidence to UNCP to demonstrate their compliance (see https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_instr_guide.pdf, page 8); OR
- Their services are reviewed during the course of their customers’ PCI DSS assessments. (UNCP does not extend PCI DSS assessment services to third-party service providers/merchants.)
Source: Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures, Version 2.0, October 2010
Accessed from https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Those vendors who are eligible to complete a PCI DSS Self-Assessment Questionnaire may submit their most recent Attestation of Compliance. Those vendors that are required to be PCI DSS certified by a Qualified Security Assessor must submit their most recent certification. In either case, the evidence must be dated within the last year.
Offices at UNC Pembroke desiring an agreement with a third-party service provider/merchant to store, process or transmit cardholder data must obtain the required PCI DSS evidence and submit it to the Division of Information Technology (DoIT). Offices with ongoing agreements must obtain and submit the evidence of PCI DSS compliance on an annual basis, as it must be included in the University’s annual Report on Compliance. It shall be the office’s responsibility to resolve any missing service provider/merchant compliance documentation. An attestation of scan compliance only addresses section 11.2 of the PCI DSS (external vulnerability scanning) and will not be accepted as evidence of full service provider/merchant PCI DSS compliance.