PCI-DSS Card Security

PCI-DSS stands for the Payment Card Industry Data Security Standard. This is the worldwide security standard for credit card data, and adherence is required by the card brands, state law, and university policy. The security standard can be found at pcisecuritystandards.org.

Training on PCI-DSS can be found in TrainTraq. Just search for "PCI-DSS".

Merchants within the Texas A&M University System are required to perform an annual security self-assessment using a tool called the Self-Assessment Questionnaire. Different versions of the questionnaire exist for different types of card acceptance, such as e-commerce, countertop card readers, or complex point-of-sale systems. University Accounting Services can help determine which questionnaire you should complete.

Consequences of Non-Compliance

Merchants found to be out of compliance with security standards will be given a reasonable amount of time to correct the problem and be re-audited. If PCI-DSS non-compliance is due to documentation, procedure, or training, the merchant will be given 30 days from notification to reach compliance. If the non-compliance is related to IT security, a compliance date will be established by mutual agreement between the merchant and IT Security. Failure to reach compliance by the deadline may result in the suspension of the merchant's account by Texas A&M's card processor. Requests for deadline extensions must be approved by the Vice President of Finance and Operations.

Individuals who fail to complete the mandatory annual PCI training by the deadline are automatically suspended from accessing cardholder data or systems that support the processing of such data. Merchants with less than 20% overall training compliance will be given 5 business days to complete online training. Failure to reach minimum compliance will result in the suspension of the merchant's account by Texas A&M's card processor.