Annual credit-card compliance process

Publication Date: March 5, 2009
Expiration Date: March 5, 2012
Kate Riley, IST–Infrastructure Services

Background

In order to conduct credit-card transactions, merchants must meet the security standards set by the Payment Card Industry (PCI) Security Standards Council. The PCI Security Standards Council is an open global forum that was launched in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. It is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (DSS), which governs cardholder data that is stored, processed, or transmitted by merchants and other organizations. These standards were devised to give merchants a robust and unified framework within which their customers' cardholder data is protected from theft and fraudulent use. Compliance is required of all merchants regardless of size or number of transactions. See https://www.pcisecuritystandards.org/.

Every year, the UC Berkeley Controller's office must submit an attestation to the UC Regents' merchant bank, First Data Merchant Services, confirming that campus merchants have implemented their credit-card acceptance solutions in a manner that adheres to the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Security Assessment Procedures.

Each University of California campus is assigned a merchant level by our bank based on the campus's annual transaction volume. For the past four years, Berkeley's aggregated transaction volume has required Berkeley to submit a formal attestation to First Data that each Berkeley merchant has complied with the PCI DSS in its entirety. This year, Berkeley will need to comply with PCI DSS v1.2, which took effect January 1, 2009.

The certification process

The Billing and Payment Services Office (BPS) coordinates more than 130 departmental merchant accounts. Working with IST, BPS determines each merchant's PCI DSS validation type based on its credit-card acceptance methods. The certification requirements for each type of merchant vary greatly. The validation types range from 1 to 5, with 1 being the lowest risk, the cheapest in infrastructure cost, and the easiest to comply with. As the validation type increases, so do the complexity, rigor, risk, and infrastructure cost. The majority of our merchants can easily be classified into one of the five types. However, each year a number of our merchants must be re-evaluated because of changes in the compliance requirements, requirement clarifications issued by the Security Standards Council, or a change in business practices or systems.

For merchants whose classification is under review, members of IST and BPS will meet with the Office of the President and First Data Merchant Services to analyze the merchant's business practices, assess the risk to the campus, and determine the appropriate solution to ensure compliance. Once a solution has been identified, the merchant must implement it. Sometimes these changes are minor, such as updating policy and procedure documentation; sometimes the merchant must purchase new equipment, change vendors, or completely revamp its business practice.

Once a merchant's validation type is identified, they can download their self-assessment questionnaire (SAQ) and begin their individual compliance process. Each SAQ outlines in detail what the merchant must do to achieve compliance. A merchant must be able to answer "yes" to each question or provide compensating-control documentation for each requirement that cannot be implemented exactly as stated. Compensating controls are considered for legitimate technical or documented business constraints; however, the compensating control implemented must meet the intent and rigor of the original PCI DSS requirement. All compensating controls must be reviewed by IST and BPS, who will submit them to our merchant bank for assessment. If a submitted compensating control is rejected, the merchant fails compliance and must find a new solution, a better compensating control, or conform to the requirement as stated.

Monthly security compliance scans

Merchants classified as validation type 4 or 5 must contract with the University's PCI DSS scanning vendor, Ambiron TrustWave, for monthly scans. Each month a merchant must pass the scan conducted by Ambiron; a merchant that fails a scan is no longer compliant. The merchant will be given a limited amount of time either to fix the vulnerability identified by Ambiron or to submit a formal appeal (for example, when the finding is a false positive for the merchant's configuration). If a failed scan is not addressed in a timely manner, the campus will be out of compliance and the merchant account may be suspended until compliance is restored.

Outsourcing Paperless Payment Processing and ePay

In 2008 it was determined that Berkeley had more than a dozen type-5 merchants, the majority of which were in-house web applications that provided real-time credit-card authorizations for customers. Validation type 5 is by far the most comprehensive and strictest classification, and the highest risk, because the merchant's own systems handle cardholder data. After evaluating the new PCI DSS requirements and the cost to Berkeley of adhering to them, BPS decided to retire Paperless Payment Processing (a custom enterprise gateway solution to CyberSource) and ePay (a low-volume, low-cost web application that allowed smaller units on campus to take credit cards online). The customers of both ePay and Paperless Payment Processing now deal directly with CyberSource's Hosted Order Page (HOP), a secure order page hosted by CyberSource on which the cardholder enters card data, so that the data never reaches campus servers; this gives these merchants a type 1 validation classification. The outsourcing allowed Berkeley to re-classify 11 merchants from type 5 to type 1. It did not eliminate the need to be compliant, but, if properly implemented, the CyberSource HOP solution greatly reduces the campus's risk and exposure. The lower classification is easier to implement and maintain, and is more cost effective.
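The following is an added illustration of the hosted-order-page pattern described above; it is not code from this page, and it does not use CyberSource's actual HOP field names or signing scheme, which are not reproduced here. The hosted-page URL, merchant id, field names, and shared secret are hypothetical. What it shows is the property that earns the lower classification: the campus application signs only the order summary (order id, amount, currency, return URL), redirects the shopper to the processor's page where the card number is entered, and later verifies the signed result the processor posts back. If the merchant's code ever receives a card number, the integration has fallen out of that scope, so the verifier rejects such a callback outright.

```python
"""Hosted-order-page handoff (added illustration; hypothetical field names and URLs,
not CyberSource's API). The merchant never sees the card number."""
import hmac
import hashlib
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values for this example; a real deployment receives them from the processor.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
HOSTED_PAGE_URL = "https://payments.example.com/hop"   # hypothetical processor page
MERCHANT_ID = "ucb_dept_0042"                           # hypothetical merchant id

# Fields the merchant commits to. Deliberately no card number, expiry or CVN:
# those are typed into the processor's page and never transit the merchant.
MERCHANT_SIGNED = ("merchant_id", "order_id", "amount", "currency", "return_url")
CARDHOLDER_FIELDS = {"card_number", "card_expiry", "card_cvn"}


def _signature(fields, names, secret=SHARED_SECRET):
    """HMAC-SHA256 over the named fields in a fixed order. The field names are part
    of the MAC input, so dropping or reordering fields changes the signature."""
    canon = "&".join(f"{n}={fields[n]}" for n in names)
    return hmac.new(secret, canon.encode(), hashlib.sha256).hexdigest()


def build_handoff(order_id, amount, currency, return_url):
    """Merchant side: build the redirect that sends the shopper to the hosted page."""
    fields = {"merchant_id": MERCHANT_ID, "order_id": order_id, "amount": amount,
              "currency": currency, "return_url": return_url,
              "signed_field_names": ",".join(MERCHANT_SIGNED)}
    fields["signature"] = _signature(fields, MERCHANT_SIGNED)
    return HOSTED_PAGE_URL + "?" + urlencode(fields)


def processor_checkout(handoff_url, card_number, decision):
    """Stand-in for the processor: verifies the merchant's signature, takes the card
    on its own page, and returns the signed result it would post to return_url."""
    req = {k: v[0] for k, v in parse_qs(urlsplit(handoff_url).query).items()}
    names = req["signed_field_names"].split(",")
    if not hmac.compare_digest(_signature(req, names), req["signature"]):
        raise ValueError("merchant signature invalid")
    result = {"order_id": req["order_id"], "amount": req["amount"],
              "currency": req["currency"], "decision": decision,
              "card_last4": card_number[-4:],          # only a truncated PAN goes back
              "signed_field_names": "order_id,amount,currency,decision,card_last4"}
    result["signature"] = _signature(result, result["signed_field_names"].split(","))
    return result


def verify_callback(params, order_id, amount, currency):
    """Merchant side: accept the posted result only if it is authentic, matches the
    order the merchant signed, and carries no cardholder data."""
    if CARDHOLDER_FIELDS & set(params):
        return False, "cardholder data in callback: integration is out of HOP scope"
    names = params.get("signed_field_names", "").split(",")
    if not {"order_id", "amount", "currency", "decision"} <= set(names):
        return False, "result does not sign the fields we rely on"
    try:
        expected = _signature(params, names)
    except KeyError:
        return False, "signed field missing"
    if not hmac.compare_digest(expected, params.get("signature", "")):
        return False, "bad signature"
    if (params["order_id"], params["amount"], params["currency"]) != (order_id, amount, currency):
        return False, "result does not match the order we sent"
    if params["decision"] != "ACCEPT":
        return False, f"declined: {params['decision']}"
    return True, "ok"


if __name__ == "__main__":
    url = build_handoff("ORD-1001", "25.00", "USD", "https://dept.example.edu/pay/return")
    good = processor_checkout(url, "4111111111111111", "ACCEPT")  # test PAN; stays at processor
    print(verify_callback(good, "ORD-1001", "25.00", "USD"))      # (True, 'ok')
    tampered = dict(good, amount="0.01")                          # shopper edits the posted amount
    print(verify_callback(tampered, "ORD-1001", "25.00", "USD"))  # (False, 'bad signature')
```

The amount and order id are compared against what the merchant recorded before the redirect, not taken from the callback on trust, and the signature check uses a constant-time comparison. Order ids should be single-use on the merchant side so a captured "ACCEPT" result cannot be replayed against a second order.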

Conclusion

The formal attestation happens every September for the Berkeley campus. However, remaining compliant is a daily undertaking. If you have a merchant account, you must be PCI DSS compliant. Merchants will need guidance from IST, BPS, First Data Merchant Services, and Ambiron TrustWave to implement the requirements in their entirety. To be compliant, merchants may need to adjust their business practices, change their applications, or work with their application vendors to adhere to the PCI DSS. While Berkeley comprises more than 130 individual merchants, the Berkeley campus is classified as a single merchant for PCI DSS compliance. If one merchant fails or is breached, the entire campus is considered out of compliance. We are in this together.