Understanding Payment Card Industry Data Security Standard (PCI DSS) Policies and Controls

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit and debit card information maintain a secure environment. The goal is to protect cardholder data, maintain strong access controls, and ensure anyone who has access to payment card information receives annual training.

EBRG Group Summary and Links

The E-Business Resources Group (EBRG) works with the University of Pittsburgh's Schools, Departments, Centers, and other internal groups to approve card processing activities, provide guidance on PCI-related matters, and enable them to accept credit card payments. Its members include representatives from the Office of the Treasurer, Pitt Digital, Purchasing Services, and Internal Audit. 

University of Pittsburgh Merchants must accept payment cards securely, in compliance with PCI-DSS requirements for safeguarding cardholder data, applicable University policies, and Federal and State law.

Requesting a Merchant Account Process

Proposal Submission

Departments interested in accepting credit cards for goods or services should begin by reviewing the information in the Becoming a Merchant section of the EBRG website and submitting a Proposal to Accept Payment Cards to ebrg@cfo.pitt.edu. After the proposal is submitted, a member of the EBRG will reach out with any questions about it, discuss existing payment processing solutions, or set up time to discuss next steps, including primary and secondary contacts for the merchant account. For questions about merchant accounts or existing options for accepting payment cards, contact the E-Business Resource Group at ebrg@cfo.pitt.edu.

Vendor Reviews

If an existing payment processing solution cannot meet your department's needs, you must complete the vendor onboarding questionnaire per the Vendor Security Risk Assessment Operating Standard. Pitt Digital will then reach out to the vendor for compliance documentation and review the vendor's security and PCI documentation to confirm that the vendor complies with PCI standards and University policies.

Vendors are required to respond to Pitt Digital within 3 weeks of the vendor review kickoff. Once the vendor responds, Pitt Digital will reply as soon as possible with follow-up questions or requests for additional documentation.

Self-Assessment Questionnaire

After the merchant account proposal and vendor reviews are completed, the department will need to complete a Self-Assessment Questionnaire (SAQ), which covers PCI-DSS compliance, to set up the merchant account. There are two versions of the SAQ: SAQ-A covers online credit card sales, and SAQ-P2PE (Point-to-Point Encryption) covers physical terminals that process credit cards. Pitt Digital will send the SAQ out via its GRC platform, 6Clicks, and work with the department to complete it. Pitt Digital will then send out the SAQ annually to ensure the account stays PCI compliant.

Pitt Digital also requires that all individuals accepting credit cards/payment cards on behalf of the University take annual PCI security training as part of setting up and maintaining the merchant account. Please see the Annual Training section below.

Once the SAQ is complete, Pitt Digital will forward it along with the proposal to Pitt's Treasury department, who will work with PNC to open the merchant account. Account setup typically takes 4–6 weeks. Upon completion, the department will receive a VAR (Value-Added Reseller) sheet containing the account number, tax ID, and primary contact for the account.

Annual Training

As part of the University’s annual PCI compliance program, all individuals accepting credit cards/payment cards on behalf of the University are required to take annual PCI security training.

Add all individuals in your area who handle credit cards to the Central Directory Services (CDS) group for your Responsibility Center (RC), using the naming convention XXX-TRAIN-PCIDSS (see the CDS PCI Group Chart below). This automatically enrolls them in the 18-minute KnowBe4 training. Please keep the CDS group updated year-round as staff join or transition into payment card handling roles. If you have questions about CDS group membership, please contact your Responsibility Center (RC) Account Administrator. 

Individuals who handle payment cards but do not have University Computing Accounts must review the PCI Training PowerPoint and complete the training confirmation survey in Qualtrics. 

All staff handling payment cards must complete training within 4 weeks of the training enrollment date.

For questions or assistance with PCI training, contact the E-Business Resource Group at ebrg@cfo.pitt.edu.

Non-Compliance

Non-compliance may result in fines, increased transaction fees, reputational damage, and loss of card processing privileges for the University.

CDS PCI Group Chart

RC Group                                            CDS Group Name
Chancellor (01)                                     OTC-TRAIN-PCIDSS
Student Affairs (05)                                STUDENTAFF-TRAIN-PCIDSS
Kenneth P. Dietrich School of Arts & Sciences (06)  AS-TRAIN-PCIDSS
SVC and Provost (10)                                OTP-TRAIN-PCIDSS
Katz Graduate School of Business (21)               KATZ-TRAIN-PCIDSS
Education (22)                                      SOE-TRAIN-PCIDSS
Swanson School of Engineering (23)                  SSOE-TRAIN-PCIDSS
Social Work (26)                                    SOCWK-TRAIN-PCIDSS
Dental Medicine (31)                                DMED-TRAIN-PCIDSS
Nursing (32)                                        NURS-TRAIN-PCIDSS
Pharmacy (33)                                       PHARM-TRAIN-PCIDSS
Medicine (35)                                       MED-TRAIN-PCIDSS
SHRS (39)                                           SHRS-TRAIN-PCIDSS
Johnstown (41)                                      UPJ-TRAIN-PCIDSS
Greensburg (42)                                     UPG-TRAIN-PCIDSS
Bradford (44)                                       UPB-TRAIN-PCIDSS
UCIS (51)                                           UCIS-TRAIN-PCIDSS
SVC Philanthropic and Alumni Engagement (56)        PAE-TRAIN-PCIDSS
Libraries (60)                                      ULS-PCI-DSS
Pitt Digital (61)                                   PittDigital-TRAIN-PCIDSS
Athletics (80)                                      Athletics-TRAIN-PCIDSS
SOMD Administration (85)                            SVCHS-TRAIN-PCIDSS
Chief Financial Officer (87)                        CFO-TRAIN-PCIDSS
Business Hospitality and Auxiliary Services (92)    BHAS-TRAIN-PCIDSS
School of Computing and Information (94)            SCI-TRAIN-PCIDSS
