Frequently Asked Questions

  • Why does PCI compliance matter?

    PCI (Payment Card Industry) compliance is essential for any university department that handles credit or debit card transactions. It ensures the security and integrity of payment data by requiring departments to follow established standards for protecting cardholder information. Here's why it matters:

    • Protecting Sensitive Data: PCI compliance helps safeguard the personal and financial information of anyone who makes payments to the university. By adhering to these standards, departments reduce the risk of data breaches and identity theft.
    • Avoiding Financial and Legal Consequences: Non-compliance can lead to substantial fines, legal penalties, and even the loss of the ability to accept card payments. It can also result in costly investigations and remediation efforts if a data breach occurs.
    • Maintaining Trust and Reputation: Security breaches can erode trust in the university’s ability to manage financial transactions responsibly. Compliance demonstrates a proactive commitment to data protection and institutional integrity.
    • Supporting Institutional Accountability: As stewards of university resources, departments have a responsibility to follow best practices for financial transactions. PCI compliance is a standard that ensures consistency, accountability, and due diligence across all units.

    In short, PCI compliance is not just an IT or finance issue—it’s a shared responsibility that supports the university’s mission, protects its community, and upholds its reputation.

  • How do I comply?

    Each year, departments are required to complete a Self-Assessment Questionnaire (SAQ) to validate adherence to PCI compliance standards. Additionally, all applicable employees must complete the annual PCI compliance training in Oracle to ensure they remain informed of and accountable for secure payment card handling practices.

  • How do I manage third-party vendor PCI compliance?

    Managing a third-party vendor’s PCI compliance involves ensuring that any external service provider handling payment card data on behalf of the department adheres to applicable PCI DSS (Data Security Standard) requirements. Specifically, departments should consider the following:

    • Due Diligence During Vendor Selection: Before engaging a third-party vendor, confirm that they are PCI compliant. Request and review their Attestation of Compliance (AOC), checking that it is current and that the services it covers include the services the department intends to use.
    • Contractual Requirements: Ensure that all vendor contracts include specific language requiring the vendor to maintain PCI compliance for the duration of the engagement. The contract should also outline responsibilities related to data protection and breach notification.
    • Ongoing Monitoring: Request an updated AOC from the vendor annually to verify that the vendor remains compliant.
    • Coordination with University Offices: Work with the university’s Procurement team, IT, and PCI Compliance offices to ensure vendors are properly vetted and approved.
    • Awareness of Changes: If the vendor changes its systems or services in a way that affects how cardholder data is handled, reassess the impact on PCI compliance and update documentation accordingly. This information should be communicated to the university’s PCI Compliance office.

  • What should I do if I think our payment solution is compromised?

    If you suspect that your department’s payment solution has been compromised or that there has been a breach involving payment card data, it is critical to act immediately. Follow these steps:

    • Stop All Payment Processing: Immediately cease all payment card transactions through the suspected system to prevent further exposure.
    • Notify the PCI Compliance Office: pcicompliance@vanderbilt.edu
    • Do Not Attempt to Investigate Internally: Avoid rebooting, powering off, or making any other changes to the system, and do not attempt to investigate the issue on your own. Doing so could destroy or compromise evidence needed for a formal investigation.
    • Document Observations: Record what you observed, including the date, time, and nature of the suspected compromise. This information will assist the investigation.