Office of Treasury Operations, Merchant Card Services

Data Security

Protecting customers’ payment card information is more than a nice idea—it’s a requirement. Two sets of standards apply to merchant card-processing units:

  • The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements established by the PCI Security Standards Council to protect cardholder data. The PCI DSS applies to all business entities that store, process, or transmit cardholder data. The Council is responsible for managing these security standards, and compliance is enforced by the Council's founding members: American Express, Discover Financial Services, Visa and MasterCard.
  • The System PCI DSS Policies are special policy additions that relate or “key” to the PCI DSS.

It is each merchant unit's responsibility to follow all policies and procedures in the PCI DSS, as well as those put in place by the University of Illinois. Merchant units that do not follow these policies and procedures may lose the ability to accept card payments.

Merchant Card Services is responsible for making sure that all University units that accept payment cards (for the sale of goods or services) comply with all applicable data security standards. We conduct periodic reviews of each unit's processing environment to ensure that all policies and procedures are being followed. As always, any business operation is subject to formal review by the Office of University Audits.