OMS Standard: Third Party Service Providers - PCI Compliance

Applicability: University of Washington

Standard Title: Third Party Service Providers - PCI Compliance

PDF Version: oms-standard-tpsp-pci-compliance.pdf

Purpose

This standard establishes requirements for all Third-Party Service Providers (TPSPs) storing, processing, or transmitting payment card data on behalf of the University. All TPSPs contracted by University merchants are required to comply with this standard and with the applicable Payment Card Industry Data Security Standard (PCI-DSS), in accordance with Administrative Policy Statement APS 35.1.

Scope

This standard applies to all University merchants and TPSPs storing, processing, or transmitting payment card data on behalf of the University. This includes any TPSP that could affect the security of the University cardholder data environment. The Office of Merchant Services (OMS) must approve any exceptions to this standard.

Requirements

  1. University merchants must receive approval from OMS prior to contracting with any TPSP.
  2. TPSP-provided applications must integrate with the OMS-approved, University/State-contracted payment processor. TPSP-provided applications must be PA-DSS (Payment Application Data Security Standard) compliant.
  3. TPSPs must provide a current Attestation of Compliance (AOC) to OMS annually or upon request. Level 1 TPSPs must have their AOC completed by a Qualified Security Assessor (QSA).
  4. TPSP-provided terminals must be a PCI Council certified P2PE (Point-to-Point Encryption) solution and must comply with the EMV standard.
  5. TPSP contracts must include the PCI Compliance Rider.
  6. Subcontractors to the TPSP must also meet all PCI compliance requirements if they are involved in storing, processing, or transmitting payment card data, or could affect the security thereof.

Glossary

  • Merchant – Any office, unit, department, or organization at the University that accepts credit cards as a form of payment for goods and/or services. This includes temporary, seasonal, or one-time events.
  • OMS – Office of Merchant Services
  • PA-DSS – Payment Application Data Security Standard
  • PCI-DSS – Payment Card Industry Data Security Standard
  • P2PE – Point-to-Point Encryption
  • EMV – "Europay, Mastercard, and Visa" – Payment cards that comply with the EMV standard are often called Chip and PIN or Chip and Signature cards.
  • TPSP – Third-Party Service Provider
  • TSYS – Total System Services (payment acquirer/processor that connects with Elavon)

Administrative Information

Version: 1.7

Superseded Standards: None

Date Established: Apr 8, 2019

Date Effective: Apr 4, 2022

Next Review Date: Apr 4, 2023

Approved by: Kevin Doar – Director, Office of Merchant Services

Contact: Office of Merchant Services – pcihelp@uw.edu – https://finance.uw.edu/merchant-services/