The Payment Card Industry (PCI) Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step.
Per PCI Data Security Standards (PCI DSS) policy, we must:
- Establish, publish, maintain and disseminate security policy.
- Develop daily operational security procedures that are consistent with PCI DSS requirements.
- Develop usage policies for critical technologies.
- Ensure the security policy and procedures clearly define information security responsibilities for all personnel.
- Assign to an individual or team the following information security management responsibilities:
  - Establish, document and distribute security policies and procedures.
  - Monitor and analyze security alerts and information, and distribute to appropriate personnel.
  - Establish, document and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  - Administer user accounts, including additions, deletions and modifications.
  - Monitor and control all access to data.
- Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
- Educate personnel upon hire and at least annually.
- Require personnel to acknowledge at least annually that they have read and understand the security policy and procedures.
- Screen potential personnel prior to hire to minimize risk of attacks from internal sources.
- If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers.
- Implement an incident response plan. Be prepared to respond immediately to a system breach.
Credit Card Training
PCI DSS states that to accept credit card payments you must be PCI compliant. One of the mandated requirements of PCI states that PCI and security awareness training must be conducted upon hire and at least annually. Any official, administrator or affiliate with responsibilities for managing University cardholder transactions and employees or personnel entrusted with handling or processing cardholder payments must complete training upon hire and annual training thereafter. IT Directors and designated staff must also complete the PCI and security training and also comply with University Computing Security Standards.
Complete one of the online trainings listed below.
- If you are a regular staff member or student employee, you must take the training "PCI Compliance Essentials."
- If you are a Hospital employee, you must complete and pass the "PCI-25" course through the Saba Learning Management System.
- If you are not enrolled in either of these courses, please notify John Layman, laymanj@umsystem.edu, to enroll.
- If you cannot be enrolled in either the Percipio or the Saba courses, you will be enrolled in the MakeITSafe training through .
Dos and Don’ts
There are a few key things you should do to ensure you are compliant with PCI’s standards. This simple list of Dos and Don’ts should get you started down the path of PCI compliance.
PCI Compliance Dos
- Change the default password on your computer to a complex password.
- Supervise all visitors in areas where credit card information is maintained.
- Ensure all cardholder data is unreadable during transmission. In other words, strong encryption must be used for transmission.
- Cross-cut shred handwritten credit card information immediately after use.
- Store documents or media with credit card information in a locked drawer or filing cabinet accessible only by authorized personnel.
- Report immediately to your supervisor and the Information Security Officer for your campus if you suspect credit card information has been lost, stolen, exposed, or otherwise misused.
- Submit a quarterly scan report, completed by an Approved Scanning Vendor (also called an ASV). DoIT and the Office of the Treasurer can facilitate your scan.
- Complete and maintain your PCI Merchant Manual to ensure PCI compliance.
- Attend the university PCI training class upon hire and also annually. Contact the Office of the Treasurer for on-site training or to learn more about the University PCI training.
- Maintain a copy of the PCI-specific policies and procedures commensurate with your merchant category.
- Contact UM PCI-DSS Core Team by email at PCI@missouri.edu if you are making a change to your cardholder data environment.
- All merchants must have a current data flow diagram on file specific to their merchant environment.
PCI Compliance Don’ts
- Never physically write down any credit card information unless you are explicitly required to do so as part of your business processes.
- Never acquire or disclose any cardholder’s credit card information without the cardholder’s consent, including but not limited to:
  - The partial sixteen (16) digit card number.
  - The CVV/CVC (three- or four-digit validation code on the back of the card).
  - The PIN (personal identification number).
- Never transmit or accept any of the above cardholder information via e-mail, fax, scan (image now or other), or by end-user messaging technologies.
- Never store any sensitive authentication data on a University computer, server, or on paper, including:
  - The card’s storage chip or magnetic stripe.
  - The CVV/CVC (the three- or four-digit validation code on the back of the card) post authorization.
- Never use an imprint machine to process credit card payments (unless you must as part of your business processes).
- Never leave unsettled batches in terminals at the end of a business day. Set up auto-settle programming or ensure that batches are settled manually each night.
- Never share the password to your computer or any computer you access.
- Never leave sensitive information unattended on your desk, screen, or in any public area.