PCI Equipment or System Review

Accepting Credit Card Payments (PCI)

Any campus department wanting to accept credit card payments must comply with the Payment Card Industry Standards (PCI). The campus guidelines below outline the department requirements and the IT support structure necessary to enable the department to proceed with credit card processing at CSUMB.

Department Responsibility

Identify the Business Process Owner
  • Identify the point of contact responsible and able to respond to inquiries about the department’s requirements and the credit card payment system and process overall.
  • The Business Process Owner or department representative must attend an annual review meeting with IT to confirm and report any changes to the PCI process, equipment, or users.
Identify the Business Application used to process credit card payments
  • Be able to provide the application contract details (new contracts must go through the campus contract review process), including:
    • Business contact and application information (description, version, spec sheets, etc.)
    • URL that will be used for connecting to the payment process
    • Technical contact that supports the department for issues with the application
Identify all equipment required for the transaction process (quantities, types, models, spec sheets, etc.)
  • Computers
  • Printers
  • Peripheral devices (card readers, etc.)
Identify the location of all equipment being used for the PCI process
  • Building, room, specific location in room
  • Describe the security of the location (lockable room, private office, shared space, etc.).
Identify all the users of the equipment designated for the PCI process
  • Provide the names and titles of all users who will log in to the PCI system.
  • Any change to users (even a temporary one) must be submitted to IT on the appropriate PCI ticket.
  • PCI users must not log in for anyone else.
  • All approved users of PCI equipment will be required to complete PCI training in CSU Learn annually.

Requirements for the PCI Processing Equipment

  • All equipment used for PCI processes must be dedicated to PCI only and cannot be used for other purposes at any time.
  • All ports identified for PCI equipment will be dedicated and no other equipment can be plugged into these ports at any time.
  • PCI designated equipment must never be relocated or plugged into ports not designated specifically for PCI use by that equipment.
  • All PCI designated computers must be left on at all times to enable scans and updates.

What IT Will Provide

  • TSS will provide delivery of computers to be set up by a PCI Technician with the software needed to enable the PCI process.
  • Identification and recording of required information about the computers.
  • Installation of the appropriate applications, as needed.
  • Monitoring of the traffic on the computers.
  • Network Operations will provide configuration of the network ports and ensure that the PCI processing machines are put into the appropriate (PCI) network.
  • Running of the required monthly internal and external scans.
  • Monitoring of the traffic over the network.

Reporting System or Process Changes, or PCI Incident

  • Any change to the PCI processing system (computers, vendors, process, users) must be reported to IT on the appropriate PCI ticket, and during the annual review meeting with the campus PCI users.
  • To report any PCI-related incident (e.g., data loss or system failure), please submit an IT ticket immediately.

Troubleshooting PCI Vendor and Asset Issues

When the IT-PCI Technician is troubleshooting a ticket:

  • The PCI user with the vendor login and merchant ID number is expected to be present.
  • The IT-PCI technician does not have the ability to process a credit card in order to validate a transaction.
  • The PCI user should be ready to test the transaction process.
  • The IT-PCI Technician may:
    • Make some changes to update the workstation security.
    • Ask to look at other devices required per the vendor agreement or the business process.
    • Apply PCI local group policy to prevent the saving of credit card information.
    • Apply BIOS configurations or updates.
  • Processing of transactions should not be affected, unless the change addresses a security issue that could result in a fine if left uncorrected.
  • The IT-PCI Technician may require access to the following:
    • Agreement with vendor and Merchant ID number.
    • Department contacts including roles.
      • Names and roles of users to add or remove from local groups on the workstation.
    • Vendor training material
    • Any software required
    • URL required
    • URL technical contact
    • Any network information provided by the vendor
    • Supported browsers (Edge, Explorer, and Chrome Enterprise), but only if required.