What are the requirements if we are using a University contracted vendor (usually a $0.00 PO) who collects revenue on our behalf via credit cards?

With PCI 3.0 (effective December, 2013) the University became responsible for annually verifying the payment card data flow and PCI compliance for all third-party contracted vendors and their external service providers (either an AOC (Attestation of Compliance) or a ROC (Report of Compliance) for each vendor who touches payment card data). As the units renew agreements with vendors, and as we are made aware of their relationship with the University, we are then bound to verify compliance. If we, the University, have offered up services or a payment vehicle to our community, then we are compelled to verify that the process is secure and compliant. It won’t just be the vendor’s name in the news; the lead will be “UVA Breached and card and personal data exposed”.

The individual unit will then be obligated to update the compliance documents (the payment flow document and the AOCs or ROCs) annually with Payment Card Services as part of the University-wide annual PCI review. These compliance documents also have a direct consequence for the University’s ability to continue to purchase risk insurance (see What can happen if we fail to meet PCI compliance?).