What is Payment Card Services

The University recognizes that the ability to accept credit card payments is necessary for modern e-commerce. Credit card payments provide a convenience to customers, help to stimulate sales, and contribute to increased operational efficiency.  Payment Card Services supports University departments and units that accept credit card payments by facilitating e-commerce payments, ensuring compliance with applicable laws and industry standards, and providing the training necessary to responsibly conduct payment card transactions.  Safeguarding of customer confidential information is of central importance in ensuring institutional compliance and protecting the security of University customers.


Responsibilities of UVA Payment Card Services

Payment Card Services assists departments and units by:

Payment Card Services helps departments and units with secure methods for accepting payment cards for:

  • Conferences and workshops;

  • Special events and fundraisers; and

  • Sales of goods and services.

Payment Card Services offers numerous ways that departments and units can accept payment cards, including through:

  • E-commerce websites;

  • Desktop payments;

  • Mobile payment devices; and

  • Third-party payment servicers.

PCI-DSS Compliance

The Payment Card Industry Data Security Standards (PCI-DSS) apply broadly to all payment card transactions. Payment Card Services is responsible for monitoring the University's compliance with the PCI-DSS standards.

The PCI-DSS standards apply to:

  • All payment transactions involving payment cards, regardless of method.

    • This includes situations where a department or unit directs customers to a third-party processor.

  • All devices used to process payment card transactions, including swipe machines, point-of-service systems, PIN pads, and mobile/wireless devices connected to a network (smartphones, tablets and PCs).

  • All vendor processes and products involved in payment card transactions, including payment application software, third-party providers, processors, website security and payment page accessibility.

    • Note:  The University is contractually obligated to assure compliance with the PCI-DSS standards if it directs a customer to a University-contracted vendor that accepts payment card transactions, even if the University does not directly benefit from the revenue.

PCI Compliance Training Opportunities:
  • Website Requirements

  • Desktop Procedures

  • Front-Line Training

  • PCI Coordinator Appointment and Training

  • Annual Self-Assessment Question Requirements

    • SAQ A: Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced

    • SAQ A-EP: Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing

    • SAQ A-Nelnet Only

    • SAQ B: Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals – No Electronic Cardholder Data Storage

    • SAQ B-IP: Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals – No Electronic Cardholder Data Storage

    • SAQ C-VT: Merchants with Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage

    • SAQ C: Merchants with Payment Application Systems Connected to the Internet – No Electronic Cardholder Data Storage

    • SAQ P2PE: Merchants using Hardware Payment Terminals in a PCI SSC-Listed P2PE Solution Only – No Electronic Cardholder Data Storage

    • SAQ D-Merchant: All other SAQ-Eligible Merchants

    • SAQ D-Service Provider: SAQ-Eligible Service Providers

Related Policies and Resources

Medical Center Policy 0335: Use of Payment Cards at the Medical Center


For additional information related to Payment Card Services, email uva_payment_card_svcs@virginia.edu.