What is PCI and why should I care?

PCI stands for Payment Card Industry. PCI Data Security Standards are national standards issued by the Payment Card Security Standards Council and apply to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers. PCI also applies to all other entities that store, process or transmit cardholder data or may have an impact on the security of the cardholder data environment.


The University and all departments that process payment card data, or that have a relationship with an entity that collects payment card revenue on their behalf, have a contractual obligation through Elavon to adhere to the PCI Data Security Standard (PCI-DSS). We must adhere to these standards to protect our customers and to continue to process payments using payment cards. Each year, departments and units that conduct payment card activities with an established merchant account through Elavon must submit a Self-Assessment Questionnaire (SAQ Documents) to the U.Va. Payment Card Services unit assuring their compliance with the PCI data security standards.

Departments and units that work through a third party that uses payment cards to collect revenue on their behalf are also obligated under PCI to provide card flow diagrams and verify annual compliance of all third-party vendors in the card data flow process.

PCI has governance over software vendors, payment applications, processors, and all devices, including swipes, POS, PIN pads, mobile, smartphones and tablets. (Approved Companies and Providers)


There are a great many resources available from the PCI-DSS homepage. The Resources For Small Merchants section provides a good overview of the operational requirements. There is also a link to the PCI FAQs and several interesting short videos. The PCI Glossary is available in the Standards and Documents section, as are the SAQs referred to above.