When can we use a third-party vendor for front-end data collection (i.e. someone who may provide a service or software)?

These services may include hosting a registration form, compiling the collected data into reports, managing a conference, etc. If the vendor does not also collect credit card payment information or refer your customer to a third party for payment card processing, then using such a vendor does not bring your process under PCI compliance rules.

However, if payments via credit cards are collected and the department employs a third party, then PCI does require that the University initially vet and annually verify the vendor's PCI compliance if the vendor, service provider or Payment Application (PA-DSS) stores, processes or transmits cardholder data or other sensitive authentication data, or if the vendor may otherwise impact the security of the cardholder data environment. A typical example is a vendor who passes personal or sensitive data through to a payment page where card data is collected; the risk in that hand-off is a Man-in-the-Middle attack.

We recommend that credit card merchants use one of the University's four preferred third-party credit card payment options:

  • web processing through Nelnet-CommerceManager@UVA
  • web processing through our processor, Elavon, using “Converge”
  • shopping cart through Nelnet - eStore
  • Eventbrite through ITS at UVa.

With most of these options, the customer is passed to an outside, PCI-compliant payment page where the card information is collected and verified. With extra coding from your IT staff, the customer can then be redirected back to your website to continue their experience.

If the unit is not using one of the vetted vendors, then an application may be required, as well as negotiation of the contract through Procurement. In that case, a review of the Third-Party Guidance document, completion of a Third-Party application, and a conversation with Payment Card Services are required.

See the PCI Security Standards Council Special Interest Group guidance “Best Practices for Securing E-Commerce”.