Alternative Third Party Processing Options
USU departments will, whenever possible, use existing approved credit card accepting systems which have been previously vetted by Treasury Services to ensure security, PCI DSS compliance, and efficiency.
If an existing system can not meet the department's needs, the departments must ensure any and all purposed third-party vendors, service providers, software application, gateways, equipment, and outsourced payment services, are PCI DSS compliant. Furthermore, appropriate data security language must be included in all contracts with third party service providers involving payment card acceptance. All newly purposed third party payment solutions must be approved by the PCI Compliance Officer.
General Requirements of Third-Party Vendors
In general, if a department wants to work with an outside (third-party) vendor to sell goods and/or services, the supplier must meet the following requirements:
- Will use the University merchant account, whenever possible
- Will use a USU approved gateway
- Can demonstrate PCI compliance with evidence of passing PCI certification
- Is listed on the PCI approved Payment Applications (if appropriate)
- Will include PCI security language to maintain their PCI compliance ongoing.
- Willing to provide PCI documentation annually upon request.
- Is willing to negotiate terms and conditions as part of the contract process if necessary language is not include in their normal contract.
Payment Card Industry Standards (PCI)
Any vendor that offers credit card acceptance capability and wishes to do business with the University must agree to standard USU contract language about PCI compliance and provide evidence of their PCI validation. PCI validation must be verified by the Merchant or PCI Compliance Officer annually, and any vendor that fails to maintain compliance with PCI standards is subject to being discontinued as an approved vendor to USU merchants.
Payment Application Data Security Standard (PA-DSS)
Depending on the type of product offered by the vendor, the vendor may also have to certify their product was developed according to the PA-DSS. Vendors listed on the PCI SSC website’s List of Validated Payment Applications or Visa’s Global Registry of Service Providers are automatically accepted as being compliant with PA-DSS.