PCI Security Requirements
Payment card transactions require specific security measures, and the cost of those measures varies by processing method. For details, consult Income Accounting and Student Loans. A glossary of PCI DSS terms is available.

  • DO NOT turn off or unplug the computer or terminal. Important forensic evidence can be lost by powering down or unplugging the equipment.
  • DO NOT continue to use a computer or terminal that may have been compromised.
  • Immediately contact Income Accounting: 801-585-5686
  • Income Accounting will contact Wells Fargo and instruct you on what to do next.

Resources

  • WIAN Security Authorization Request Form (PCI Active Directory) (PDF)
  • Significant Change Requirements (PDF)
  • ITS – Change Policy (PDF)
  • Roles, Responsibilities, Procedures (PDF)
  • How to Enter a Request for Change (RFC) (PDF)

Requirements by Mode

The different modes of payment card transactions are listed below, together with the security requirements that incur annual costs for each mode.

  • Stand-alone terminals use an analog phone line for communication. This is the least expensive option. There are no specific security requirements with associated costs other than an annual assessment of policies, procedures, and employee training.
      • Annual Assessment by a Qualified Security Assessor
  • An internet connection is used for communication to authorize and settle payment card transactions. Security requirements are as follows:
      • Annual Assessment by a Qualified Security Assessor
      • Static IP address behind a firewall within the PCI environment
      • Monthly vulnerability scans for each IP address
      • Anti-virus Monitoring
      • File Integrity Monitoring
      • Identity Finder
  • End-to-End Encryption devices are the preferred method of processing transactions using computer software or an internet service through a PCI Certified Service Provider. End-to-End Encryption encrypts the cardholder data within the device before it passes through your computer or servers. The cardholder data is only decrypted when it reaches the payment gateway used for authorizing and settling the transactions. End-to-End Encryption that has been assessed by the PCI Council is called Point-to-Point Encryption. Security requirements are as follows:
      • Testing upon implementation for unencrypted cardholder data and other sensitive data
      • Annual Assessment by a Qualified Security Assessor
  • You may find a vendor that hosts a web service to charge payment cards along with other services such as conference registration, e-commerce sales, or payments for other services you provide. Payment card transactions are initiated by the cardholders, and your department never processes or touches cardholder data. Such vendors must be certified with the PCI Council as a Service Provider. Security requirements are as follows:
      • Annual Assessment by a Qualified Security Assessor
      • Annual validation of the vendor's PCI Service Provider standing: Attestation of Compliance
  • A virtual terminal is a service hosted by a third-party vendor who is a PCI Certified Service Provider. A virtual payment terminal is web-browser-based access to an acquirer, processor, or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes. Security requirements are as follows:
      • Annual Assessment by a Qualified Security Assessor
      • Monthly Vulnerability Scans
      • Anti-virus Monitoring
      • File Integrity Monitoring
      • Identity Finder
      • Logging
      • Penetration testing
  • A kiosk is a contained computer that uses third-party software or an internet service that is PCI Certified. The internet is used for communication. The kiosk allows cardholders to initiate transactions for services or dispensed merchandise. A kiosk without an End-to-End Encryption device that encrypts the payment card number upon swipe has the following security requirements:
      • Annual Assessment by a Qualified Security Assessor
      • Monthly Vulnerability Scans
      • Anti-virus Monitoring
      • File Integrity Monitoring
      • Identity Finder
      • Logging
      • Penetration testing
      • Multi-Factor Authentication for remote access (as applicable)
  • Software that is installed on a desktop computer or server may use a payment process that redirects the user to a payment gateway to enter their payment card data. Once the user is on the payment gateway web page, the University's servers and computers are not touching the cardholder data. However, the software and associated computers or servers have specific security requirements to protect the handoff from the software to the payment gateway. Security requirements are as follows:
      • Annual Assessment by a Qualified Security Assessor
      • Monthly Vulnerability Scans
      • Anti-virus Monitoring
      • File Integrity Monitoring
      • Identity Finder
      • Logging
      • Penetration testing
      • Multi-Factor Authentication for remote access (as applicable)
  • Approved third-party software installed on a campus server must employ all of the following:
      • Annual Assessment by a Qualified Security Assessor
      • Monthly Vulnerability Scans
      • Anti-virus Monitoring
      • File Integrity Monitoring
      • Identity Finder
      • Logging
      • Penetration testing
      • Multi-Factor Authentication for remote access (as applicable)
  • The University has a standardized e-commerce option available to departments via a shopping cart or a single checkout page. Security requirements are as follows:
      • Annual Assessment by a Qualified Security Assessor
      • Monthly Vulnerability Scans
      • Anti-virus Monitoring
      • File Integrity Monitoring
      • Identity Finder
      • Logging
      • Penetration testing
      • Multi-Factor Authentication for remote access (as applicable)