Quarterly and Annual Monitoring Requirements Procedure

Quarterly Processes

At a minimum quarterly, departments must perform the following processes:

  1. Perform a programmatic (automatic or manual) removal of stored cardholder data that exceeds requirements defined in the data retention policy
  2. Change user passwords
  3. Run internal and external network vulnerability scans, if the applicable UF implementation(s) trigger a corresponding PCI DSS requirement (contact Merchant Services for more details)

Annual Processes

At a minimum annually, departments must perform the following processes:

  1. Test Incident Response Plan
  2. Ensure all workforce members (employees, students or volunteers) who work with (process, store, or transmit) credit/debit cards successfully complete the applicable annual training TRM125: Payment Card Security Awareness Training
  3. Require personnel to acknowledge that they have read and understood the University’s security policy and procedures, as documented by signature on the Credit Card Security Ethics Certification, as included in the training course TRM125.
  4. Submit documentation of the following actions to Merchant Services:
    • Completed PCI DSS Self-Assessment Questionnaire
    • Monitor and report on PCI status of third-party service providers
    • Review the departmental payment card procedures and update as needed
  5. Verify that the information security policy includes an annual risk assessment process that identifies threats and vulnerabilities and results in a formal risk assessment

Note: The UF Office of Information Security and Compliance has the authority to perform such assessments.

All departments that accept credit or debit cards are required to meet with a representative from Merchant Services on an annual basis.  The agenda will include, but is not limited to, credit and debit card security, inventory analysis and PCI compliance.  The meeting will be scheduled at the department and unit’s availability.  For the meeting, departments will need to have accessible:

  • All documentation detailed for the annual processes above
  • All credit and debit card accepting terminals, devices, and implementations to confirm and verify the inventory
  • All departmental credit and debit card processing procedures
  • Network Diagram (PDF)

Resources

UF Credit Card Merchant Policy

PCI Security Standards Council

VISA Operations & Procedures

UF Privacy Office

Training

TRM125 – Payment Card Security Awareness Training

Contacts

Banking & Merchant Services: (352) 392-9057

Treasury-creditcards@ad.ufl.edu
