Merchant Support FAQs

General Information

  • What is an acquiring bank?
  • An acquiring bank, also known as a merchant acquirer, is a financial institution that processes credit and debit card transactions on behalf of merchants.
  • Who is the credit card acquiring bank for UC Davis?
  • Bank of America.
  • What is a credit card payment processor?
  • A payment processor is a company or service that handles the technical aspects of processing electronic transactions.
  • Who is the credit card payment processor for UC Davis?
  • FISERV (formerly First Data).
  • What is a credit card payment gateway?
  • A payment gateway is a technology that facilitates the processing of credit card and debit card transactions for both online and in-person purchases.
  • What credit card payment gateways does UC Davis have contracts with?
  • Merchant Support maintains contracts for the following services: 

    1) TouchNet Marketplace - Supports e-commerce/card-not-present transactions
    2) Cybersource - Supports e-commerce/card-not-present Transactions
    3) STOVA (formerly Aventri) - Event registration platform
    4) Bluefin - Supports card present/mail order-telephone order (MOTO) transactions via P2PE devices.

    Questions regarding implementing one of these solutions? Contact merchantsupport@ucdavis.edu
  • What is an SAQ?
  • An SAQ, or Self-Assessment Questionnaire, is a tool used by merchants and service providers to assess their compliance with PCI DSS. There are different types of SAQs depending on how transactions are processed. For a list and description of each SAQ Type, visit our Merchant SAQ Types webpage.
  • What is P2PE?
  • Point-to-Point Encryption (P2PE) is a standard established by the PCI Security Standards Council for solutions that protect payment card data during transactions. A P2PE solution encrypts card data inside the point-of-interaction device at the moment of swipe, dip, or tap and keeps it encrypted until it reaches the solution provider's secure decryption environment, so the merchant's systems and network never handle cleartext account data. This significantly reduces the risk of data breaches and fraud and, because it removes those systems from scope, lets eligible merchants validate with the shorter SAQ P2PE.
  • Can I partner with a third party service provider (TPSP) who does not work with the acquirer or processor of UC Davis?
  • No. UC Davis is only allowed to work with TPSPs who connect to our acquiring bank and processor.
  • What is a VAR sheet and how do I obtain one for a third party service provider (TPSP)?
  • A VAR sheet, or Value-Added Reseller sheet, is a document that contains essential information about a business's merchant account and payment processing setup. It helps establish a connection between the merchant account and the payment gateway. Email merchantsupport@ucdavis.edu to obtain a copy for your merchant account.
  • What is a TID and how do I obtain one for a third party service provider (TPSP)?
  • A Terminal Identification Number (TID) is a unique code assigned to a payment terminal by a credit card processor. It helps identify the source of a transaction and is used in conjunction with the Merchant Identification Number (MID) to facilitate the processing of credit and debit card transactions.
  • If I outsource all payment processing to a third party service provider (TPSP) and the TPSP is the merchant of record (MOR), do I still need to comply with PCI DSS?
  • If a TPSP is the MOR, you are not required to complete a self-assessment questionnaire. The TPSP is required to meet all applicable PCI DSS requirements. You are responsible for ensuring that your third-party service providers are PCI DSS compliant by confirming that their Attestation of Compliance (AoC) was signed by a qualified security assessor (QSA) and covers the services you use. Failure to ensure TPSPs are PCI DSS compliant may result in reputational impact to your business operation and UC Davis.
  • If I outsource all payment processing to a third party service provider (TPSP), but UC Davis is the merchant of record (MOR), do I still need to comply with PCI DSS?
  • Yes. Even if you outsource payment processing, you are still responsible for ensuring that your third-party service providers are PCI DSS compliant and for annually completing a self-assessment questionnaire to ensure that your own systems and processes that interact with these providers are secure. 
  • How often is PCI training required?
  • Annually. To access the training, go to LMS, and enter Credit Card Handling in the Search field and the training will be available for viewing. The training takes approximately 20 minutes. 
  • Who is required to complete PCI training?
  • 1) Employees Handling Cardholder Data: Anyone who processes, stores, or transmits cardholder data should be trained on PCI DSS requirements to ensure they understand how to protect this sensitive information.
    2) IT and Security Staff: These individuals need to be well-versed in PCI DSS to implement and maintain the necessary security measures and controls.
    3) Management and Executives: Leaders should understand PCI compliance to support and enforce security policies and procedures within the organization.
    4) Anyone Involved in PCI Compliance: This includes roles such as compliance officers, auditors, and any staff involved in the compliance process.
  • Can I store cardholder data (CHD)?
  • Storing cardholder data is highly regulated and should be minimized. You can store CHD if you have a legitimate business need, but it must be protected according to PCI DSS requirements and approved by Merchant Support. CHD includes:

    1) Primary Account Number (PAN): The number on the front of a payment card that identifies the cardholder's account. It is typically 16 digits but may be anywhere from 13 to 19 digits (American Express PANs are 15); the last digit is a Luhn check digit.
    2) Cardholder Name: The name of the individual to whom the card is issued, typically printed on the front of the card.
    3) Expiration Date: The date until which the card is valid, usually displayed as a month and year (MM/YY).
    4) Service Code: A three-digit code on the magnetic stripe that specifies acceptance requirements and limitations for the card (e.g., whether it can be used internationally or for ATM withdrawals). A service code is not the same as the card verification code.
     
  • What type of data is not allowed to be stored?
  • Storing sensitive authentication data (SAD) is not allowed because it poses a significant security risk. SAD includes: 

    1) Full Track Data: All data from the magnetic stripe, or the equivalent data held on the chip. It contains the PAN, expiration date, and service code together with issuer discretionary data used for authorization.
    2) Card Verification Codes (CVV2, CVC2, CID): The three- or four-digit codes printed on the card used to verify that the card is present in card-not-present transactions.
    3) PINs and PIN Blocks: Personal Identification Numbers and their encrypted equivalents.

    SAD must not be retained after authorization, even if encrypted. Only the Primary Account Number (PAN), cardholder name, expiration date, and service code may be stored, and even then, storage must be approved by Merchant Support and protected according to PCI DSS requirements. In particular, a stored PAN must be rendered unreadable (for example by truncation, hashing, or strong encryption), and a PAN shown on screens or receipts must be masked to no more than the first six and last four digits.
  • What is the difference between a service code and card verification code?
  • Service Code:
    Location: Encoded on the magnetic stripe of the card.
    Purpose: Indicates usage restrictions and requirements for the card, such as whether it can be used internationally, if a PIN is required, or if it is restricted to certain types of transactions (e.g., ATM only).
    Example: A service code might specify that the card can only be used domestically or that a PIN is required for all transactions.

    Card Verification Code (CVC/CVV):
    Location: Printed on the card, usually on the back near the signature strip (CVV2/CVC2) or on the front for American Express cards (CID).
    Purpose: Used to verify that the person making the transaction has the physical card in their possession. It is commonly used for online and card-not-present transactions. Because it is sensitive authentication data, it may never be stored after authorization.
    Example: The three-digit code on the back of a Visa (CVV2) or Mastercard (CVC2) card, or the four-digit code on the front of an American Express card (CID).
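The distinctions above (storable cardholder data versus sensitive authentication data, and service code versus card verification code) in working form, as an added example that is not part of this FAQ and not code from any UC Davis system: it parses a constructed track-2 string into the fields PCI DSS lets a merchant keep and the discretionary data that must be discarded, decodes the service code, and scans a made-up log excerpt for leaked PANs (Luhn-filtered) and full track data. The card numbers are the well-known public test PANs, the log lines are constructed, and the service-code digit meanings follow ISO/IEC 7813.

```python
"""Added example (not from the UC Davis FAQ): telling cardholder data (CHD) apart
from sensitive authentication data (SAD) and checking text such as an application
log for either. Card numbers below are public test PANs and the track-2 string is
constructed; neither is real cardholder data."""
import re
from typing import Dict, List, Tuple

# ISO/IEC 7813 track-2 layout: ;PAN=YYMM SSS discretionary-data?  (PAN 13-19 digits,
# SSS = 3-digit service code; the discretionary data carries PVV/CVV-type values).
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; a PAN must pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS Req 3.4.1: at most first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def describe_service_code(svc: str) -> Dict[str, object]:
    """Decode the service code (ISO/IEC 7813 digit meanings): interchange scope,
    online-authorization requirement, PIN requirement, and usage restrictions."""
    interchange = {"1": "international", "2": "international (chip preferred)",
                   "5": "national only", "6": "national only (chip preferred)",
                   "7": "private/bilateral agreement only", "9": "test card"}
    restrictions = {"0": "no restrictions", "1": "no restrictions",
                    "2": "goods and services only", "3": "ATM only",
                    "4": "cash only", "5": "goods and services only",
                    "6": "no restrictions", "7": "goods and services only"}
    return {"interchange": interchange.get(svc[0], "unknown"),
            "online_authorization": svc[1] in ("2", "4"),
            "pin_required": svc[2] in ("0", "3", "5"),
            "restrictions": restrictions.get(svc[2], "unknown")}


def classify_track2(raw: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split raw track-2 data into the fields PCI DSS lets a merchant keep (PAN,
    expiry, service code) and the SAD that must be discarded after authorization."""
    m = TRACK2_RE.fullmatch(raw.strip())
    if m is None:
        raise ValueError("not track-2 data")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    # A stored PAN must itself be rendered unreadable (Req 3.5.1); masking is for display.
    storable = {"pan_masked": mask_pan(m["pan"]), "expiry_yymm": m["exp"],
                "service_code": m["svc"]}
    sad = {"discretionary_data": m["disc"], "full_track": raw}
    return storable, sad


def scan_for_card_data(text: str) -> List[Tuple[str, str]]:
    """Find full track data (SAD) and Luhn-valid PANs in free text, e.g. a log file.
    Returns (kind, masked_pan) pairs; a Luhn pass is a candidate, not proof."""
    findings: List[Tuple[str, str]] = []
    covered = []
    for m in TRACK2_RE.finditer(text):
        findings.append(("track2", mask_pan(m["pan"])))
        covered.append(m.span())
    for m in PAN_CANDIDATE_RE.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue                      # already reported as part of track data
        if luhn_ok(m.group()):
            findings.append(("pan", mask_pan(m.group())))
    return findings


# Constructed sample log: a PAN logged in clear, a raw swipe (full track data) logged
# at DEBUG level, and a 13-digit request id that is not a card number.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z INFO order=77812 pan=4111111111111111 exp=1227 amount=42.00
2024-05-01T10:02:13Z DEBUG swipe raw=;4111111111111111=27121015432101234567?
2024-05-01T10:02:15Z INFO request_id=1234567890123 status=approved
"""

if __name__ == "__main__":
    for kind, masked in scan_for_card_data(SAMPLE_LOG):
        print(f"{kind:6} {masked}")
    keep, discard = classify_track2(";4111111111111111=27121015432101234567?")
    print("keep   :", keep, describe_service_code(keep["service_code"]))
    print("discard:", discard)
```

A Luhn pass is only a filter (roughly one random digit run in ten passes), so treat findings as candidates to review rather than proof; the request id in the sample is rejected by it. Note also that masking a PAN for display is not the same as rendering it unreadable for storage, which needs truncation, hashing, or strong encryption, and that the DEBUG line is the more serious finding because it retains the discretionary data in full.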

Merchant Account

  • Can I collect credit cards as a method of payment?
  • Only departments with an approved merchant account can accept credit cards. For more information regarding accepting credit cards, visit our Credit Card Acceptance webpage. 
  • How do I request to become a credit card merchant?
  • Please email merchantsupport@ucdavis.edu to initiate the request and visit our Credit Card Merchant Account Onboarding webpage for more information.
  • How do I close a merchant account?
  • To close a merchant account, email merchantsupport@ucdavis.edu.  Include the merchant ID number and if applicable the device serial numbers of any equipment that needs to be returned as well as a statement requesting closure of the merchant account.

PCI DSS

  • What is PCI DSS?
  • PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
  • Why is PCI compliance necessary?
  • PCI compliance helps protect sensitive payment card information from breaches and fraud. Non-compliance can result in financial penalties, reputational damage, and loss of the ability to process credit card payments.
  • What are the main requirements of PCI DSS?
  • PCI DSS includes requirements such as building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
  • What is the timeline for transitioning to PCI DSS 4.0?
  • PCI DSS 4.0 was released on March 31, 2022. Organizations have until March 31, 2024, to transition from PCI DSS 3.2.1 to 4.0. After this date, all assessments must be conducted against PCI DSS 4.0.
  • When will PCI DSS v4.0 be retired?
  • PCI DSS v4.0 was retired on December 31, 2024. After that point, PCI DSS v4.0.1 is the only active version of the standard supported by PCI SSC. A copy of PCI DSS v4.0.1 is available from the PCI SSC Document Library.
  • What is the current PCI DSS version?
  • PCI DSS v4.0.1, available from the PCI SSC Document Library.
  • What is the difference between PCI DSS v4.0 and v4.0.1?
  • PCI DSS v4.0.1 refines v4.0 by addressing typographical errors and clarifies the focus and intent of some of the requirements and guidance. There are no additional or deleted requirements in this revision. For a full summary of changes, refer to the PCI DSS v4.0 to v4.0.1 Summary of Changes document.
  • Does PCI DSS v4.0.1 change the March 31, 2025 effective date of the current best practice requirements?
  • No. The limited revision of v4.0.1 does not impact the effective date of the requirements. 
  • Where can I find more information about PCI DSS? 
  • More information can be found on the official PCI Security Standards Council website. You can also download the PCI Quick Reference Guide

PCI Fall Attestation

  • When is the PCI DSS Attestation of Compliance (AoC) due to our acquirer?
  • UC Davis is required to submit its AoC, attested by a qualified security assessor (QSA), every year in the month of September.
  • When are merchants required to submit their annually required SAQs?
  • Generally, merchants are given one month to complete their SAQs with SAQs being started every May 1st and due by May 31st.
  • Where are self-assessment questionnaires (SAQs) completed and submitted?
  • SAQs are completed and submitted via MegaplanIT. If you have questions related to your SAQ or the MegaplanIT portal, email merchantsupport@ucdavis.edu.

Third Party Service Provider (TPSP) Compliance

  • How can I validate PCI DSS status of a TPSP?
  • Request evidence of compliance from the TPSP, such as its current Attestation of Compliance (AoC), Report on Compliance (RoC), or other relevant documentation. Check that the AoC is dated within the last twelve months, that the services you use fall within its stated scope, and that it lists the requirements the TPSP covers on your behalf, since the remaining requirements stay with you. As a second validation step, you may also check the Visa Global Registry of Service Providers and search for the TPSP by name.
  • How can I validate if a qualified security assessor (QSA) was authorized to sign a TPSPs Attestation of Compliance (AoC) or Report on Compliance (RoC) ?
  • The PCI Security Standards Council (PCI SSC) maintains a list of approved QSAs. You can verify the QSA's status by searching for their name or their company's name on the PCI Security Standards Council website. Ensure that the QSA's certification was valid at the time the AOC or ROC was signed. QSAs must renew their certification periodically, so it's important to confirm that their certification was current during the assessment.
  • How can I validate if an internal security assessor (ISA) was authorized to sign a TPSPs Attestation of Compliance (AoC) or Report on Compliance (RoC)?
  • The PCI Security Standards Council (PCI SSC) maintains a list of approved ISAs. You can verify the ISA's status by searching for their name or their company's name on the PCI Security Standards Council website. Ensure that the ISA's certification was valid at the time the AoC or RoC was signed. ISAs must renew their certification periodically, so it's important to confirm that their certification was current during the assessment. Note also that an ISA is certified to assess only their own employer, so an ISA-signed AoC from a TPSP is valid only if the ISA is an employee of that TPSP.

E-Commerce/ Card-not-present 

  • How often are e-commerce websites required to be scanned for external vulnerabilities?
  • Any e-commerce website with external-facing IP addresses and domains that are part of the cardholder data environment (CDE) must be scanned by an Approved Scanning Vendor (ASV) at least once every three months to identify potential vulnerabilities that could be exploited by malicious actors. Additionally, ASV scans are also required after any significant changes to the external-facing systems to ensure that new vulnerabilities have not been introduced. For all questions regarding ASV scans, email merchantsupport@ucdavis.edu.
  • What are acceptable forms of multi-factor authentication (MFA) for PCI DSS?
  • Multi-Factor Authentication (MFA) is a security control that requires more than one method of authentication from independent categories of credentials to verify the user's identity. Specifically, MFA must use at least two of the following three factors: something you know (password or passphrase), something you have (token or smart card), and something you are (biometric verification). The factors must be independent, so that compromising one does not affect the other, and all factors must be verified before access is granted. PCI DSS requires MFA for all non-console administrative access and all access into the cardholder data environment, and for all remote network access from outside the entity's network.
  • Have the requirements around password length changed for PCI DSS?
  • Yes. Under PCI DSS v4.0.1 (Requirement 8.3.6), the minimum password or passphrase length is 12 characters (or 8 characters if the system does not support 12), up from 7 under v3.2.1, and it must contain both letters and numbers. This requirement became mandatory on March 31, 2025. The longer minimum makes passwords more resistant to brute-force attacks.

Credit Card Devices/ Card-present or MOTO 

  • How do I add additional credit card devices to an existing merchant account?
  • To request additional equipment for an existing merchant account, email merchantsupport@ucdavis.edu and include the merchant ID number, the shipping address, and the number and type of terminals needed.
  • How do I replace a credit card device?
  • To request replacement equipment, email merchantsupport@ucdavis.edu and include the merchant ID number, serial number of the device being replaced, and shipping address to where the new device should be delivered.
  • How do I return credit card devices?
  • To return credit card equipment (defective or no longer needed, etc.), please email merchantsupport@ucdavis.edu to request a call tag or to submit an RMA request.  Include the merchant ID number, device serial number, and the reason for the return.
  • Is my P2PE device no longer PCI compliant after the expiry date?
  • Expiry dates listed on the PCI Security Standards Council website are not device termination dates. They are the dates by which the OEM must re-certify the device. If the OEM decides not to renew the device, it is still PCI P2PE compliant for 5 years following the date listed. For example, if a device has an expiry date of April 30, 2026, that device would still be PCI compliant until April 30, 2031.
  • How often should devices be inspected for tampering?
  • Tamper inspections are determined via a Targeted Risk Analysis (TRA) that factors in the risk and/or likelihood of credit card devices being compromised. The higher the risk, the more frequent tamper inspections are required. Email merchantsupport@ucdavis.edu to determine which TRA is applicable for your cardholder data environment (CDE).

Incident Response

  • Who do I contact if there is a suspected or confirmed credit card related incident/breach and/or suspected or confirmed risk to cardholder data?
  • Immediately notify Merchant Support at merchantsupport@ucdavis.edu and the Information Security Office at cybersecurity@ucdavis.edu. Additionally, Merchant Support is available 24/7 by phone at 530-757-8738. Do not power off, reset, or continue using a device suspected of tampering until you have been told how to proceed, so that evidence is preserved.

Questions? Contact merchantsupport@ucdavis.edu.