Third-Party Service Providers (TPSPs)
A Third-Party Service Provider is any external entity that stores, processes, transmits, or can impact the security of cardholder data on behalf of UC Davis. This includes services such as payment gateways, web hosting applications, point-of-sale (POS) systems, data center hosting, managed firewall services, and secure media destruction.
UC Davis currently maintains contracts with the following TPSPs for credit card acceptance:
- TouchNet Marketplace
- Supports e-commerce/card-not-present transactions.
- Cybersource
- Supports e-commerce/card-not-present transactions.
- STOVA (formerly Aventri)
- Event registration platform.
- Bluefin
- Supports card-present and mail order/telephone order (MOTO) transactions via P2PE devices.
Departments must use one of these approved providers unless a business case is made and approved for an alternative by the PCI Team. UC Davis is only allowed to engage TPSPs that are connected to our acquiring bank (Bank of America) and payment processor (FISERV). Before partnering with a TPSP, departments must ensure a vendor risk assessment (VRA) has been completed and the TPSP is compliant with PCI DSS.
Required Documentation of TPSPs
When considering the use of any third-party service provider for credit card processing, it is essential that departments ensure the provider demonstrates compliance with PCI DSS.
Regardless of the service or platform being considered, departments must obtain the following documentation from the provider:
- An Attestation of Compliance (AoC) validated by a Qualified Security Assessor (QSA) confirming their PCI DSS compliance
- A PCI DSS Responsibility Matrix that clearly outlines which party (UC Davis or the TPSP) is responsible for each applicable PCI DSS requirement
Contractual Requirements for PCI Service Providers
All third-party service providers with responsibilities related to PCI DSS compliance must have a written agreement in place that includes specific PCI-related language. This ensures that both UC Davis and the service provider understand and formally acknowledge their respective roles in maintaining PCI DSS compliance.
As part of this requirement, the UCOP Appendix – Data Security must be attached to the agreement. This appendix outlines the minimum data protection standards expected of service providers and reinforces the university’s commitment to safeguarding payment card data.
Departments are responsible for ensuring these contractual elements are included before engaging any service provider with PCI responsibilities. For assistance with contract language or reviewing agreements, please contact merchantsupport@ucdavis.edu.
TPSP Response Evaluation Grid
| TPSP Response | Flag | Explanation |
|---|---|---|
| “We have a QSA-validated AOC and a PCI Responsibility Matrix.” | ✅ Green Flag | Indicates formal validation and clear outline of responsibilities. |
| “We handle cardholder data but do not have an AOC.” | ❌ Red Flag | Handling cardholder data without formal validation is a serious compliance risk. |
| “An AOC can be provided upon request and under NDA.” | ✅ Green Flag | Willingness to share documentation is a positive sign of transparency. |
| “We are PCI compliant but do not have documentation to prove it.” | ❌ Red Flag | Claims without evidence are insufficient for due diligence. |
| “We are listed as a PCI DSS Level 1 Service Provider and undergo annual assessments.” | ✅ Green Flag | Demonstrates commitment to compliance and regular review. |
| “We only host the website and redirect payment traffic, so we don’t have any PCI responsibilities.” | ❌ Red Flag | Redirection does not eliminate PCI responsibilities; must still be assessed. |
| “We do not currently have an AOC, but we are open to becoming validated.” | ⚠️ Caution | Shows potential willingness to comply, but services should not be used until formal validation is completed. |
| “You must sign a merchant sub-agreement to open your account with our acquiring bank.” | ❌ Red Flag | Merchant accounts must be established only through UC’s designated acquirer (Bank of America) and processor (FISERV). |
| “Our contract will include PCI language and the UCOP Data Security Appendix.” | ✅ Green Flag | Shows alignment with UC policy and contractual best practices. |
| “We don’t sign contracts with PCI language because we’re not directly involved.” | ❌ Red Flag | Avoiding contractual obligations is a compliance and legal risk. |
| “We are willing to integrate with your preferred payment gateway.” | ✅ Green Flag | Demonstrates flexibility and alignment with UC’s required acquirer/processor, supporting compliance and operational consistency. |
| “We do not support integration with any other payment gateway besides our own.” | ❌ Red Flag | Limiting gateway options conflicts with UC’s required acquirer/processor and restricts flexibility in meeting PCI and institutional standards. |
| “We use a validated Point-to-Point Encryption (P2PE) solution.” | ✅ Green Flag | P2PE significantly reduces PCI scope and risk when properly implemented. |
| “Our devices are more secure than P2PE because we use tokenization.” | ❌ Red Flag | Tokenization is valuable, but it does not replace the scope-reducing benefits or validation requirements of a PCI-listed P2PE solution. |