Frequently Asked Questions

Payment Card Industry (PCI) FAQs

Q: What is PCI?
Q: What are the PCI DSS requirements?
Q: What is defined as cardholder data?
Q: To whom does PCI apply?
Q: When does GVSU have to be compliant?
Q: Is PCI compliance a law?
Q: What options do we have to accept credit card information and process it properly?
Q: What does this mean for GVSU employees who handle credit card information on behalf of a customer?
Q: If I only accept credit cards over the phone, does PCI still apply to me?
Q: If I process credit card payments on behalf of a customer on my work computer, what information do I need to know?
Q: Do organizations using third-party processors have to be PCI compliant?
Q: What are the penalties for noncompliance?
Q: Who represents PCI compliance for GVSU?
Q: Who should you contact to learn more about PCI compliance at GVSU?
Q: What is PCI?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. In practice, this means any merchant that has a Merchant ID (MID). The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

Q: What are the PCI DSS requirements?
A: See https://www.pcisecuritystandards.org/
Q: What is defined as cardholder data?
A: Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Q: When does GVSU have to be compliant?
A: GVSU had to be compliant as of January 2011 and must review/implement compliance guidelines annually.

Q: Is PCI compliance a law?
A: The short answer is no. The long answer is that while it is not currently a federal law, there are state laws already in effect (and some that may go into effect) that write components of the PCI Data Security Standard (PCI DSS) into law. In addition, there is a big push by legislatures and industry trade associations to enact a federal law on data security and breach notification.

Q: What options do we have to accept credit card information and process it properly?
A: See PCI Processing, Procedures

Q: What does this mean for GVSU employees who handle credit card information on behalf of a customer?
A: All employees working in an environment that accepts credit card information on behalf of a customer will:

  • Be informed of PCI compliance by GVSU PCI Committee members or a designated staff member within the department handling credit cards.
  • Have access to the PCI Security Policy manual.
  • Acknowledge PCI responsibility as a GVSU employee. Employees will be required to sign off annually that they have read the PCI Security Policy manual.
Q: If I only accept credit cards over the phone, does PCI still apply to me?
A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.

Q: If I process credit card payments on behalf of a customer on my work computer, what information do I need to know?
A: You must do the following:

  • The computer must have the specific PCI image, which limits outside access to the computer.
  • The computer must be labeled as PCI so that any maintenance done on it preserves the proper security controls and access restrictions.
Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort needed to validate compliance. However, it does not mean they can ignore PCI.

Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine downstream until it eventually reaches the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.

Q: Who represents PCI compliance for GVSU?
A: The PCI Committee is comprised of representatives from Business & Finance, Information Technology, Student Accounts, University Marketing, Development, and the Bookstore.

Q: Who should you contact to learn more about PCI compliance at GVSU?
A: Luke DeMott, Chief Information Security Officer at [email protected]
Page last modified August 3, 2021