Navigate Up
Sign In
Click to show/hide contact information.

PCI-DSS: Security - Rules

What to Know
UCSC rules

All UCSC Merchants and employees must follow basic card acceptance rules for all electronic transactions. Careful and consistent adherence to the UCSC rules outlined in this section will help enhance customer satisfaction and increase your unit’s profitability. If you have any questions about any of the UCSC rules presented here, ask your supervisor for assistance.

Dollar minimums and maximums

Always honor valid credit cards, regardless of the dollar amount of the purchase. Imposing minimum or maximum purchase amounts is a violation of our Merchant agreement.

No surcharging

Always treat electronic transactions like any other transaction; that is, you may not impose any surcharge on over the counter credit card transactions.  You may, however, offer a discount for cash transactions, provided that the offer is clearly disclosed to customers and the cash price is presented as a discount from the standard price charged for all other forms of payment.


Include any required taxes in the total transaction amount. Do not collect taxes separately in cash.

Deposit time limits

Deposit forms are due to the Main Cashier’s Office on a weekly basis. Your credit card terminal is to be cleared out on a nightly basis. 

Data storage

Merchants should also be aware of the following data security requirements:

  • Magnetic-stripe data. Do not store magnetic-stripe data after receiving authorization. After a transaction is authorized, the full contents of track data, which is read from the magnetic stripe, must not be retained on any system. The account number, expiration date, and name are the only elements of track data that may be retained when held in a CISP compliant manner.
  • Avoid security code storage. The Security Code, also known as the Card Verification Value 2 (CVV2), is the 3- or 4-digit value that is printed on the back of most credit cards. The one exception is American Express who prints the CVV2 on the front of the card, above and to the right of the embossed account number. The CVV2 number must never be retained or stored after a transaction. If the CVV2 number is recorded on a form when collected by phone, that data must be destroyed once the transaction is completed. All UCSC Merchants and employees are prohibited from storing security code data. When asking a cardholder for their security code, merchants must not document this information on any kind of paper order form or store it in any database.
Cardholder information

Keep cardholder account numbers and personal information confidential. Cardholders expect you to safeguard any personal or financial information they may give you in the course of a transaction. Keeping that trust is essential to fraud reduction and good customer service. Cardholder account numbers and other personal information should be released only to your merchant bank or processor, or as specifically required by law.

University of California
UC Santa Cruz, 1156 High Street, Santa Cruz, Ca 95064
©2021 Regents of the University of California. All Rights Reserved.
Site Feedback