The objective of CSU, Fullerton PCI DSS Standard is to establish payment card requirements for all areas within the campus community that process, transmit or store confidential cardholder information. The provisions of this policy and PCI DSS apply to the entire University, including its auxiliary organizations, as well as all third party service provider that processes, transmits and stores cardholder data on behalf of the University, or provide services that could affect the integrity of cardholder data.


Securing information protected by federal and state law as well as California State University (CSU) policies and procedures, is essential. As such, the University will:

  • Comply with all federal and state laws and regulations, as well as CSU policies and procedures, concerning the collection, use, maintenance, and release of protected information.
  • Develop, implement, and monitor administrative, technical, and physical safeguards to mitigate unauthorized intrusion, malicious misuse, or inadvertent compromise of protected information.
  • Ensure all individuals working with protected information are responsible for collecting, using, maintaining, and releasing it do so in accordance with federal and state laws or regulations, as well as CSU policies and procedures.


Several federal and state laws, as well as CSU policies, govern access to information collected, used, maintained, and released by the University, including but not limited to the:

  • Family Education Rights and Privacy Act
  • California's Information Practices Act
  • Title V
  • California's Public Records Act
  • Gramm-Leach-Bliley Act
  • Health Information Portability and Accountability Act
  • CSU Information Security Policy
  • CSU Board of Trustee Executive Orders
  • PCI SSC Requirements

Information Security Implementation

This Directive applies to the collection, use, maintenance, and release of protected information by the University or, when applicable, by any of its auxiliary or affiliate organizations.

Roles and Responsibilities

Payment Card Industry Implementation Members

Payment Card Industry Implementation Members


  • University Controller
  • Auxiliary Financial Managers
  • Auxiliary Information System Officer
  • Information Security Officer
  • Internal Security Assessor

PCICC is responsible for the implementation and oversight of university policy and general compliance with the PCI Goals and Requirements.

The following are university PCI Standards and Guidance