UCSF 650-16 Addendum E - PCI

Esther Silver's picture

Policy Type



UCSF 650-16 Addendum E - PCI outlines the requirements for information, locations, facilities, and devices processing, storing, or transmitting credit card information.


To comply with data security requirements defined by Payment Card Industry Data Security Standards 3.1/3.2 (PCI-DSS)


The policy addendum covers all UCSF PCI-in-scope information used by UCSF and its affiliates. The information can include data stored on any computer, transmitted across networks, printed out or written on paper, sent by fax, stored on tape, electronically scanned, media, or spoken in conversation or over the telephone, hereafter referred to as an “information asset.”

The policy addendum applies to any PCI-in-scope location or facility that is owned, leased, operated, or managed by UCSF housing any people, equipment, or information assets that are covered by this policy, hereafter referred to as “facility.”

The policy addendum covers all persons seeking access to or usage of any UCSF PCI-in-scope information asset and is required to be reviewed and acknowledged, including UCSF full- or part-time employees; UCSF affiliates; contract staff; consultants; third-party suppliers; any other external parties to whom access may be granted for any reason. For purposes of scope for this document and any policies referred to by this document, all individuals that meet the above criteria will be hereafter referred to as “employees.”

This policy addendum covers any piece of equipment or technology that is owned, leased, or managed by UCSF which is used to access any PCI-in-scope information asset, hereafter referred to as a “managed device.”

This addendum collectively refers to PCI-in-scope information, locations and facilities, persons seeking access to or usage of PCI-in-scope information, and managed devices as “PCI assets.”


The ownership of changes will be governed by the UCSF PCI-DSS Compliance PCI Oversight Committee. This team will be referred to in the remainder of this document as “PCI Oversight Committee.” The IT Security team will review, enforce, and propose changes to PCI Oversight Committee. This team will consist of the Controller, Chief Information Officer, and Director of Information Security at a minimum.


The full content of the Addendum is contained in the following document: (To open the document with indexing, open it from Chrome or Firefox.  Does not open properly in Safari.)

PDF iconucsf_650-16_addendum_e_-_pci.pdf