eCommerce Compliance Resources

All UMASS merchants that accept credit or debit cards are required to comply with PCI DSS, the Payment Card Industry Data Security Standard, in its entirety. See the links in the PCI DSS section to view the PCI DSS v3.0 and other related documents.

Campus eCommerce Representatives

Campus eCommerce representatives work with their individual campus merchant contacts to ensure that each merchant is compliant with PCI DSS (Payment Card Industry Data Security Standard). The campus representatives represent their respective campus on the University eCommerce Group, are the primary point of contact for their campus, and are responsible for disseminating all relevant policies, standards, and guidelines so that merchants are knowledgeable in PCI DSS requirements and incident management.

  • UMass Amherst:  Jake Cunningham, Patty Roper, Jacqui Watrous, and Erin Zuzula
  • UMass Boston:  Lisa Moriarty, Katherine Nung, Terry Phalen, and Jimmy Sam
  • UMass Dartmouth:  Suzanne Audet, Holger Dippel, Kathy Eubanks, and Rich Pacheco
  • UMass Lowell:  Norma Clark, Amy Kirchner, and John Perroni
  • UMass Medical School:  Yi Chen, Sandy Flynn, and Cathy Stolarczyk
  • UMass President’s Office IT:  Martha Johnson, Wendy Mulcahy, and Larry Wilson
  • University Treasurer’s Office:  Terri O’Neil and Kathey White

Required Language for Contract Services

All University contracts that allow for payment processing via credit or debit card must include language in which the vendor acknowledges its responsibility to maintain PCI-compliant practices.

Service Providers and third party providers and the “UMASS merchant” represent and warrant to the other party that it is Payment Card Industry Data Security Standard (PCI DSS) compliant and shall remain compliant during the term of the agreement. In the case of a third party application, the application will be listed as PA DSS compliant at the time of implementation by the University. In either situation, should either party become non-compliant during the term, the non-compliant party shall promptly notify the other party of its non-compliance status. Both parties are responsible for the security of the cardholder data that is in such party’s control or possession, as mandated by PCI DSS in the performance of their individual and mutual responsibilities under this Agreement.

Security Awareness Training

Merchants are responsible for the security of Cardholder Data (CHD). Any person who has access to CHD must complete annual PCI Awareness Training. For more information contact your eCommerce representative or email

Related Resources

For guidance on which SAQ (Self-Assessment Questionnaire) to complete, select "Understanding SAQs for PCI DSS v3" under Supporting Documents.
