eCommerce Compliance Resources

All UMASS merchants that accept credit or debit cards are required to comply with PCI DSS, the Payment Card Industry Data Security Standard, in its entirety. See the links in the PCI DSS section to view the PCI DSS v3.0 and other related documents.

Campus eCommerce Representatives

Campus eCommerce representatives work with their individual campus merchant contacts to ensure that the Merchant is compliant with PCI DSS (Payment Card Industry Data Security Standard).  The campus representatives represent their respective campus on the University eCommerce Group, are the primary point of contact for their campus, and are responsible for disseminating all relevant policies, standards, and guidelines to ensure merchants are knowledgeable in PCI DSS requirements and Incident Management.

  • UMass Amherst:  Jake Cunningham, Patty Roper, Jacqui Watrous, and Erin Zuzula
  • UMass Boston:  Lisa Moriarty, Katherine Nung, Terry Phalen, and Jimmy Sam
  • UMass Dartmouth:  Suzanne Audet, Holger Dippel, Kathy Eubanks, and Rich Pacheco
  • UMass Lowell:  Norma Clark, Amy Kirchner, and John Perroni
  • UMass Medical School:  Yi Chen, Sandy Flynn, and Cathy Stolarczyk
  • UMass President’s Office IT:  Martha Johnson, Wendy Mulcahy, and Larry Wilson
  • University Treasurer’s Office:  Terri O’Neil and Kathey White

Required Language for Contract Services

All University Contracts that allow for payment processing via credit or debit card must include language that the vendor acknowledges their responsibilities to maintain PCI compliant practices.

PCI Compliance: If, in the course of its engagement by University, Contractor has access to or will collect, access, use, store, process, dispose of or disclose credit, debit or other payment cardholder information, Contractor shall at all times remain in compliance with the Payment Card Industry Data Security Standard ("PCI DSS") and if applicable, Payment Application Data Security Standard ("PA DSS") requirements, including remaining aware at all times of changes to these standards and promptly implementing all procedures and practices as may be necessary to remain in compliance with these standards, including promptly notifying the University of its non-compliance, in each case, at Contractor's sole cost and expense. Both parties are responsible for the security of the cardholder data that is in such party's control or possession, as mandated by PCI Security Standards Council ("PCI SSC") in the performance of their individual and mutual responsibilities under this Agreement.

Security Awareness Training

Merchants are responsible for the security of Cardholder Data (CHD). Any person who has access to CHD must complete annual PCI Awareness Training.  For more information contact your eCommerce representative or email

Related Resources

For guidance with which SAQ to complete select the Understanding SAQs for PCI DSS v3 under Supporting Documents.


For more information contact your eCommerce representative or email