Payment Card Processing Newsletter
December, 2016 issue
University of Nebraska—Lincoln
PCI Compliance Team
The PCI Compliance Team is a collaboration between Information Technology Services (ITS) and the Office of the Bursar. It is a cross-functional team responsible for administering the University of Nebraska-Lincoln payment card policies and procedures, monitoring payment card activity, and educating merchants.
Contact Information
Information Technology Services (ITS)
Office of the Bursar
Download the printable PDF version of this newsletter here.
Due January 6th—PCI Compliance Paperwork
Now that the conversion to Elavon is complete, we need to return our focus to PCI Compliance and related documentation. As with everything else, PCI Compliance is a bit different under Elavon. For merchants though, we expect to follow much the same process as has been done in the past. The documentation will consist of departments submitting a Merchant Profile, Procedures Document (including CHD flowchart), and an SAQ. PCI DSS version 3.2 is the current PCI version, and a myriad of information can be found on the PCI DSS website:
https://www.pcisecuritystandards.org/document_library
The first items we need from each merchant are an updated Merchant Profile and an updated procedures document (including a current CHD flowchart). These are generally just updates to previous documentation done by merchants. We have new forms for the Merchant Profiles so please use the forms available at our website: http://pci.unl.edu/merchant-profile The procedures document is a narrative of your processes, and per our spring 2015 correspondence, it should incorporate your flowchart and your staff training requirements as well.
Please submit your updated Merchant Profile and procedures document (including CHD flowchart) by January 6th to:
The SAQs will be collected at a later date and will be discussed at training that will be held soon.
Are You Reconciling Your Card Activity?
Every merchant must reconcile their card activity regularly and at least monthly. The monthly sales and fee allocation and merchant statement should be included in this reconciliation. The Bursar’s Office sends out a spreadsheet after completing the allocations each month. It is based on the sales activity reported by the department and the monthly merchant statement. It shows how the amount allocated was calculated and if there is any carry forward to the next month.
What you should be doing? You should:
- Review your MerchantConnect daily activity against the figures in your register or sales system.
- Confirm the amount on your SAP ledgers is correct and ties to the Bursar allocation spreadsheet and also your departmental sales figures.
- Download your monthly merchant statement in MerchantConnect each month. Review it for accuracy and completeness. We understand it is not very user friendly, but a review should still be done. Call the Bursar’s Office if you have trouble looking at, opening up, or understanding the MerchantConnect content.
PCI Scans
Dan Buser coordinates the PCI scans for the UNL PCI Team. Scans are regularly done on any IPs in scope—which includes any redirects to a payment gateway. This is required by the most current PCI DSS regulations. Per PCI regulations, we are required to scan weekly and also to submit a quarterly scan to our acquiring bank.
UNL utilizes QualysGuard for our PCI scans. Within QualysGuard we have an Asset Group set up for each merchant account that requires scanning. We also have Operator Accounts set up so merchants can access the scanning information. Keeping this information up to date is a challenge. Dan has been working on updating the IP addresses and users in QualysGuard and may be reaching out to your department for information on your current setups. We will also use the information you provide in your Merchant Profile and procedures documents (flow charts) to update QualysGuard. So it is important this information be as complete as possible to properly identify all pieces of your card processing environment.
Batch Reports for Multiple Terminals in MerchantConnect
If you have multiple terminals under your merchant account, it may be useful to pull your batch information out of MerchantConnect by the Terminal ID, or TID. Once logged into MerchantConnect, go to “My Reports” > “Settlement” > “Settlement and Batch”. You will see a number of options to narrow down your report. Select the date range, sub-chain (Merchant ID), and sort parameters (not pictured) applicable to your search. If you check the “Breakout TID” box, you will see information by terminal. This can be helpful in reconciling your card activity.
Two New Elavon Fees
You may notice a new fee on your November monthly statement, an MC Location Fee. The $7.50 is a new annual per MID fee charged by MasterCard. The fee will be assessed annually each November. You will not incur the fee on a monthly basis.
On December’s monthly statement, another fee of $49.99 will be assessed to offset other new costs Elavon is seeing from the card brands. This is a one-time fee assessed per MID.
There was a message on your October and November monthly statements advising each MID of these new fees. We understand the Elavon statements are not very user friendly. The messages appear right before the “Summary” on page 1 of your statement.