Payment Card Processing Newsletter
March, 2017 issue
University of Nebraska—Lincoln
PCI Compliance Team
The PCI Compliance Team is a collaboration between Information Technology Services (ITS) and the Office of the Bursar. It is a cross-functional team responsible for administering the University of Nebraska-Lincoln payment card policies and procedures, monitoring payment card activity, and educating merchants.
Contact Information
Information Technology Services (ITS)
Office of the Bursar
Download the printable PDF version of this newsletter here.
Merchant Meetings in March/April for all Merchants
The UNL PCI Team will be holding merchant meetings in March/April. All merchants are expected to have staff in attendance if possible. In an effort to provide a variety of times/locations to fit your schedule., we have three meetings available Please choose just one meeting as the same information will be covered in all three.
Merchant Meetings – Choose One to Attend
Wednesday, March 29th 9:00—11:00 East Union Goldenrod/Sunflower Rm
Thursday, March 30th 9:00—11:00 NE Union Regency Suite
Monday, April 3rd 1:30—3:30 Gaughan Center Ubuntu Rm #202
Target Audience:
- Business Managers
- Departmental PCI Contact (if different)
- Departmental IT Support Contacts
This meeting is geared toward all types of merchants. We will review what PCI is, go over University policy, discuss our overall approach to compliance, and talk about the Self-Assessment Questionnaires (SAQs). Scope reduction, checklists for redirects and change requests are among the topics up for discussion.
We are structuring the meeting topics so that merchants with simpler setups will not have to stay for the entire meetings. For instance, if you only operate with an analog phone line stand-alone terminal, you will not have to listen to the more complex discussion that will be around a POS system setup. Feel free to stay for the duration of the meeting, but if you choose to leave after your type of setup is covered, we will make that opportunity available.
PCI Documentation DUE IMMEDIATELY
If you have not finalized your paperwork yet, we are in need of the following now:
- Merchant Profile
- Procedures (including flowchart)
The next step in compliance is completing the Self-Assessment Questionnaires (SAQs). Having these completed first ensures we direct you to the correct SAQ.
MC Location Fee Assessment Change
In our December newsletter, we publicized a new fee, the MC Location Fee. At that time, we understood the fee would be assessed annually each November. Per this month’s statement message this has changed as follows:
Next month, MasterCard will begin assessing its annual per location fee for 2017. If you accepted MasterCard during Q1, you will be billed $3.75 on your March statement that you will receive in early April. Then you’ll be billed $1.25 per month each month you accept a MasterCard transaction.
PCI.UNL.EDU
Where should you look for information on PCI? PCI.UNL.EDU
We continually add and update the information on this website to give you the latest information and resources. Whether you are a department interested in becoming a merchant or have been a merchant for years, you will find useful information regarding your card processing activity.
It also provides a quick link to where you should report a breach if it were to occur. You’ll find the “Report a Breach” link in several places on the site for quick access if the need should ever arise.
Reminders to All
Create a PCI File and Retain Your Documentation
PCI compliance documentation is an annual requirement. It is needed each year and much simpler to just update from year to year rather than reconstruct. Be sure to create a PCI File for each of your merchant accounts and retain your documentation for easy access and updating. This would be a great place to keep your training documentation which must be retained in the Department as well.
No CVV Code on Paper
Per PCI requirements, the CVV code cannot be stored in any manner. If you are taking payment information over the phone and entering it directly into your terminal, you can ask for it. But we cannot ask for it on a form or have it written down anywhere.
All Merchant Accounts Take Discover
Under our Elavon contract, all merchants are set up to take Discover on top of Visa and MasterCard.
Report All Sales Monthly to Bursar’s Office
Each merchant account (MID) should report their monthly sales figures to the Bursar’s office. We would like the data in by the 5th of the month if possible but no later than the 10th. We use this information to book the sales allocation in SAP.
Please include the sales for each day from the first to the last day of the month. This should be sales date data not settlement date data.
Best Practices for Securing E-Commerce
The PCI Security Standards Council came out with an updated “Best Practices for Securing E-commerce” Informational Supplement in January 2017. Please find it attached. If you engage in eCommerce please refer to this document for guidance and best practices for securing your implementations.