Payment Card Processing Newsletter
April, 2019 issue
University of Nebraska—Lincoln
PCI Compliance Team
The PCI Compliance Team is a collaboration between Information Technology Services (ITS) and the Office of the Bursar. It is a cross-functional team responsible for administering the University of Nebraska-Lincoln payment card policies and procedures, monitoring payment card activity, and educating merchants.
Contact Information
Information Technology Services (ITS)
Office of the Bursar
Due May 17th — PCI Compliance Paperwork
The first step in compliance is to collect each merchant account’s compliance paperwork. The same documentation as in past years will be required: a Merchant Profile and a Procedures Document including a Cardholder Data (CHD) flowchart. Merchants will also need to do the SAQ (see page 2).
PCI DSS version 3.2.1 is the current PCI version, and a wealth of information can be found on the PCI DSS website: https://www.pcisecuritystandards.org/document_library
How do you get started? For each merchant number, you need to review, update and submit:
- Merchant Profile – forms available here: http://pci.unl.edu/merchant-profile
- Procedures Document (including a current CHD flowchart) – narrative (no standard form)
Please Note: Do not combine merchant accounts on these documents. We need a completed profile and procedures document for each merchant account.
Create a PCI 2019 folder for retaining your new documents. Access last year’s PCI files. Review all your 2018 paperwork, update the information as needed to accurately reflect this year’s processes, and save a copy for this year’s documentation. The procedures document is a narrative of your processes and should incorporate the following:
- make, model, serial number and location of all equipment
- details of all payment channels*
- individuals involved in payment processing
- storage/purge details of cardholder data (if applicable)
- staff training requirements
- demonstration of segregation of duties in place
- information on reconciliation process
- flowchart of cardholder data
- signature of department head
* We’ve heard more and more that campus is converting from the standard analog line to a VoIP phone line. The type of phone line your payment terminal connects to should be documented and will determine the questions on your SAQ.
We’ve worked hard the past several years to ensure each merchant has a detailed description of the processes in place for their card activity. These procedures are not only necessary for us to gain an understanding of your CHD environment but are needed so you, in the department, have an understanding of the process and ensure all necessary safeguards are in place for safe cash handling and security. They are also essential to meet PCI documentation requirements.
Submit your updated documentation by Friday, May 17th to:
Jordan Bergman, Bursar’s Office, 121 Canfield Admin, Lincoln, NE 68588-0412
Changes to PCI Team
Lyda Snodgrass retired as Bursar
We recently had to say farewell to Lyda Snodgrass, Bursar. She retired in December.
Jennifer Hellwege was hired as Bursar starting January 1st.
Please welcome our new Associate Bursar
Jordan Bergman joined the Bursar’s Office on April 8th as our Associate Bursar. Jordan was Branch Manager for the Union Bank & Trust branch in the Nebraska Union prior to coming to the University. We are excited to have him join our team.
Jordan will soon be training on credit cards and becoming involved in all card activity on campus.
PCI Compliance Self-Assessment Questionnaires
The next step in compliance is the Self-Assessment Questionnaires (SAQs). Each merchant account has to submit an SAQ to Elavon. Elavon utilizes PCI Compliance Manager for this process. It is a tool which allows us to submit our SAQ information online. Similar to last year, we expect to accumulate the information for the SAQs for those departments using only stand-alone terminals. The PCI Team will then submit the information electronically for the group rather than each merchant account having to do the compliance separately. For those with other setups (i.e. online, POS, Ethernet), we will schedule meetings with our PCI Team again and sit down with your department to assist with the SAQ(s) you must complete.
We will continue with the goal of completing our compliance efforts by June 30th of each year. This is consistent with efforts on the other campuses as well.
Fiscal Year End - Posting June Card Sales and Fees
The June sales and fees will be booked in FY 2019. Please submit your sales reports for June as soon as possible after year end. We cannot allocate out the sales until all reports are received, and we know departments are anxious to see those figures at year end.
As in past years, we will be sending the June sales spreadsheet to Accounting at year end as well. They post any amounts in the “Amts Not Yet Posted by Bank” column as FY 2019 sales along with a corresponding receivable so all sales are accurately captured in the correct fiscal year. If you do not submit your sales report and have FY 2019 sales which are not included in our entry, you will need to contact Accounting directly to make this entry.
Any questions, please contact Jordan Bergman at:
jbergman4@unl.edu