Payment Card Processing Newsletter
February, 2018 issue
University of Nebraska—Lincoln
PCI Compliance Team
The PCI Compliance Team is a collaboration between Information Technology Services (ITS) and the Office of the Bursar. It is a cross-functional team responsible for administering the University of Nebraska-Lincoln payment card policies and procedures, monitoring payment card activity, and educating merchants.
Contact Information
Information Technology Services (ITS)
Office of the Bursar
Due March 23rd — PCI Compliance Paperwork
It’s that time of year again. We learned a great deal during last year’s compliance efforts with Elavon, and hopefully this year’s will go more smoothly. We will again request the same documentation as in past years: a Merchant Profile and a Procedures Document including a Cardholder Data (CHD) flowchart, followed by completion of the SAQ. For most terminal-only merchants, we will collect the SAQ information and submit the attestation on your behalf. For others, we will schedule visits to assist each department in completing its own SAQ.
PCI DSS version 3.2 is the current PCI version, and a wealth of information can be found on the PCI DSS website: https://www.pcisecuritystandards.org/document_library
How do you get started? For each merchant number, you need to review, update and submit:
- Merchant Profile: forms available here: http://pci.unl.edu/merchant-profile
- Procedures Document (including a current CHD flowchart): narrative (no standard form)
Please Note: Do not combine merchant accounts on these documents. We need a completed profile and procedures document for each merchant account.
Access last year’s PCI files, and save a copy labeled PCI 2018 for the current year. Review all your 2017 paperwork and update the information as needed to accurately reflect this year’s processes. The procedures document is a narrative of your processes and should incorporate the following:
- make, model, serial number and location of all equipment
- details of all payment channels
- individuals involved in payment processing
- storage/purge details of cardholder data (if applicable)
- staff training requirements
- demonstration of segregation of duties in place
- information on reconciliation process
- flowchart of cardholder data
- signature of department head
Last year, we worked very hard to get additional information included in each merchant’s documentation to make it a more complete picture of the process in place for each department. We referred to this past year’s documentation in several situations when employees had left or were gone unexpectedly. These procedures are not only necessary for us to get an understanding of your cardholder data environment but are needed so you, in the department, have an understanding of the process and can ensure that all necessary safeguards are in place for safe cash handling and security. They are also essential to meet PCI documentation requirements.
Submit your updated documentation by Friday, March 23rd to:
Jennifer Hellwege
Bursar’s Office
121 Canfield Admin
Lincoln, NE 68588-0413
Retraction: “Paper Supplies – FREE” from January 2018 Newsletter
We apologize, but we have since been notified by Elavon that paper supplies are NOT free. The information provided in last month’s newsletter is incorrect.
Be Prepared for Issues
Does your terminal have a label on it with what you need if there is a problem? Be sure it includes the Customer Service phone number, your MID#, and any other information that will be needed when making the phone call to support. Test this by calling in so you are ready when the situation arises.
Conferences/Workshops — On Site Registrations
Are you holding conferences which accept online credit card payments? We understand it is nice to also take card payments in person at these types of events, but we must stress that care must be taken when doing so. If we are providing the means to make the payment on-site, the setup must be PCI compliant. We cannot just provide computers for registration; very strict controls must be in place. If not, the same issues as using our computers on campus would come into play, i.e., bringing our network into scope and not providing a secure process. Any setup must be approved by the PCI Team.
We do have individuals with mobile card terminals that are PCI compliant and can be used for this type of activity. If interested, these options are outlined on our website at:
https://pci.unl.edu/becoming-a-merchant#mobile-payment
PCI Scans — Update IP Addresses / Users as Changes Occur
Vulnerability scans are regularly done on any IPs in scope for PCI, which include any redirects to a payment gateway. This is required by the most current PCI DSS regulations. We are required to scan weekly and also to submit a quarterly scan to Elavon.
UNL utilizes QualysGuard for our PCI scans. Within QualysGuard we have an Asset Group set up for each merchant account that requires scanning. We also have Operator Accounts set up so merchants can access the scanning information.
The information provided both in your Merchant Profile and procedures documents (flow charts) is reviewed against QualysGuard each year. This is another reason why it is important that this information be as current and complete as possible, as it is needed to properly identify all components of your card processing environment. (But this review is only done on an annual basis.) Keeping this information up to date is a challenge and relies heavily on each department doing it. Dan Buser coordinates the PCI scans for the UNL PCI Team. Please let Dan know any time an IP address change occurs so he can keep our scan information up to date. Also inform him if a change in staff occurs and a user’s access should be deactivated and/or new user accounts need to be set up. Dan can be reached at: dan.buser@unl.edu