Payment Card Processing Newsletter
APRIL, 2021 ISSUE
University of Nebraska—Lincoln
PCI Compliance Team
The PCI Compliance Team is a collaboration between Information Technology Services (ITS) and the Office of the Bursar. It is a cross-functional team responsible for administering the University of Nebraska-Lincoln payment card policies and procedures, monitoring payment card activity, and educating merchants.
Contact Information
Information Technology Services (ITS)
Chris Cashmere phone: 402 472-1423
Office of the Bursar
Jennifer Hellwege phone: 402-472-9003
Lisa Hilzer phone: 402-472-9004
PCI Compliance Paperwork—Due May 21st
The first step in compliance is to collect each merchant account’s compliance paperwork. The same documentation as in past years will be required: a Merchant Profile and a Procedures Document including a Cardholder Data (CHD) flowchart. Merchants will also need to do the SAQ (see page 2). PCI DSS version 3.2.1 is the current PCI version, and a wealth of information can be found on the PCI DSS website: https://www.pcisecuritystandards.org/document_library
How do you get started? For each merchant number, you need to review, update and submit:
- Merchant Profile – forms available here: http://pci.unl.edu/merchant-profile
- Procedures Document (including a current CHD flowchart) – narrative (no standard form)
Please Note: Do not combine merchant accounts on these documents. We need a completed profile and procedures document for each merchant account.
Create a PCI 2021 folder for retaining your documents. Access last year’s PCI files. Review your 2020 paperwork, update the information as needed to accurately reflect this year’s processes, and save a copy for this year’s documentation. New merchants will need to create all documentation. The procedures document is a narrative of your processes and should incorporate the following:
- make, model, serial number and location of all equipment*
- details of all payment channels
- individuals involved in payment processing
- storage/purge details of cardholder data (if appl.)
- staff training requirements
- demonstration of segregation of duties in place
- information on reconciliation process
- flowchart of cardholder data
- signature of department head
* Many departments have purchased new terminals recently. Be sure your PCI documentation is updated to reflect your new equipment and processes. The new stand-alone terminals are purchased with Elavon’s Safe-T to encrypt the data and allow for processing via Ethernet.
There have been many changes on campus this year. Any equipment or procedural changes need to be reflected in your documentation.
Each merchant must have a detailed description of the processes in place for their card activity. These procedures are not only necessary for us to gain an understanding of your CHD environment but are needed so you, in the department, have an understanding of the process and ensure all necessary safeguards are in place for safe cash handling and security. They are also essential to meet PCI documentation requirements. PLEASE NOTE: If your procedures are altered at this time because of remote work, include both your regular operations and a section for your short-term operations as well.
Please submit your updated documentation by Friday, May 21st to: bursar@unl.edu
Bursar’s Office Staffing Change
Jordan Bergman has resigned from his position as Associate Bursar. Communications or requests you would normally send to Jordan should be sent to:
You may also reach out to Jennifer Hellwege, Bursar.
Welcome to our new merchant: 4H Horse Shows
PCI Compliance Self Assessment Questionnaires
The next step in compliance is the Self-Assessment Questionnaires (SAQs). Each merchant account has to submit an SAQ to Elavon. Elavon utilizes PCI Compliance Manager for this process. It is a tool which allows online submission of our SAQs. Similar to last year, we expect to accumulate the information for the SAQs for those departments using only stand-alone terminals. The PCI Team will then submit the information electronically for the group rather than each merchant account having to do the compliance separately. For those with other setups (i.e. online, POS), we will schedule meetings with our PCI Team again to assist with the SAQ(s) you must complete. We expect these meetings to primarily take place in June. They will be conducted through Zoom.
ATTN: New merchants—If your merchant account is new this year, you may have done a mid-year attestation. We will still ask you to do one at this time to bring your compliance in line with the remainder of the University’s compliance dates.
We will continue with the goal of completing our compliance efforts by June 30th of each year. This is consistent with efforts on the other campuses as well.
Security Awareness Training – PCI DSS Requirement 12.6
All personnel connected in any way with cardholder data need to annually complete security awareness training at https://its.unl.edu/services/security-awareness-training/securing-human-training-request.
Departments that would like to request access for several employees at once, instead of making individual requests, can contact Robby Debevoise with a listing of the employees who need to complete the training. Robby can also provide reporting so departments can ensure all employees have complied with this requirement.