May 2020 Newsletter

Payment Card Processing Newsletter

MAY, 2020 ISSUE

University of Nebraska—Lincoln
PCI Compliance Team

The PCI Compliance Team is a collaboration between Information Technology Services (ITS) and the Office of the Bursar. It is a cross-functional team responsible for administering the University of Nebraska-Lincoln payment card policies and procedures, monitoring payment card activity, and educating merchants.

Contact Information
Information Technology Services (ITS)

Chris Cashmere, phone: 402-472-1423

Office of the Bursar

Jennifer Hellwege, phone: 402-472-9003

Lisa Hilzer, phone: 402-472-9004


Due May 15th (if possible) — PCI Compliance Paperwork

The first step in compliance is to collect each merchant account’s compliance paperwork.  The same documentation as in past years will be required:  a Merchant Profile and a Procedures Document including a Cardholder Data (CHD) flowchart.  Merchants will also need to do the SAQ (see page 2).  PCI DSS version 3.2.1 is the current PCI version, and a wealth of information can be found on the PCI DSS website:  https://www.pcisecuritystandards.org/document_library

How do you get started?   For each merchant number, you need to review, update and submit:

Please Note:  Do not combine merchant accounts on these documents.  We need a completed profile and procedures document for each merchant account.

Create a PCI 2020 folder for retaining your documents.  Access last year’s PCI files.  Review your 2019 paperwork, update the information as needed to accurately reflect this year’s processes, and save a copy for this year’s documentation.  New merchants will need to create all documentation.  The procedures document is a narrative of your processes and should incorporate the following:

     - make, model, serial number and location of all equipment*

     - details of all payment channels

     - individuals involved in payment processing

     - storage/purge details of cardholder data (if appl.)

     - staff training requirements

     - demonstration of segregation of duties in place

     - information on reconciliation process

     - flowchart of cardholder data

     - signature of department head

* Many departments have recently purchased new terminals.  Be sure your PCI documentation is updated to reflect your new terminals and processes.  The new stand-alone terminals are purchased with Elavon’s Safe-T to encrypt the data and allow for processing via Ethernet.

Each merchant must have a detailed description of the processes in place for their card activity.  These procedures are not only necessary for us to gain an understanding of your CHD environment but are needed so you, in the department, have an understanding of the process and ensure all necessary safeguards are in place for safe cash handling and security.  They are also essential to meet PCI documentation requirements.  PLEASE NOTE:  If your procedures are altered at this time because of remote work, include both your regular operations and a section for your short-term operations as well.

We understand these are unusual times, and you may face challenges in completing this documentation at this time.  If possible, please submit your updated documentation by Friday, May 15th to:

Jordan Bergman, Associate Bursar at jbergman4@unl.edu

PCI Compliance Self Assessment Questionnaires

The next step in compliance is the Self-Assessment Questionnaires (SAQs). Each merchant account has to submit an SAQ to Elavon. Elavon utilizes PCI Compliance Manager for this process. It is a tool which allows us to submit our SAQ information online. Similar to last year, we expect to accumulate the information for the SAQs for those departments using only stand-alone terminals. The PCI Team will then submit the information electronically for the group rather than each merchant account having to do the compliance separately. For those with other setups (i.e. online, POS), we will schedule meetings with our PCI Team again to assist with the SAQ(s) you must complete. We expect these meetings to take place through Zoom at this time.

We will continue with the goal of completing our compliance efforts by June 30th of each year.  This is consistent with efforts on the other campuses as well.

PCI Terminal Changes

Per our November newsletter, UNL’s existing terminals were set to expire this month. A 4.X certification or higher would be needed for all terminals going forward. This meant terminals would need to be replaced soon if you have not already done so. We have approximately 50% of the campus converted to the new terminals.  The exciting news with the new terminals is they have Elavon’s Safe-T encryption which eliminates the need for them to be connected via analog phone lines. Now, you can connect via Ethernet using a data port and still be PCI compliant.

Recently, the PCI Council extended the expiration date of the 3.x devices due to the COVID-19 situation. They still encourage the deployment and use of the next generation terminals, but the 3.x devices will not expire until April 31, 2021.

A terminal listing is attached with pricing and options. Please send your terminal purchase orders to Jordan in the Bursar’s Office at jbergman4@unl.edu

After your new terminal(s) are operational, reach out to Elavon’s Premier Services (800-725-1245) and ask them to walk you through removing the programming from the obsolete terminal(s). This will ensure the terminal is no longer linked to your merchant account. Once this is complete, you can dispose of the terminal by sending it to Inventory.

PCI Compliance

Welcome WCREC

We are excited to welcome West Central Research and Extension Center (WCREC) as our newest merchant account.

Located in North Platte, WCREC is a research and extension facility of UNL’s Institute of Agriculture and Natural Resources (IANR). They serve as the site for field-based research and extension involving faculty and graduate students in eight IANR Departments.
