April 2023 Newsletter

Payment Card Processing Newsletter

APRIL, 2023 ISSUE 1

University of Nebraska—Lincoln
PCI Compliance Team

The PCI Compliance Team is a collaboration between Information Technology Services (ITS) and the Office of the Bursar. It is a cross-functional team responsible for administering the University of Nebraska-Lincoln payment card policies and procedures, monitoring payment card activity, and educating merchants.

Contact Information
Information Technology Services (ITS)

Chris Cashmere, phone: 402 472-1423

Office of the Bursar

Jennifer Hellwege, phone: 402-472-9003

Lisa Hilzer, phone: 402-472-9004


PCI Compliance Paperwork Due Friday, May 19th

The first step in PCI compliance is to collect each merchant account’s compliance paperwork. The same documentation as in past years will be required: Merchant Profile and Procedures Document with Cardholder Data (CHD) Flowchart. Merchants will also need to complete the SAQ, which is coming soon (see page 2). PCI DSS v3.2.1 is the current PCI version; however, we will be transitioning to PCI DSS v4.0 over the next year (see page 2).


How do you get started? For each merchant account, you need to review, update, and submit:

  • Merchant Profile – FY 2022-23 forms are available here: http://pci.unl.edu/merchant-profile (please use the current forms as fields may have changed)
  • Procedures Document with a current CHD Flowchart – narrative (no standard form)

REMINDER: Do not combine merchant accounts on these documents. We need a completed profile and procedures document for each merchant account/number.

Create a PCI FY 22-23 folder for retaining your documents. Download the current Merchant Profile form here: http://pci.unl.edu/merchant-profile


Access last year’s PCI FY 21-22 files. Review last year’s documents and update information to accurately reflect this year’s processes. Save the updated documents in your new folder. New merchants will need to create all documentation. The procedures document is a narrative of your processes and should incorporate the following:

  • make, model, serial number and location of all equipment*
  • details of all payment channels
  • individuals involved in payment processing
  • storage/purge details of cardholder data (if applicable)
  • staff training requirements
  • demonstration of segregation of duties in place
  • information on reconciliation process
  • flowchart of cardholder data
  • signature of department head

*Be sure your PCI documentation is updated to reflect new equipment and processes. The standalone terminals have Elavon’s Safe-T to encrypt data and allow for processing via Ethernet.

Each merchant must have a detailed description of the processes in place for their card activity. These procedures are necessary not only for us to gain an understanding of your CHD environment but also so that you, in the department, understand the process and can ensure all necessary safeguards are in place for safe cash handling and security. They are also essential to meet PCI documentation requirements.


Please submit your updated documentation by Friday, May 19th to: bursar@unl.edu

New Contact for Cvent Setup

Laura Tharnish recently joined IANR Cooperative Extension and can assist you with Cvent information and setup. Contact Laura at ltharnish2@unl.edu

As a reminder: Cvent, also known as the University of Nebraska Event Registration merchant, may be a great option for your next event. Cvent is a robust registration management system available to the entire University community. Using Cvent can save your department time because registration payment transactions are run securely through this one system, which means the accounting and compliance are taken care of for you.

COMING SOON: PCI Compliance Self-Assessment Questionnaires (SAQs)

One of the most important merchant responsibilities for maintaining PCI compliance is completing and submitting the yearly Self-Assessment Questionnaire (SAQ). To meet this responsibility, each University merchant account is required to submit a SAQ through the Elavon PCI Compliance Manager portal. If your department uses only P2PE stand-alone terminals, the PCI Team will collect the necessary information for the SAQs and submit the SAQ on your behalf as a single group. For merchants with substantial changes from last year, unique operations, or non-P2PE setups (such as online stores or point of sale systems), we will schedule Zoom meetings, primarily in June, with those merchants to aid with completing and submitting the required SAQs.


ATTN NEW MERCHANTS: If your merchant account is new this year, you may have done a mid-year Self-Assessment Questionnaire (SAQ). We will still ask you to repeat the SAQ process in June to align your compliance reporting with the rest of the University merchants.


We will continue with the goal of completing our compliance efforts by June 30th of each year. This is consistent with efforts on the other campuses as well.

PCI DSS Transition from v3.2.1 to v4.0

We anticipate that PCI DSS v4.0 will contain some new requirements, but we have not identified any substantial changes for our P2PE merchants or SAQ-A merchants. A summary of changes document is attached to this Newsletter email.
There is a wealth of information on the PCI DSS website: https://www.pcisecuritystandards.org/document_library

PCI v4.0 timeline


Summary of Changes from PCI DSS Version 3.2.1 to 4.0