May 2025 Newsletter | PCI Compliance

Payment Card Processing Newsletter

MAY, 2025 ISSUE

University of Nebraska—Lincoln
PCI Compliance Team

The PCI Compliance Team is a collaboration between Information Technology Services (ITS) and the Office of the Bursar. It is a cross-functional team responsible for administering the University of Nebraska-Lincoln payment card policies and procedures, monitoring payment card activity, and educating merchants.

Contact Information

Information Technology Services (ITS)

Chris Cashmere phone: 402 472-1423

Office of the Bursar

Jennifer Hellwege phone: 402-472-9003

Lisa Hilzer phone: 402-472-9004

Download the printable PDF version of this newsletter here.

Newsletter Contents

PCI Compliance Paperwork Due Friday, May 23rd
PCI Data Security Training 2024-2025
Coming Soon: PCI Compliance Self-Assessment Questionnaires (SAQ)
Knowledge Base Article - PCI Scanning and Scan Attestations: Guidance for Merchant Representatives

PCI Compliance Paperwork Due Friday, May 23rd

The first step in PCI compliance is to collect each merchant account’s compliance paperwork. The same documentation as in past years will be required: Merchant Profile and Procedures Document with Cardholder Data (CHD) Flowchart. Merchants will also need to do a SAQ, coming soon (see page 2).

How do you get started? For each merchant account, you need to review, update, and submit:

• Merchant Profile – FY 2024-2025 forms are available here: https://pci.unl.edu/node/155/(please use the current forms as fields may have changed)
• Procedures Document with a current CHD Flowchart – narrative (no standard form)

REMINDER: Do not combine merchant accounts on these documents. We need a completed profile and procedures document for each merchant account/number.

Create a PCI FY 24-25 folder for retaining your documents. Download the current Merchant Profile form https://pci.unl.edu/node/155/

Access last year’s PCI FY 23-24 files. Review last year’s documents and update information to accurately reflect this year’s processes. Save the updated documents in your new folder. New merchants will need to create all documentation. The procedures document is a narrative of your processes and should incorporate the following:

- make, model, serial number and location of all equipment*
- details of all payment channels - individuals involved in payment processing
- storage/purge details of cardholder data (if appl.) - staff training requirements
- demonstration of segregation of duties in place - information on reconciliation process
- flowchart of cardholder data - signature of department head

*Be sure your PCI documentation is updated to reflect new equipment and processes. The popular Stand-alone Ingenico Desk 3500 terminals connect via Ethernet with Safe-T Solo solution to encrypt data.

Each merchant must have a detailed description of the processes in place for their card activity. These procedures are not only necessary for us to gain an understanding of your CHD environment, but are needed so you, in the department, have an understanding of the process and ensure all necessary safeguards are in place for safe cash handling and security. They are also essential to meet PCI documentation requirements.

Please submit your updated documentation by Friday, May 23rd to: bursar@unl.edu

PCI Data Security Training - 2024-2025

All personnel involved with card processing need to annually complete card data security training. To satisfy this requirement, Firefly-Bridge course PCI - Payment Card Data needs to be completed.

Firefly-Bridge link:
https://nebraska.bridgeapp.com/learner/programs/5e897251/enroll

Complete Course 1 PCI - Payment Card Data. (Best viewed in Google Chrome)

Since your department knows which individuals are involved with card processing, the monitoring and documentation of this training is the department’s responsibility.

COMING SOON: PCI Compliance Self-Assessment Questionnaires (SAQ)

One of the most important merchant responsibilities for maintaining PCI compliance is completing and submitting the annual Self-Assessment Questionnaire (SAQ). To meet this responsibility, each University merchant account is required to submit a SAQ thru the Elavon PCI Compliance Manager portal.

If your department uses only Stand-alone terminals, the PCI Team will collect the necessary information on a SAQ form and submit the SAQ on your behalf as a single group. Watch for the DocuSign SAQ form email.
For merchants with unique operations or non-Stand-alone terminal setups, such as eCommerce stores or Point of Sale Registers, we will schedule Zoom meetings to aid in completing and submitting the required SAQ. The Zoom meetings will primarily occur in June. Watch for a Zoom meeting setup email.

ATTN New Merchants: If your merchant account is new this year, you may have done a mid-year SAQ. We will still ask you to repeat the SAQ process in June to align your compliance reporting with the rest of the University merchants.

We will continue with the goal of completing our compliance efforts by June 30th of each year. This is consistent with efforts on the other campuses as well.

Knowledge Base Article - PCI Scanning and Scan Attestations: Guidance for Merchant Representatives

SAQ-A eCommerce merchants have been required to submit an Attestation of Scan Compliance document quarterly since PCI DSS v4.0 went into effect last spring. IT Security has provided instructions and guidance for merchant representatives in the following article: https://nusupport.nebraska.edu/TDClient/33/Portal/KB/ArticleDet?ID=543

Review this article to be certain you are taking the appropriate actions to obtain and submit your eCommerce site Attestation of Scan Compliance.

Direct questions to ITS-Security-Compliance at its-sec-compliance@nebraska.edu