Merchant's Role in PCI Compliance
USU works to ensure that all Merchants are 100% PCI compliant and must perform various assessments and vulnerability scans in order to maintain our PCI Compliance status. As USU's compliance is dependent on everyone's efforts, it is important that Merchants understand their roles in maintaining USU's PCI Compliance.
What is the Merchant's Role in Completing an Annual Self-Assessment Questionnaire?
USU submits multiple self-assessment questionnaires to our merchant service providers and service sponsors annually. The Self-Assessment Questionnaire (SAQ) forms indicates our compliance status per each of the PCI Data Security Standard requirements. A Merchant's SAQ form is determined by types of devices used to process payments, encryption levels on transmission, how credit card information is routed to the gateway, business controls, and several other security controls. As all merchants are tied together in our attestation, USU attests collectively as a Merchant Level 3 SAQ D to our main Merchant Service Provider.
- Merchants must designate a Primary PCI Contact for each credit card processing environment and a data management group of individuals, as appropriate, who are assigned various PCI component responsibilities within the department/unit. The PCI Contact and all other individuals assigned will assist with completing the self-assessment questionnaire for their merchant.
- To comply with PCI DSS, a Merchant must certify their compliance by completing an annual self-assessment questionnaire (SAQ). While each merchant is responsible for managing their compliance, the PCI Compliance Officer will assist with completing the SAQ documentation.
- PCI Attestation of Compliance reports are attestations annually at a single point-in-time; however, Merchants are obligated as part of their conditions of accepting credit cards, to be compliant at all times (24x7x365).
- Changes to the processing environment (e.g., changing POS security settings, changing terminals, etc.) might affect the PCI Attestation of Compliance questionnaire and general overall security of the system and credit card processing. Before upgrading a PCI system, software and hardware securityty validations must be procured. Vendors must provide Merchants with the appropriate PCI validations for the new application and hardware prior to an upgrade. Once an upgrade occurs, the PCI Compliance Officer will request that IT perform a PCI penetration test against the modified system to ensure that all security controls are in place.
What documentation needs to be maintained by a Merchant?
Merchants are responsible for creating and maintaining the following items as part of their ongoing PCI documentation:
- Cash Handling Proceduresapproved by Treasury Services; including details for:
- Refund method
- Reconciliation
- Gateway management
- Workforce Asset Inventory
- Training of all employees, vendors, contractors, volunteers, etc. who have access to cardholder data or cardholder environment.
- Hardware Asset inventory
- Information Security Plan, including details for:
- Roles of individuals access cardholder data
- Access Management
- Hardware inspection procedures
- Physical Security of safe and physical cardholder data
- Network Diagram of PCI environment
- Vendor compliance validation(s); PA DSS, PTS, PCI validations, etc.
What is a PCI Assessment and how does it impact a Merchant?
Assessments are used to verify that the PCI DSS security controls are being satisfied. The PCI Compliance Officer will coordinate assessments with the PCI Contact personnel and other individuals as appropriate, annually or after a significant change. An assessment is to verify documentation, training and business processes for each of the security requirement questions are being satisfied. As USU has many Merchants that may share the same technology, an in-person assessment sampling of Merchants may be conducted annually for each of the SAQ form types. Assessments may consist of a combination or all of the following:
- Request documentation for hardware inventory, employees access, and training history
- Request copy of information security plan;
- Request last 90 days of transaction history;
- Request for Merchant to complete a new PCI self-assessment questionnaire;
- Request for an in-person visit to learn more about credit card procedures;
- Evaluating credit card needs, system use, and business processes; and/or
- Exploring ways to reduce scope and improve business efficiencies.