University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C-VT

20 Nov 2013


All university merchant departments accepting credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS), which is intended to ensure the safe handling of cardholder data.

To validate PCI DSS compliance, a self-assessment questionnaire must be completed for each merchant ID assigned by the university’s merchant acquirer (e.g., Global Payments). A completed self-assessment questionnaire (SAQ) is required annually. It is the responsibility of the merchant department to complete the questionnaire when due. There are 5 different versions of the SAQ. The required SAQ for a merchant depends on the manner in which credit cards are processed.

Category / Description / Examples

SAQ Category A
  Description: For card-not-present merchants where all cardholder data functions are outsourced. There are no face to face transactions.
  Examples: TouchNet Marketplace e-commerce uPay, uStore or Bill+Pay.

SAQ Category B
  Description: For merchants using imprint or standalone dial-up terminals connected by phone line. There must be no electronic cardholder data storage.
  Examples: Verifone VX570 connected only to phone line.

SAQ Category C
  Description: For merchants with payment applications connected to the internet. There must be no electronic data storage and no connection to other systems.
  Examples: Point-of-sale systems with card present, face to face transactions. Cardholder data environment isolated. Verifone VX570 connected to internet.

SAQ Category C-VT
  Description: For merchants using only web-based virtual terminal applications.
  Examples: TouchNet Payment Gateway Single Authorizations or office entry on behalf of others, using self service solutions.

SAQ Category D
  Description: All other merchants not included above.
  Examples: Point-of-sale systems with card present, face to face transactions. Cardholder data environment is not isolated from other functions.



To obtain a copy of the SAQs and the PCI DSS visit this web site:

https://www.pcisecuritystandards.org/security_standards/index.php

Before beginning your SAQ, please read the following documents:

The PCI Data Security Standard
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Instructions and Guidelines provided by the PCI Security Standards Council
https://www.pcisecuritystandards.org/documents/pci_dss_SAQ_Instr_Guide_v2.1.pdf

This guide is for merchant departments who process credit card transactions using virtual terminals on personal computers connected to the internet. A virtual terminal is web-browser based access to a processor or third party service provider website that allows manual entry and authorization of credit card transactions.

Examples of virtual terminal use would include:

- TouchNet Payment Gateway Single Authorizations
- Use of TouchNet Marketplace uStores or uPay sites to enter and process payments on behalf of others.
- Global Transport VT

For 2012, merchant departments eligible to complete SAQ C-VT must complete SAQ C-VT version 2.0 using TrustKeeper. In order to use this guide to complete SAQ C-VT for your merchant, all of the following criteria must be met:

- Merchant’s only payment processing is done via a virtual terminal accessed by an internet web browser, or a combination of e-commerce self service and virtual terminal;
- The virtual terminal solution is provided and hosted by a PCI DSS validated third-party service provider;
- The merchant department accesses the PCI-DSS compliant virtual terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within the university environment (connected to your campus PCI Compliant Network);
- The merchant department’s computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward);
- The merchant department’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached);
- The merchant department does not otherwise receive or transmit cardholder data electronically through any channels (for example, via an internal network or the Internet);
- The merchant department does not store cardholder data in electronic format;
- If the merchant department does store cardholder data, such data is only in paper reports or copies of receipts and is not received electronically.


TrustKeeper Log-in

If your merchant processes transactions consistent with the SAQ C-VT requirements, you must log in to TrustKeeper to complete your SAQ. Log in to TrustKeeper at trustkeeper.net. Contact your credit card campus coordinator to obtain your user ID and password.







TrustKeeper Home Page

From the TrustKeeper home page, click on “Learn about the Program” to obtain the “Getting Started Guide” with instructions on how to proceed. Follow the instructions to complete your merchant profile and SAQ. More specific instructions or information that you might need is available later in this document.

Click on the “Merchant Profile” link to edit/complete the Merchant Profile.








Merchant Profile

Your merchant profile may indicate a complete status when you first log in. If you have not already done so, you should verify the Merchant Profile information, correct the answers, if necessary, and save. To see help context for a question, click on the question mark that follows each question.

If you are uncertain about an answer to a question, contact your campus credit card coordinator.

Click “Save” on the final page to save your profile and return to the home page.







Edit Compliance Questionnaire

From the home page, click on “Edit Compliance Questionnaire” to begin the SAQ.

SAQ Selection

Click on the “Edit Compliance Questionnaire” link to complete the SAQ. SAQ 2.0 Form C-VT should be selected. If it is not, review the merchant profile and check your answers. Click “Begin” to go to the SAQ questions.







Completing the SAQ

When you log in for the first time, you may find that some of the questions have already been completed. You should review all of the questions and answers by clicking on the “All Questions” tab. Information you may need about each question is contained in the remaining pages of this guide. An Administrative Practice Letter (APL) IV-F “Credit Debit Card Standards” has been issued by the University of Maine System Office of the Treasurer to create standards for credit and debit card processing. You may want to reference that APL as you complete your SAQ. You can find it on the web at:

http://www.maine.edu/pdf/APLCreditDebitCardStandards.pdf



Eligibility Criteria

Answer all eligibility questions. You are certifying your eligibility to complete SAQ C-VT.

E.7 - The merchant’s only payment processing is via a virtual terminal accessed by an internet connected web browser.

  Answer YES if your payment processing is done only using TouchNet Payment Gateway single authorization, TouchNet uPay or uStore or a similar virtual terminal, or if your payment processing is done using a virtual terminal on a TouchNet uPay, uStore or other e-commerce site that is also used for self-service e-commerce.

E.8 - Merchant accesses the virtual terminal via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment.

  Answer YES if the device used for payment processing is connected to the University’s PCI compliant network.

E.9 - Merchant’s virtual terminal solution is provided and hosted by a PCI DSS validated third party service provider.

  Answer YES if you use TouchNet or another PCI DSS validated service provider. All service providers must be approved by the UMS Office of the Chief Information Security Officer (CISO).

E.10 - Merchant's computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward).

  Use of such a system does not meet the criteria for SAQ C-VT, but may be acceptable for SAQ C or SAQ D.

Merchant's computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached).

  Use of such a system does not meet the criteria for SAQ C-VT, but may be acceptable for SAQ C or SAQ D.

If you are unable to answer all questions YES, SAQ C-VT is not the correct questionnaire.

The remaining questions must all be answered YES or Not Applicable (N/A) for your merchant to be PCI DSS compliant and to pass the SAQ. All N/A answers must be explained in the comments section for that question. If you are unable to answer YES or N/A, you will likely need to make some changes in your credit card processing.

Generally, if your merchant uses a virtual terminal application or an e-commerce site to process credit card payments on behalf of others, you should complete an SAQ C-VT using this guide.




Firewall Configuration

- Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment, and are the restrictions documented? (SAQ #1.2.1.a)

  All personal computers used to access virtual terminals for credit card processing must be single use devices connected to your campus PCI Compliant Network. Answer YES only if your computer is connected to your campus PCI Compliant Network.

- Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)? (SAQ #1.2.1.b)

  Answer YES only if your computer is connected to the campus PCI Compliant Network.

- Are perimeter firewalls installed between any wireless networks and the cardholder data environment, and are these firewalls configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment? (SAQ #1.2.3)

  Answer YES if the personal computer(s) used to connect to virtual terminals are connected to your campus’s secure PCI Compliant Network.

Does the firewall configuration prohibit direct public access between the Internet and any system component in the cardholder data environment as follows:

- Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment? (SAQ #1.3.3)

  Answer YES if the personal computer(s) used to connect to virtual terminals are connected to your campus’s secure PCI Compliant Network.

- Is outbound traffic from the cardholder data environment to the Internet explicitly authorized? (SAQ #1.3.5)

  Answer YES if the personal computer(s) used to connect to virtual terminals are connected to your campus’s secure PCI Compliant Network.

- Is stateful inspection, also known as dynamic packet filtering, implemented (that is, only established connections are allowed into the network)? (SAQ #1.3.6)

  Answer YES if the personal computer(s) used to connect to virtual terminals are connected to your campus’s secure PCI Compliant Network.

- Is personal firewall software installed and active on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network? (SAQ #1.4.a)

  Answer YES if the personal computer(s) used to connect to virtual terminals are running software based firewalls that deny inbound connections as the default policy. If you are not familiar with how to check your system’s firewall configuration, ask your IT administrator.

- Is the personal firewall software configured to specific standards, and not alterable by mobile and/or employee-owned computer users? (SAQ #1.4.b)

  Answer YES if the personal computer(s) used to connect to virtual terminals are running software based firewalls and non-administrative users cannot alter firewall settings.
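As an added example that is not part of the university's guide, the following PowerShell script checks on a Windows PC what the two personal-firewall questions above ask about: that the host firewall service is running and every profile is enabled with inbound connections blocked by default (SAQ #1.4.a), and that the account operating the virtual terminal is not a local administrator who could alter those settings (SAQ #1.4.b). It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets, Windows 10 / Server 2016 or later for Get-LocalGroupMember, and an elevated PowerShell prompt.

```powershell
# Added example (not from the UMS guide): audit a Windows virtual terminal PC
# against the personal firewall questions SAQ #1.4.a and #1.4.b.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and, for the
# local group listing, Windows 10 / Server 2016 or later. Run elevated.

# 1. The Windows Firewall service must be present and running.
$svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
$serviceRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

# 2. Every profile (Domain, Private, Public) must be enabled and must block
#    inbound connections by default; "Allow" means there is no deny-by-default.
$profileReport = foreach ($p in Get-NetFirewallProfile) {
    $enabled = ([string]$p.Enabled -eq 'True')
    $inbound = [string]$p.DefaultInboundAction
    [pscustomobject]@{
        Profile        = $p.Name
        Enabled        = $enabled
        DefaultInbound = $inbound
        Compliant      = $enabled -and ($inbound -eq 'Block')
    }
}

# 3. Broad inbound allow rules (any remote address, any local port) punch holes
#    in the default deny and should each be justified on a single-purpose PC.
$broadAllows = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        ($addr -contains 'Any') -and ($port -contains 'Any')
    } | Select-Object DisplayName, Profile

# 4. SAQ #1.4.b: non-administrative users must not be able to change the
#    settings. Anyone in the local Administrators group can, so list the
#    members and compare them against the account that operates the terminal.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name

Write-Output "Firewall service running: $serviceRunning"
$profileReport | Format-Table -AutoSize
Write-Output "Broad inbound allow rules (review each):"
$broadAllows | Format-Table -AutoSize
Write-Output "Members of local Administrators (must not include the merchant operator):"
$admins

$allProfilesOk = -not ($profileReport | Where-Object { -not $_.Compliant })
if ($serviceRunning -and $allProfilesOk) {
    Write-Output "RESULT: firewall enabled on all profiles with inbound denied by default (SAQ #1.4.a)."
} else {
    Write-Output "RESULT: firewall posture does not meet SAQ #1.4.a; correct the items above before answering YES."
}
```

Run it as a periodic check on the virtual terminal PC; a YES on #1.4.b also needs the rule set to be managed by IT (for example through Group Policy) so that the listed administrators are the only accounts able to change it.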

System Settings

- Are vendor-supplied defaults always changed before installing a system on the network? Vendor-supplied defaults include but are not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts. (SAQ #2.1)

  Virtual terminal users should not be using accounts with default passwords. Each user should be using an individual account provided specifically to that user. Answer YES only if you follow those practices.

For wireless environments connected to the cardholder data environment or transmitting cardholder data, are defaults changed as follows:

- Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions? (SAQ #2.1.1.a)

  The device you use for virtual terminal access should not have wireless access enabled. Answer: Not Applicable and Comments: Wireless devices are not permitted at this time.

- Are default SNMP community strings on wireless devices changed? (SAQ #2.1.1.b)

  The device you use for virtual terminal access should not have wireless access enabled. Answer: Not Applicable and Comments: Wireless devices are not permitted at this time.

- Are default passwords/passphrases on access points changed? (SAQ #2.1.1.c)

  The device you use for virtual terminal access should not have wireless access enabled. Answer: Not Applicable and Comments: Wireless devices are not permitted at this time.

- Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks? (SAQ #2.1.1.d)

  The device you use for virtual terminal access should not have wireless access enabled. Answer: Not Applicable and Comments: Wireless devices are not permitted at this time.

- Are other security-related wireless vendor defaults changed, if applicable? (SAQ #2.1.1.e)

  The device you use for virtual terminal access should not have wireless access enabled. Answer: Not Applicable and Comments: Wireless devices are not permitted at this time.

Do system configuration standards include the following:

- Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (SAQ #2.2.2.a)

  Answer YES if the personal computer(s) used to connect to virtual terminals have been customized by your IT administrator to include only those services needed for the authorized payment activities.

Stored Data Protection

Do all systems adhere to the following requirements regarding storage of sensitive authentication data after authorization (even if encrypted)?

- The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstance? (SAQ #3.2.2)

  Virtual terminal devices should not be storing credit card data. APL IV-F “Credit/Debit Card Standards” prohibits storage of card-validation codes in any format. Answer: YES

- Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed)? (SAQ #3.3)

  Verify that your virtual terminal application masks the display of the card number for on-screen and printed reports. Answer: YES

Transmitted Data Protection

- Are strong cryptography and security protocols, such as SSL/TLS or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (SAQ #4.1.a)

  Answer YES if your web browser implements SSL/TLS or other strong cryptographic protocols when accessing the virtual terminal. An https: prefix will precede all URLs where encryption is being used to protect the transmission of your sensitive information, including cardholder data.

- Are only trusted keys and/or certificates accepted? (SAQ #4.1.b)

  SSL certificates must be signed by a trusted Certificate Authority. Your browser has a built-in mechanism to accept only trusted certificates. Answer YES only if you NEVER accept certificates that your web browser warns you could be invalid (e.g. expired, self-signed, wrong hostname). These are likely signs of malicious activity. Answer: YES

For SSL/TLS implementations:

- Does HTTPS appear as part of the browser Universal Record Locator (URL)?
- Is cardholder data required only when HTTPS appears in the URL? (SAQ #4.1.e)

- Are policies in place to preclude the sending of unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)? (SAQ #4.2)

  APL IV-F “Credit/Debit Card Standards” prohibits the use of such messaging technologies for sending or receiving credit card data. Answer: YES

Anti-Virus Protection

- Is anti-virus software deployed on all systems commonly affected by malicious software? (SAQ #5.1)

  Verify that your PC used for virtual terminal transactions has the appropriate anti-virus software installed. Answer: YES

- Are all anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (SAQ #5.1.1)

  Verify that your PC used for virtual terminal transactions has the appropriate anti-virus software installed. Answer: YES

Is all anti-virus software current, actively running, and generating audit logs as follows?

- Does the anti-virus policy require updating of anti-virus software and definitions? (SAQ #5.2.a)

  Verify that your PC used for virtual terminal transactions has the appropriate anti-virus software installed. Answer: YES

- Are automatic updates and periodic scans enabled? (SAQ #5.2.c)

  Confirm the anti-virus software is performing periodic scans, and that its signatures are kept up to date. Check the settings of your anti-virus software to confirm this is true. Answer: YES

- Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (SAQ #5.2.d)

  Ensure your anti-virus software is keeping logs of its activity for at least one year. Check your anti-virus settings to confirm that logs are not being deleted sooner than one year and that you have sufficient disk space where the logs are being stored. Answer: YES


Application and Systems Security

- Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed? (SAQ #6.1.a)

  Verify that your PC used for virtual terminal transactions has the latest security patches installed (e.g., Windows, Internet Explorer). Answer: YES

- Are critical security patches installed within one month of release? (SAQ #6.1.b)

  Verify that security patches for your PC used for virtual terminal transactions are regularly installed (e.g., Windows, Internet Explorer). Answer: YES

Access Restrictions

Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:

- Are access rights for privileged user IDs restricted to least privileges necessary to perform job responsibilities? (SAQ #7.1.1)

  APL IV-F “Credit/Debit Card Standards” requires access limitations for paper documentation containing cardholder data and restrictions to devices or databases involved in processing, storing or communicating cardholder data. Access to virtual terminal applications must be limited to only the privileges required to perform necessary job responsibilities. Answer: YES

- Are privileges assigned to individuals based on job classification and function (also called "role-based access control" or RBAC)? (SAQ #7.1.2)

Physical Access Controls

- Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (SAQ #9.6)

  APL IV-F “Credit/Debit Card Standards” prohibits electronic storage of cardholder data. Verify that any paper media that contains cardholder data is properly destroyed once the transaction is complete or is physically secure.

  If proper procedures are in place, answer YES.

  If paper documents containing cardholder data are never created in the payment process, answer N/A, Comments: No media is created containing cardholder data.

- Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data? (SAQ #9.7.a)

  APL IV-F “Credit/Debit Card Standards” prohibits electronic storage of cardholder data. Verify that proper controls are used if paper documents containing cardholder data are handled.

  If proper procedures are in place, answer YES.

  If paper documents containing cardholder data are never created in the payment process, answer N/A, Comments: No media is created containing cardholder data.

Do controls include the following?

- Is the media classified so the sensitivity of the data can be determined? (SAQ #9.7.1)

  APL IV-F “Credit/Debit Card Standards” states that when documents containing cardholder data are moved from one place to another, they must be clearly marked as confidential information.

  If proper procedures are in place, answer YES.

  If paper documents containing cardholder data are never created in the payment process, answer N/A, Comments: No media is created containing cardholder data.

- Is media sent by secured courier or other delivery method that can be accurately tracked?

  APL IV-F “Credit/Debit Card Standards” states that when documents containing cardholder data are moved from one place to another, they must be delivered personally or by a trackable courier service.

  If proper procedures are in place, answer YES.

  If paper documents containing cardholder data are never created in the payment process, answer N/A, Comments: No media is created containing cardholder data.

- Are logs maintained to track all media that is moved from a secured area, and is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (SAQ #9.8)

  APL IV-F “Credit/Debit Card Standards” requires that, if paper media exists with cardholder information, movement or transfer of that media must be approved by management.

  If proper procedures are in place, answer YES.

  If paper documents containing cardholder data are never created in the payment process, answer N/A, Comments: No media is created containing cardholder data.

- Is strict control maintained over the storage and accessibility of media that contains cardholder data? (SAQ #9.9)

  APL IV-F “Credit/Debit Card Standards” requires that stored media must be kept in a locked file.

  If proper procedures are in place, answer YES.

  If paper documents containing cardholder data are never created in the payment process, answer N/A, Comments: No media is created containing cardholder data.

- Is all media containing cardholder data destroyed when it is no longer needed for business or legal reasons? (SAQ #9.10)

  APL IV-F “Credit/Debit Card Standards” states that paper documents containing cardholder data should be kept only for as long as required for completion of the transaction.

  If proper procedures are in place, answer YES.

  If paper documents containing cardholder data are never created in the payment process, answer N/A, Comments: No media is created containing cardholder data.

Is destruction performed as follows:

- Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed? (SAQ #9.10.1.a)

  APL IV-F “Credit/Debit Card Standards” requires that destruction of any paper documents containing cardholder data must be done in such a way to make reconstruction of the data impossible (e.g., cross-cut shredder, incineration).

  If proper procedures are in place, answer YES.

  If paper documents containing cardholder data are never created in the payment process, answer N/A, Comments: No media is created containing cardholder data.

- Are containers that store information to be destroyed secured to prevent access to the contents? (For example, a "to-be-shredded" container has a lock preventing access to its contents.)

  APL IV-F “Credit/Debit Card Standards” requires that destruction of any paper documents containing cardholder data must be done in such a way to make reconstruction of the data impossible (e.g., cross-cut shredder, incineration).

  If proper procedures are in place, answer YES.

  If paper documents containing cardholder data are never created in the payment process, answer N/A, Comments: No media is created containing cardholder data.

Security Policies and Procedures

- Is a security policy established, published, maintained, and disseminated to all relevant personnel? (SAQ #12.1)

  APL IV-F “Credit/Debit Card Standards” defines credit card security practices to comply with UMS Policy Section 901 - Information Security and is required to be distributed to all employees involved in handling cardholder data. Answer: YES

- Is the information security policy reviewed at least once a year and updated as needed to reflect changes to business objectives or the risk environment? (SAQ #12.1.3)

  APL IV-F “Credit/Debit Card Standards” is required to be updated and distributed at least annually. Answer: YES

Are usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants [PDAs], e-mail, and Internet usage) developed to define proper use of these technologies for all personnel, and require the following?

- Explicit approval by authorized parties to use the technologies? (SAQ #12.3.1)

  Verify that personnel involved in payment card transactions understand that they are not authorized to use these devices in connection with payment card activities and must not attach such devices to payment card devices unless specifically authorized.

- A list of all such devices and personnel with access? (SAQ #12.3.3)

  All devices used in connection with payment card activities must be specifically identified.

- Acceptable uses of the technologies? (SAQ #12.3.5)

  APL IV-F “Credit/Debit Card Standards” states that UMS CISO approval is required for use of any wireless technologies in processing credit card data. Answer: YES

- Do the security policy and procedures clearly define information security responsibilities for all personnel? (SAQ #12.4)

  APL IV-F “Credit/Debit Card Standards”, APL VI-C “Information Security” and UMS Policy Section 901 - Information Security define responsibilities for information security. Answer: YES

Are the following information security management responsibilities formally assigned to an individual or team?

- Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations?

  APL VI-B “Information Security Incident Response” has established guidelines for incident response. Answer: YES

- Is a formal security awareness program in place to make all employees aware of the importance of cardholder data security? (SAQ #12.6)

  APL IV-F “Credit/Debit Card Standards” states that cardholder data security is a required part of the security awareness program for all employees. Answer: YES

If cardholder data is shared with service providers, are policies and procedures maintained and implemented to manage service providers, as follows?

- Is a list of service providers maintained? (SAQ #12.8.1)

  APL IV-F “Credit/Debit Card Standards” has a requirement that a listing of all service providers is maintained in the UMS Office of the Controller. Answer: YES

- Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess? (SAQ #12.8.2)

  APL IV-F “Credit/Debit Card Standards” has a requirement to obtain such a written acknowledgement from service providers. Answer: YES

- Is there an established process for engaging service providers, including proper due diligence prior to engagement? (SAQ #12.8.3)

  APL IV-F “Credit/Debit Card Standards” requires that all new service providers involved in processing, transmitting or storing cardholder data must be approved by the UMS Controller and UMS CISO. Answer: YES

- Is a program maintained to monitor service providers' PCI DSS compliance status at least annually? (SAQ #12.8.4)

  APL IV-F “Credit/Debit Card Standards” has a requirement for service providers to provide evidence of PCI DSS compliance at least annually. Answer: YES

Confirmation and Acknowledgement

You must be able to answer all questions YES in order to have a passing SAQ.

- PCI DSS Self-Assessment Questionnaire C-VT, Version 2.0, was completed according to the instructions therein. (SAQ CA.1.C-VT)

- All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects. (SAQ CA.2)

- I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.

- I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.

- No evidence of magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data, or PIN data storage after transaction authorization was found on ANY systems reviewed during this assessment.

  If your merchant uses only PCI compliant virtual terminal application(s) (e.g., TouchNet Payment Gateway), there should be no storage of CVV or PIN. You must never store CVV or PIN on paper records.

- Signature of Executive Officer (SAQ CA.S)

  Enter the full name of your campus CFO, or designated officer.

- Title of Executive Officer (SAQ CA.T)

  Enter the title of the officer from (S.) above.




Submitting your SAQ

After you have answered all of the questions, submit your SAQ by clicking the “Submit / Save” button. From the home page, you can see your PCI status and expiration date at the top of the page. You will be notified when the expiration date approaches. You must complete an SAQ each year.

You can view or print your report by clicking the “Report” link. This is the report that will be submitted to the merchant acquirer as evidence of your PCI compliance. Notify your campus coordinator for credit card processing if you have completed your SAQ and your status does not show “Compliant”.

You can view your compliance certificate by clicking the “View Compliance Certificate” link at the bottom of the page.