Credit Card Security (PCI-DSS Compliance)

Overview

All Northwestern University departments that accept credit card payments must process those payments in a manner compliant with the Payment Card Industry Data Security Standard (PCI DSS) per the NU Merchant Card Processing Policy and the Payment Card Industry Security Standards Council (PCI-SSC). It is the responsibility of each department to maintain compliance with PCI DSS.

e-Commerce Operations, under the auspices of Treasury Operations, directs a compliance program as an extension of managing merchant accounts. Participation in the PCI compliance program run by e-Commerce Operations is mandatory for all NU Merchants. Failure to fully participate in the program may result in your merchant account being revoked, leaving you unable to accept and process credit card payments.

Below is a list of the main components of the NU PCI Compliance Program based on the requirements set forth by the PCI-SSC, followed by details regarding each component:

  1. Annual SAQ (Self-Assessment Questionnaires)
  2. Security Awareness Education (security training)
  3. System Vulnerability Scans (as applicable)
  4. System Penetration Testing (as applicable)
  5. Periodic Reviews and Audits

Annual SAQ (Self-Assessment Questionnaires)

All merchants are required to validate PCI-DSS compliance at least once a year by completing the appropriate SAQ in a timely manner (prior to expiration). A separate questionnaire must be completed for each merchant account, and a new questionnaire must be filled out whenever any of the following has occurred:

  • payment processing system changes
  • a year has elapsed since your last SAQ
  • you have been prompted to do so by e-Commerce Operations

Treasury Operations maintains a contract with Trustwave to centrally manage PCI-DSS validation through the TrustKeeper Portal. All SAQs should be completed through the TrustKeeper Portal.

The PCI-SSC has issued 6 types of SAQs. e-Commerce Operations will help determine which SAQ applies to your situation. The table below lists all of the current SAQ form types, along with their general definitions.

SAQ Type              | Type of Payment System
----------------------|---------------------------------------------------------------------------------------------------------
SAQ Form A            | Card-not-present; all cardholder data functions outsourced; no electronic storage, processing, or transmission of cardholder data
SAQ Form B            | Imprint machines or standalone dial-out terminals only; no electronic cardholder data storage
SAQ Form C            | Payment application connected to the Internet; no electronic cardholder data storage
SAQ Form C-VT         | Web-based virtual terminal; no electronic cardholder data storage
SAQ Form D            | All other SAQ-eligible merchants
SAQ Form P2PE-HW v2.0 | Hardware payment terminals in a validated P2PE solution only; no electronic cardholder data storage

Security Awareness Education

Pursuant to PCI DSS requirement 12.6, e-Commerce Operations will hold PCI DSS Security Training annually. At least one representative from each merchant must attend the centralized training. It is at the discretion of the department whether to send additional employees to the central training or to disseminate the information through its own security awareness program. However, Treasury Operations and/or e-Commerce Operations may require participation in other forms of security awareness education whenever they see fit. The current fiscal year's security awareness presentation can be found in the Resources section below.

System Vulnerability Scans

Merchants with on-campus payment systems connected to the Internet are required to run vulnerability scans against their systems. Our contract with Trustwave includes external vulnerability scans that are scheduled on the TrustKeeper Portal; scan reports are posted on the TrustKeeper Portal as well. It is the responsibility of the merchant to review the scans and address any vulnerabilities that have been identified. Failure to address identified vulnerabilities can result in the location falling out of compliance.

System Penetration Testing

Merchants with on-campus payment systems connected to the Internet are required to have penetration testing performed at least once a year. Since this service is not currently a part of our Trustwave contract, special arrangements need to be made. Please contact e-Commerce Operations at 1-5382 if you would like to arrange a penetration test.

Periodic Reviews and Audits

e-Commerce Operations will regularly review the completed SAQs and vulnerability scans on the TrustKeeper Portal. Periodically, additional information and follow-up interviews may be requested. At the discretion of e-Commerce Operations, internal audits may occasionally be requested in order to review a merchant card location's credit card operations. The intention of these activities is to reduce the University’s risk by ensuring that merchants comply with PCI DSS. Failure to cooperate with such activities may result in your merchant account being revoked.

Resources:

NU PCI Compliance Program

PCI Security Awareness 2013

PCI Security Awareness 2012

PCI DSS 2.0

PCI DSS 2.0 SAQ Instructions

SAQ A v2.0

SAQ B v2.0

SAQ C v2.0

SAQ D v2.0

PCI Security Standards Council Website