Payment Card Security (PCI DSS)
Overview
All Northwestern University departments that accept credit/debit card payments are considered merchant locations and must process those payments in a secure manner. It is the responsibility of each merchant location to maintain compliance with the NU Merchant Card Processing Policy and the Payment Card Industry Data Security Standard (PCI DSS) established by the Payment Card Industry Security Standards Council (PCI SSC).
Treasury Operations is a central e-commerce administrator and compliance resource for Northwestern University merchant locations. All Northwestern University merchant locations must participate in Northwestern University’s PCI training program and compliance initiatives. Failure to fully participate may result in the merchant account being revoked.
Northwestern’s PCI DSS Compliance Program addresses requirements of the PCI SSC, including:
- Security Awareness Education (required PCI DSS Security Training and Attestation)
- Third Party Service Provider (TPSP) engagement
- System Vulnerability Scans
- System Penetration Testing
- Periodic Reviews and Audits
- Annual PCI SAQ (Self-Assessment Questionnaire)
(1) PCI DSS Security Training and Attestation
Per PCI DSS requirement 12.6, Northwestern University requires all Northwestern merchant location personnel interacting with the Cardholder Data Environment (CDE) in any manner (from the initial entry to the final reconciliation) to complete an annual training and attestation. This mandatory requirement includes student employees, contractors and volunteers.
Employees and those with myHR access should complete training in myHR: (PCI DSS: Payment Card Data Security).
Volunteers and those without myHR access should complete this training at: https://sites.northwestern.edu/pcidss/
- Individuals who have not completed training and attestation are not permitted to process Cardholder Data (CHD) on behalf of Northwestern University interests. Merchant locations using untrained or unattested individuals to process CHD may have their merchant account revoked.
Merchant location personnel should also read and understand the Northwestern PCI DSS Compliance Policy.
Treasury Operations may require individual or group participation in additional PCI security awareness education training as needed.
(2) Third Party Service Provider (TPSP) engagement
NU Merchant locations or their representatives, including vendors and other TPSPs, may not enter into legally binding agreements with TPSPs that process or handle any type of CHD (Cardholder Data), or that interact in any other way with the CDE (Cardholder Data Environment), without prior NU vetting and approval by the appropriate offices, including but not limited to Treasury Operations, NU IT Security and Compliance, the NU Office of General Counsel, and NU Purchasing. All agreements with TPSPs must include specific PCI DSS and liability shift language.
(3) System Vulnerability Scans
Merchants with non-P2PE, on-campus payment systems connected to the Internet are required to run vulnerability scans against their systems. Northwestern University’s contract with Trustwave includes external vulnerability scans that are scheduled on the TrustKeeper Portal; scan reports are posted on the TrustKeeper Portal as well. It is the responsibility of the Merchant to review the scans and address any vulnerabilities that have been identified. Failure to address identified vulnerabilities can result in the Merchant location, as well as the entire University, falling out of compliance. Merchants with PCI-validated P2PE payment systems are not required to run scans.
(4) System Penetration Testing
Northwestern University is now a PCI Level 3 Merchant based upon recent card processing metrics, and NU Merchants with non-P2PE, on-campus payment systems connected to the Internet are now required to have internally conducted penetration testing performed at least quarterly. Since this service is not currently a part of our Trustwave contract, arrangements need to be made by e-Commerce Operations and NU IT Security and Compliance, coordinated with Merchant onsite Administrators and IT staff. Failure to cooperate with this mandatory requirement may result in your Merchant account being revoked. Merchants with PCI-validated P2PE payment systems are not required to run penetration tests.
(5) Periodic Reviews and Audits
Treasury Operations and Northwestern’s PCI DSS partners or consultants may perform periodic reviews or audits of merchant location operations to ensure that merchants comply with PCI DSS and the University's risk is reduced. Failure to cooperate with such activities may result in merchant account usage being revoked.
Merchant locations should also routinely review their procedures and equipment, including physically inspecting card processing equipment to ensure devices have not been substituted or tampered with. The Merchant Location Device Inspection Log can be used to record these inspections.
Please contact ccard@northwestern.edu with questions or to request assistance.
(6) Annual PCI SAQ (Self-Assessment Questionnaire)
All Northwestern University merchant locations are required to validate PCI DSS compliance at least annually by completing the appropriate SAQ in a timely manner. A questionnaire must be completed for each Merchant account, and a new questionnaire must be filled out whenever any of the following have occurred:
- payment processing system changes
- a year has elapsed since your last SAQ
- Treasury Operations requests one
The SAQ should be completed through the TrustKeeper Portal which is available in the CardConnect CardPointe gateway.
There are 8 types of SAQ. Treasury Operations or Arrow Payments can help determine which type is required for your merchant location environment:
| SAQ Type | Type of Payment System |
|---|---|
| SAQ A | Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels. |
| SAQ A-EP | Card-not-present e-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels. |
| SAQ B | Merchants using only imprint machines with no electronic cardholder data storage and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| SAQ B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| SAQ C | Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| SAQ C-VT | Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. |
| SAQ D | All other SAQ-eligible merchants. |
| SAQ P2PE-HW | Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
Resources: