University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C


All university merchant departments accepting credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS), which is intended to ensure the safe handling of cardholder data. To validate PCI DSS compliance, a self-assessment questionnaire (SAQ) must be completed for each merchant ID assigned by the university's merchant acquirer (e.g., Global Payments). A completed SAQ is required annually. It is the responsibility of the merchant department to complete the questionnaire when due.

There are five different versions of the SAQ. The required SAQ for a merchant depends on the manner in which credit cards are processed.

Category: SAQ A
Description: For card-not-present merchants where all cardholder data functions are outsourced. There are no face-to-face transactions.
Examples: TouchNet Marketplace e-commerce (uPay, uStore) or Bill+Pay.

Category: SAQ B
Description: For merchants using imprint machines or standalone dial-up terminals connected by phone line. There must be no electronic cardholder data storage.
Examples: Verifone VX570 connected only to a phone line.

Category: SAQ C
Description: For merchants with payment applications connected to the internet. There must be no electronic cardholder data storage and no connection to other systems.
Examples: Point-of-sale systems with card-present, face-to-face transactions where the cardholder data environment is isolated; Verifone VX570 connected to the internet.

Category: SAQ C-VT
Description: For merchants using only web-based virtual terminal applications.
Examples: TouchNet Payment Gateway Single Authorizations, or office entry on behalf of others using self-service solutions.

Category: SAQ D
Description: All other merchants not included above.
Examples: Point-of-sale systems with card-present, face-to-face transactions where the cardholder data environment is not isolated from other functions.
To obtain a copy of the SAQs and the PCI DSS, visit this web site: https://www.pcisecuritystandards.org/security_standards/index.php

Before beginning your SAQ, please read the following documents:

The PCI Data Security Standard: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Instructions and Guidelines provided by the PCI Security Standards Council: https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.1.pdf

This guide is for merchant departments that process credit card transactions using credit card terminals connected to the internet, or a point-of-sale (POS) system that is isolated and not connected to any other systems. In order to use this guide to complete SAQ C for your merchant, all of the following criteria must be met:

- Your department has a payment application system and an Internet connection on the same device;
- The payment application/internet device is not connected to any other systems within the merchant environment;
- The merchant store is not connected to other store locations, and any LAN is for a single store only;
- Your department does not store cardholder data in electronic format;
- If your department does store cardholder data, such data is only in paper reports or paper copies of receipts and is not received electronically; and
- Your department's payment application vendor uses secure techniques to provide remote support to your payment system.

TrustKeeper Log-in

If your merchant processes transactions consistent with the SAQ C requirements, you must log in to TrustKeeper to complete your SAQ. Log in to TrustKeeper at trustkeeper.net. Contact your campus credit card coordinator to obtain your user ID and password.

TrustKeeper Home Page

From the TrustKeeper home page, click on Learn about the Program to obtain the Getting Started Guide with instructions on how to proceed. Follow the instructions to complete your merchant profile and SAQ. More specific instructions or information that you might need is available later in this document. Click on the Merchant Profile link to edit/complete the Merchant Profile.

Merchant Profile

Your merchant profile may indicate a complete status when you first log in. If you have not already done so, you should verify the Merchant Profile information, correct the answers if necessary, and save. To see the help text for a question, click on the question mark that follows each question. If you are uncertain about an answer to a question, contact your campus credit card coordinator.

Click Save on the final page to save your profile and return to the home page.

Edit Compliance Questionnaire

From the home page, click on Edit Compliance Questionnaire to begin the SAQ.

SAQ Selection

Click on the Edit Compliance Questionnaire link to complete the SAQ. SAQ 2.0 Form C should already be selected. If it is not, review the merchant profile and check your answers. Click Begin to go to the SAQ questions.

Completing the SAQ

When you log in for the first time, you may find that some of the questions have already been completed. You should review all of the questions and answers by clicking on the All Questions tab. Information you may need about each question is contained in the remaining pages of this guide.

An Administrative Practice Letter (APL) IV-F Credit/Debit Card Standards has been issued by the University of Maine System Office of the Treasurer to create standards for credit and debit card processing. You may want to reference that APL as you complete your SAQ. You can find it on the web at: http://www.maine.edu/pdf/aplcreditdebitcardstandards.pdf

Eligibility Criteria

Answer all eligibility questions. You are certifying your eligibility to complete SAQ C.

Merchant has a payment application system and an Internet or public network connection on the same device and/or same local area network (LAN). Answer TRUE if the device or system used to process credit card payments is connected to the internet.

The payment application system/internet device is not connected to any other system within the merchant environment. Answer TRUE only if your terminal, computer or system used for processing credit card payments is connected to your campus PCI Compliant Network and has access only to the internet site(s) required for processing payments and related activity.

Merchant store is not connected to other store locations, and any LAN is for a single store only. Answer TRUE if the network your payment device uses serves your location only and is not connected to other store locations.

Merchant does not store any cardholder data in electronic format. APL IV-F Credit/Debit Card Standards states that electronic storage of cardholder data on any University computer is prohibited. If your device or system complies, answer TRUE.

If Merchant does store cardholder data, such data is only in paper reports or copies of receipts and is not received electronically. Merchant departments must not send or receive cardholder data electronically and must comply with all PCI DSS requirements for storage of cardholder data. Answer TRUE if you comply with that requirement.

Merchant's payment application software vendor uses secure techniques to provide remote support to merchant's payment application system. If your system vendor provides remote support to your system, they should log in using an account that is enabled only when necessary, with two-factor authentication and encryption. Answer TRUE if your vendor uses these secure techniques, or if you have no remote vendor support.

If you are unable to answer all questions as TRUE, SAQ C is not the correct questionnaire.
The remaining questions must all be answered YES or Not Applicable (N/A) for your merchant to be PCI DSS compliant and to pass the SAQ. All N/A answers must be explained in the comments section for that question. If you are unable to answer YES or N/A you likely need to make some changes in your credit card processing.
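The eligibility condition that the payment device reaches only the Internet sites required for processing, and the Firewall Configuration questions later in this guide, both come down to the same three properties: an explicit default deny, stateful inspection, and outbound traffic allowed only to documented destinations. The following is an added example, not part of this guide and not a description of how the campus PCI Compliant Network is configured. It assumes a Linux-based payment host running nftables; it renders a host ruleset from a documented allowlist and audits any ruleset of that shape for those properties. The addresses come from documentation ranges and are placeholders, not real processor endpoints.

```python
"""Host firewall for an isolated payment device, generated from a documented allowlist.

Added example; not part of the University of Maine System guide. Assumes a
Linux payment host with nftables. build_ruleset() renders a ruleset from the
list of authorized destinations (the documentation SAQ 1.2.1.a asks for) and
audit_ruleset() checks a ruleset of that shape for explicit default deny
(1.2.1.b), stateful inspection (1.3.6), no new inbound connections (1.3.3)
and outbound allowed only to named destinations (1.3.5).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Destination:
    purpose: str        # business justification, kept with the rule as its documentation
    host: str           # IPv4 address of the authorized endpoint (placeholder)
    port: int
    proto: str = "tcp"


# Constructed allowlist: the only new outbound connections the payment host may open.
AUTHORIZED_OUTBOUND = (
    Destination("payment gateway authorizations", "203.0.113.10", 443),
    Destination("campus DNS resolver", "192.0.2.53", 53, "udp"),
    Destination("campus NTP", "192.0.2.123", 123, "udp"),
)

STATEFUL_ACCEPT = "ct state established,related accept"


def build_ruleset(dests=AUTHORIZED_OUTBOUND) -> str:
    """Render an nftables ruleset (load with `nft -f`) for the payment host."""
    lines = [
        "table inet cde {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",    # explicit deny-all (1.2.1.b)
        "    iif lo accept",
        f"    {STATEFUL_ACCEPT}",                                  # replies only (1.3.6)
        "    ct state invalid drop",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",  # the host never routes
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",   # outbound needs authorization (1.3.5)
        "    oif lo accept",
        f"    {STATEFUL_ACCEPT}",
    ]
    for d in dests:
        lines.append(f"    # {d.purpose}")
        lines.append(f"    ip daddr {d.host} {d.proto} dport {d.port} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def _chains(ruleset: str) -> dict[str, list[str]]:
    """Split a ruleset of the shape above into {chain name: [rule lines]}."""
    chains: dict[str, list[str]] = {}
    current = None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line and line != "}" and not line.startswith("#"):
            chains[current].append(line)
    return chains


def _loopback_or_reply(rule: str) -> bool:
    return rule.startswith(("iif lo", "oif lo")) or rule.startswith(STATEFUL_ACCEPT)


def audit_ruleset(ruleset: str) -> list[str]:
    """Findings against the SAQ C firewall questions; an empty list means the ruleset passes."""
    findings = []
    chains = _chains(ruleset)
    for name in ("input", "forward", "output"):
        if not any("policy drop;" in r for r in chains.get(name, [])):
            findings.append(f"{name}: no explicit default-deny policy (SAQ 1.2.1.b)")
    inbound = chains.get("input", [])
    if not any(r.startswith(STATEFUL_ACCEPT) for r in inbound):
        findings.append("input: no stateful rule, replies are not distinguished from new connections (SAQ 1.3.6)")
    for r in inbound:
        if r.endswith("accept") and not _loopback_or_reply(r):
            findings.append(f"input: accepts new inbound connections: '{r}' (SAQ 1.3.3)")
    for r in chains.get("output", []):
        if r.endswith("accept") and not _loopback_or_reply(r) and ("daddr" not in r or "ct state new" not in r):
            findings.append(f"output: allow rule not tied to an authorized destination: '{r}' (SAQ 1.3.5)")
    return findings


# Constructed counterexample: the permissive state a vendor install often leaves behind.
WEAK_RULESET = """\
table inet cde {
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport 22 accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
    accept
  }
}
"""

if __name__ == "__main__":
    print(build_ruleset())
    print("generated ruleset findings:", audit_ruleset(build_ruleset()))
    print("weak ruleset findings:", *audit_ruleset(WEAK_RULESET), sep="\n  ")
```

The host ruleset complements the campus perimeter firewall rather than replacing it: SAQ #1.3.3 (no direct connections between the Internet and the cardholder data environment) is a property of the network path, which is why the guide tells you to answer those questions YES only when the device sits on the campus PCI Compliant Network. Keeping the business justification in the `Destination` record is what turns the allowlist into the documentation SAQ #1.2.1.a asks for.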

Firewall Configuration

Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows? Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment, and are the restrictions documented? (SAQ #1.2.1.a) If your system is connected to the campus PCI Compliant Network, answer YES.

Is all other inbound and outbound traffic specifically denied (for example by using an explicit "deny all" or an implicit deny after allow statement)? (SAQ #1.2.1.b) If your system is connected to the campus PCI Compliant Network, answer YES.

Are perimeter firewalls installed between any wireless networks and the cardholder data environment, and are these firewalls configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment? (SAQ #1.2.3) If your system is connected to the campus PCI Compliant Network, answer YES.

Does the firewall configuration prohibit direct public access between the Internet and any system component in the cardholder data environment as follows?

Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment? (SAQ #1.3.3)

Is outbound traffic from the cardholder data environment to the Internet explicitly authorized? (SAQ #1.3.5)

Is stateful inspection, also known as dynamic packet filtering, implemented (that is, only established connections are allowed into the network)? (SAQ #1.3.6)

For SAQ #1.3.3, #1.3.5 and #1.3.6, answer YES if your system is connected to your campus's secure PCI Compliant Network. These YES answers rely on the controls campus IT maintains on that network; if your device is on a departmental or general-purpose network instead, they are not supported, and you should contact your campus credit card coordinator.

System Settings

Are vendor-supplied defaults always changed before installing a system on the network? Vendor-supplied defaults include but are not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts. (SAQ #2.1) Each user should be using an individual account provided specifically to that user. Ensure that no vendor-provided default settings are used. Answer YES only if you follow those practices.

For wireless environments connected to the cardholder data environment or transmitting cardholder data, are defaults changed as follows:

Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions? (SAQ #2.1.1.a) Wireless devices should not be used to process cardholder data, and the device you use should not have wireless access enabled. Answer: Not Applicable. Comments: Wireless devices are not permitted at this time.

Are default SNMP community strings on wireless devices changed? (SAQ #2.1.1.b) The device you use for payment processing should not have wireless access enabled. Answer: Not Applicable. Comments: Wireless devices are not permitted at this time.

Are default passwords/passphrases on access points changed? (SAQ #2.1.1.c) The device you use for payment processing should not have wireless access enabled. Answer: Not Applicable. Comments: Wireless devices are not permitted at this time.

Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks? (SAQ #2.1.1.d) The device you use for payment processing should not have wireless access enabled. Answer: Not Applicable. Comments: Wireless devices are not permitted at this time.

Are other security-related wireless vendor defaults changed, if applicable? (SAQ #2.1.1.e) The device you use for payment processing should not have wireless access enabled. Answer: Not Applicable. Comments: Wireless devices are not permitted at this time.

Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device's specified function are disabled)? (SAQ #2.2.2a) Answer YES if the personal computer(s) used for payment processing have been customized by your IT administrator to include only the services and accounts needed for the authorized payment activities.

Is all non-console administrative access encrypted as follows? (Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.) (SAQ #2.3)

Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator's password is requested? (SAQ #2.3a)

If a vendor or third party accesses your system to modify the software configuration, the connection must use methods that encrypt all traffic. If you have such access, verify that encryption is used and answer YES. If no such access is used to modify the configuration of your system, answer N/A and add the comment: Non-console administrative access is not used.

Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (SAQ #2.3b) Vendor implementation guidelines must ensure insecure protocols cannot be used for remote logins.

Is administrator access to web-based management interfaces encrypted with strong cryptography? (SAQ #2.3c) Ensure the https: prefix appears on all URLs when using any web-based interfaces.

Stored Data Protection

If sensitive authentication data is received and deleted, are processes in place to securely delete the data to verify that the data is unrecoverable? (SAQ #3.2b) Magnetic stripe cardholder data or card validation values (CVV) must not be stored for any reason. Answer YES if the answers to the three questions that follow (SAQ #3.2.1 through #3.2.3) are YES or N/A.

Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted)? (SAQ #3.2c)

The full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere) are not stored under any circumstance? This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. (SAQ #3.2.1) Answer YES if your system does not store any contents of the magnetic stripe from the back of the card.

The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstance? (SAQ #3.2.2) Answer YES if your system does not store card validation codes when entered for card-not-present activity. If your system is not used for card-not-present transactions, answer N/A and add the comment: Card present activity only.

The personal identification number (PIN) or the encrypted PIN block are not stored under any circumstance? (SAQ #3.2.3) Answer YES if you accept debit cards and your system does not store personal identification numbers (PINs) from debit card transactions, or answer N/A and add the comment: Debit cards not accepted.

Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed)? (SAQ #3.3)

Verify that your system masks the display of the card number on screen and on printed reports or receipts. Answer: YES.

Transmitted Data Protection

Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (SAQ #4.1.a) Answer YES if you have confirmed that your payment applications use strong cryptographic protocols for all transmission of cardholder data. The application vendor will provide guidelines for proper implementation. For web-based applications, the https: prefix must precede all URLs to indicate that encryption is being used to protect the transmission of your sensitive information, including cardholder data.

Are only trusted keys and/or certificates accepted? (SAQ #4.1.b) The application vendor will provide guidelines for proper implementation. For example, with SSL/TLS implementations, certificates must be signed by a trusted Certificate Authority. Your browser has a built-in mechanism to accept only trusted certificates. Answer YES only if you NEVER accept certificates that your web browser warns could be invalid (e.g., expired, self-signed, or issued for the wrong hostname). Such a warning can be a sign of malicious activity, such as an attacker intercepting the connection.

Are security protocols implemented to use only secure configurations? (SAQ #4.1.c) Answer YES if you have confirmed that your payment applications are configured to use only strong cryptographic protocols for all transmission of cardholder data. The application vendor will provide guidelines for proper implementation. Note that SSL (all versions) and early TLS (1.0) have since been found to have serious weaknesses and are no longer considered strong cryptography under later versions of PCI DSS; confirm with your vendor that the application uses TLS 1.2 or higher.

Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? (SAQ #4.1.d) Answer YES if you have confirmed that your payment applications use strong cryptographic protocols for all transmission of cardholder data. The application vendor will provide guidelines for proper implementation.
For SSL/TLS implementations (SAQ #4.1.e): Does HTTPS appear as part of the browser Uniform Resource Locator (URL)? Is cardholder data required only when HTTPS appears in the URL?

Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (SAQ #4.1.1) Answer: Not Applicable. Comments: Wireless devices are not permitted at this time.
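The stored-data questions above (SAQ #3.2.1 through #3.3) are answered by inspection, and the quickest way to check what a payment PC actually writes to disk is to search its receipts, reports and log files. The following is an added example, not part of this guide and not part of any vendor's software: a PAN masking function that follows the SAQ #3.3 rule, and two scans that report full PANs, track 2 data, or a stored card verification code found in a text file. The log it runs over is a constructed sample built from published test card numbers, not real cards.

```python
"""PAN masking and a scan for unmasked PANs or sensitive authentication data.

Added example; not part of the University of Maine System guide. mask_pan()
applies the SAQ 3.3 display rule (at most the first six and last four digits
shown). find_unmasked_pans() and find_sensitive_auth_data() are checks to run
over receipts, reports and log files the payment system writes, which under
SAQ 3.2 must contain no full PAN, no track data and no card verification code.
"""
from __future__ import annotations

import re

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# A card verification code stored beside its field label
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check; every real PAN passes it, which keeps phone numbers and order IDs out of the results."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Return the PAN with at most the first six and last four digits visible (SAQ 3.3)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    if not (0 <= lead <= 6 and 0 <= trail <= 4):
        raise ValueError("SAQ 3.3 allows at most the first six and last four digits")
    hidden = "*" * (len(digits) - lead - trail)
    return digits[:lead] + hidden + digits[len(digits) - trail:]


def find_unmasked_pans(text: str) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every full Luhn-valid PAN; the report itself never holds a full PAN."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


def find_sensitive_auth_data(text: str) -> list[tuple[int, str]]:
    """(line number, kind) for stored track 2 data (SAQ 3.2.1) or a card verification code (SAQ 3.2.2)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if TRACK2.search(line):
            hits.append((lineno, "track2"))
        if CVV_FIELD.search(line):
            hits.append((lineno, "cvv"))
    return hits


# Constructed sample of what a payment application's log might contain (test card numbers only).
SAMPLE_LOG = """\
2012-03-14 10:02:11 AUTH approved card=411111******1111 amount=42.00 ref=1234567890123
2012-03-14 10:05:48 DEBUG raw request pan=4111111111111111 cvv=123 exp=0314
2012-03-14 10:06:02 AUTH approved card=5500 0000 0000 0004 amount=15.50
2012-03-14 10:07:30 INFO callback phone=2075551234567 order=9876543210987654
2012-03-14 10:09:01 DEBUG swipe data=;5500000000000004=14031010000012345?
"""

if __name__ == "__main__":
    print("unmasked PANs:", find_unmasked_pans(SAMPLE_LOG))
    print("sensitive authentication data:", find_sensitive_auth_data(SAMPLE_LOG))
```

Line 1 of the sample is what a compliant log looks like; the masked number is never reported, and the 13-digit reference number fails the Luhn check and is ignored. Lines 2 and 5 are the cases SAQ #3.2 forbids: a debug line holding the full PAN with its verification code, and a raw swipe with track 2 data. A vendor's "debug" or "verbose" logging switch is the usual source of both, so run a scan like this after any configuration change, not only once a year.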
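The checks in SAQ #4.1.b through #4.1.d are usually settled by asking the vendor, but where the payment client is something your IT administrator can inspect, the settings are concrete. The following is an added example, not part of this guide and not any vendor's configuration; it shows, using Python's standard ssl module, the client settings that satisfy those three questions beside the "make the certificate warning go away" settings that fail them, and an audit that reports each failure mode: untrusted certificates accepted, hostname unchecked, SSL or early TLS allowed, and weak cipher suites enabled.

```python
"""TLS client settings for a web-based payment application (SAQ 4.1.b through 4.1.d).

Added example; not part of the University of Maine System guide and not the
configuration of any particular vendor's application. hardened_context() is
what a payment client should use; weak_context() is the counterexample;
audit_context() reports what a context gets wrong.
"""
from __future__ import annotations

import ssl

# Substrings of OpenSSL cipher names that mark suites no longer considered strong
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "NULL", "MD5", "EXPORT")


def hardened_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 3.0, TLS 1.0 and TLS 1.1 are not strong cryptography
    # Forward-secret AEAD suites only; TLS 1.3 suites are managed by OpenSSL separately.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def weak_context() -> ssl.SSLContext:
    """The settings that silence certificate warnings; every one of them fails a 4.1 question."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # a valid certificate for any other site is accepted
    ctx.verify_mode = ssl.CERT_NONE               # self-signed, expired or attacker-issued certificates accepted
    if ssl.HAS_TLSv1:                             # lower the floor only where the library still builds TLS 1.0
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings against SAQ 4.1.b-4.1.d; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled: untrusted certificates accepted (SAQ 4.1.b)")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a certificate issued for another site is accepted (SAQ 4.1.b)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2: SSL/early TLS permitted (SAQ 4.1.c)")
    weak = [c["name"] for c in ctx.get_ciphers() if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append(f"weak cipher suites enabled: {', '.join(weak[:3])} (SAQ 4.1.d)")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_context()))
    print("weak:", *audit_context(weak_context()), sep="\n  ")
```

For a browser-based virtual terminal the equivalent of `verify_mode = CERT_REQUIRED` and `check_hostname = True` is the rule the guide already gives: never click through a certificate warning. For a vendor-supplied application, the useful question to put to the vendor is which of these four settings its client enforces, since a client that accepts any certificate makes the https: prefix meaningless.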

Are policies in place that state that unprotected PANs are not to be sent by end-user messaging technologies (for example, e-mail, instant messaging, chat)? (SAQ #4.2.b) APL IV-F Credit/Debit Card Standards prohibits the use of such messaging technologies for sending or receiving credit card data. Answer: YES.

Anti-Virus Protection

Is anti-virus software deployed on all systems commonly affected by malicious software? (SAQ #5.1) Verify that your system has the appropriate anti-virus software installed. Answer: YES.

Are all anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (SAQ #5.1.1) Verify that your system has the appropriate anti-virus software installed. Answer: YES.

Is all anti-virus software current, actively running, and generating audit logs as follows:

Does the anti-virus policy require updating of anti-virus software and definitions? (SAQ #5.2.a) Answer YES, as this is a requirement of the Credit/Debit Card Standards APL.

Is the master installation of the software enabled for automatic updates and scans? (SAQ #5.2.b) Confirm with your IT administrators that automatic updates and scans are required by the default installation procedures. Answer: YES.

Are automatic updates and periodic scans enabled? (SAQ #5.2.c) Answer YES if you have confirmed these are enabled. Check the settings of your anti-virus software to confirm this is true.

Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (SAQ #5.2.d) Answer YES if you have confirmed audit logs are generated for all anti-virus activities. Check your anti-virus settings to confirm that logs are not being deleted sooner than one year (Requirement 10.7 calls for at least one year of history, with a minimum of three months immediately available for analysis) and that you have sufficient disk space where the logs are being stored.

Application and Systems Security

Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed? (SAQ #6.1.a) Verify that the latest security patches are installed for your system components (e.g., Windows, Internet Explorer). Answer: YES.

Are critical security patches installed within one month of release? (SAQ #6.1.b) Verify that security patches for your system components are installed regularly (e.g., Windows, Internet Explorer). Answer: YES.

Access Restrictions

Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:

Are access rights for privileged user IDs restricted to the least privileges necessary to perform job responsibilities? (SAQ #7.1.1) APL IV-F Credit/Debit Card Standards requires access limitations for paper documentation containing cardholder data and restrictions on devices or databases involved in processing, storing or communicating cardholder data. Access to systems or paper documentation must be limited to only the privileges required to perform necessary job responsibilities. Answer: YES.

Are privileges assigned to individuals based on job classification and function (also called "role-based access control" or RBAC)? (SAQ #7.1.2)

Account Security

Is two-factor authentication incorporated for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties? (SAQ #8.3)

Are proper user identification and authentication management controls in place for non-consumer users and administrators on all system components, as follows:

Are accounts used by vendors for remote access, maintenance or support enabled only during the time period needed? (SAQ #8.5.6.a) If vendors access your system remotely to provide maintenance, verify that the accounts used for access are enabled only as needed and answer YES. If your vendor does not access your system remotely, answer N/A and add the comment: No remote vendor access.

Are vendor remote access accounts monitored when in use? (SAQ #8.5.6.b) If vendors access your system remotely to provide maintenance, verify that their activity is monitored while the account is in use and answer YES. If your vendor does not access your system remotely, answer N/A and add the comment: No remote vendor access.

Physical Access Controls

Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? (SAQ #9.6)

APL IV-F Credit/Debit Card Standards prohibits electronic storage of cardholder data. Verify that any paper media that contains cardholder data is properly destroyed once the transaction is complete or is physically secured. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data? (SAQ #9.7.a) APL IV-F Credit/Debit Card Standards prohibits electronic storage of cardholder data. Verify that proper controls are used if paper documents containing cardholder data are handled. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Do controls include the following:

Is the media classified so the sensitivity of the data can be determined? (SAQ #9.7.1) APL IV-F Credit/Debit Card Standards states that when documents containing cardholder data are moved from one place to another, they must be clearly marked as confidential information. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Is the media sent by secured courier or other delivery method that can be accurately tracked? (SAQ #9.7.2) APL IV-F Credit/Debit Card Standards states that when documents containing cardholder data are moved from one place to another, they must be delivered personally or by a trackable courier service. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Are logs maintained to track all media that is moved from a secured area, and is management approval obtained prior to moving the media (especially when media is distributed to individuals)? (SAQ #9.8)

APL IV-F Credit/Debit Card Standards requires that, if paper media exists with cardholder information, movement or transfer of that media must be approved by management. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Is strict control maintained over the storage and accessibility of media that contains cardholder data? (SAQ #9.9) APL IV-F Credit/Debit Card Standards requires that stored media must be kept in a locked file. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Is media containing cardholder data destroyed when it is no longer needed for business or legal reasons? (SAQ #9.10) APL IV-F Credit/Debit Card Standards states that paper documents containing cardholder data should be kept only for as long as required for completion of the transaction. If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Is destruction performed as follows?

Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed? (SAQ #9.10.1.a)

Are containers that store information to be destroyed secured to prevent access to the contents? (For example, a "to-be-shredded" container has a lock preventing access to its contents.) (SAQ #9.10.1.b)

APL IV-F Credit/Debit Card Standards requires that destruction of any paper documents containing cardholder data must be done in such a way as to make reconstruction of the data impossible (e.g., cross-cut shredder, incineration). If proper procedures are in place, answer YES. If paper documents containing cardholder data are never created in the payment process, answer N/A and add the comment: No media is created containing cardholder data.

Monitoring and Testing

Is a documented process implemented to detect and identify wireless access points on a quarterly basis? (SAQ #11.1.a)

Confirm with System or Campus IT that they have documented the process they will use each quarter to evaluate the wireless environment in the area of your payment devices. Answer YES if the requirements in SAQ #11.1.b, c, d and e below are met.

Does the methodology detect and identify any unauthorized wireless access points, including at least the following (SAQ #11.1.b): WLAN cards inserted into system components; portable wireless devices connected to system components (for example, by USB, etc.); wireless devices attached to a network port or network device?

Is the process to identify unauthorized wireless access points performed at least quarterly for all system components and facilities? (SAQ #11.1.c)

If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), is monitoring configured to generate alerts to personnel? (SAQ #11.1.d)

Does the Incident Response Plan (Requirement 12.9) include a response in the event unauthorized wireless devices are detected? (SAQ #11.1.e)

Are internal and external network vulnerability scans run at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades) as follows?

Are quarterly internal vulnerability scans performed? (SAQ #11.2.1.a)

The Information Security Office will ensure these scans are performed and the results provided to you. If you are receiving these results as expected, answer YES.

Does the quarterly internal scan process include rescans until passing results are obtained, or until all "High" vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved? (SAQ #11.2.1.b)

Are internal quarterly scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? (SAQ #11.2.1.c)

If your internal vulnerability scans are being performed by your IT administrator or Information Security Office personnel, answer YES.

Are quarterly external vulnerability scans performed? (SAQ #11.2.2.a)

Do external quarterly scan results satisfy the ASV Program Guide requirements (for example, no vulnerabilities rated higher than a 4.0 by the CVSS and no automatic failures)? (SAQ #11.2.2.b)

If you are performing quarterly scans via TrustKeeper, answer YES. Note that the ASV Program Guide itself treats a finding with a CVSS base score of 4.0 or higher as failing, so a finding scored exactly 4.0 must be remediated and rescanned rather than treated as passing.

Are quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC)? (SAQ #11.2.2.c)

If you are performing quarterly scans via TrustKeeper, answer YES.

Are internal and external scans performed after any significant change (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)? (SAQ #11.2.3.a)

All significant changes to your payment environment must involve your IT administrators. If they are involved, they will ensure rescans are performed and results provided to you for remediation. Answer YES.

Does the scan process include rescans until (SAQ #11.2.3.b): for external scans, no vulnerabilities exist that are scored greater than a 4.0 by the CVSS; for internal scans, a passing result is obtained or all "High" vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved?

Are scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? (SAQ #11.2.3.c)

Answer YES if your internal scans are performed by your IT administrator or Information Security Office personnel AND your external scans are performed via TrustKeeper.

Security Policies and Procedures

Is a security policy established, published, maintained, and disseminated to all relevant personnel? (SAQ #12.1)

APL IV-F Credit/Debit Card Standards defines credit card security practices to comply with UMS Policy Section 901 Information Security and is required to be distributed to all employees involved in handling cardholder data. Answer: YES

Is the information security policy reviewed at least once a year and updated as needed to reflect changes to business objectives or the risk environment? (SAQ #12.1.3)

APL IV-F Credit/Debit Card Standards will be updated and distributed at least annually. Answer: YES

Are usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants [PDAs], e-mail, and Internet usage) developed to define proper use of these technologies for all personnel, and require the following?

Explicit approval by authorized parties to use the technologies? (SAQ #12.3.1)

Verify that personnel involved in payment card transactions understand that they are not authorized to use these devices in connection with payment card activities and must not attach such devices to payment card devices unless specifically authorized.

Authentication for use of the technology? (SAQ #12.3.2)

A list of all such devices and personnel with access? (SAQ #12.3.3)

All devices used in connection with payment card activities must be specifically identified.

Acceptable uses of the technologies? (SAQ #12.3.5)

APL IV-F Credit/Debit Card Standards states that UMS CISO approval is required for use of any wireless technologies in processing credit card data. Answer: YES

Acceptable network locations for the technologies? (SAQ #12.3.6)

Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity? (SAQ #12.3.8)

Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use? (SAQ #12.3.9)

Do the security policy and procedures clearly define information security responsibilities for all personnel? (SAQ #12.4)

Responsibilities for information security are defined in APL IV-F Credit/Debit Card Standards, APL VI-C Information Security and UMS Policy Section 901 Information Security. Answer: YES

Are the following information security management responsibilities formally assigned to an individual or team? Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations? (SAQ #12.5.3)

APL VI-C Information Security has established guidelines for incident response. Answer: YES
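The scan questions in the Monitoring and Testing section above (SAQ #11.2.1.b, 11.2.2.b and 11.2.3.b) state two different pass criteria: an external scan fails on any finding at or above CVSS 4.0 or any ASV automatic failure, while an internal scan fails on any finding the organization ranks "High" under Requirement 6.2. The following is an added example of applying those criteria to scan results and deciding whether a quarter's scan/rescan cycle is complete. It is illustrative code, not UMS or TrustKeeper tooling; the findings and hostnames in it are constructed, the `asv_auto_fail` flag is an assumed field in the scan export, and the "High" ranking used (CVSS 4.0 or above, or a vendor-critical patch, the criteria offered as examples in the 6.2 guidance) stands in for whatever ranking the organization has documented.

```python
"""Triage of quarterly scan findings against the pass criteria quoted in
SAQ C questions 11.2.1.b, 11.2.2.b and 11.2.3.b.

Added example, not UMS or TrustKeeper tooling.  All findings below are
constructed sample data, not output from a real scanner."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss_base: float               # CVSS base score as reported by the scanner
    vendor_severity: str = "none"  # vendor's rating of the related patch
    asv_auto_fail: bool = False    # flagged by the ASV as an automatic failure
                                   # (assumption: the scan export carries this flag)


def external_failures(findings: Iterable[Finding]) -> List[Finding]:
    """ASV Program Guide rule for external scans: a finding fails the scan when
    its CVSS base score is 4.0 or higher (4.0 itself fails), or when the ASV
    flags it as an automatic failure regardless of score."""
    return [f for f in findings if f.cvss_base >= 4.0 or f.asv_auto_fail]


def is_high_risk(f: Finding) -> bool:
    """Organization-defined 'High' ranking per Requirement 6.2.  This example
    uses the criteria the 6.2 guidance offers as examples (CVSS base score of
    4.0 or above, or a vendor-critical patch).  It is a separate function
    because an organization may document a different ranking."""
    return f.cvss_base >= 4.0 or f.vendor_severity.lower() == "critical"


def internal_failures(findings: Iterable[Finding]) -> List[Finding]:
    """Internal scan rule: a passing result requires every 'High' finding resolved."""
    return [f for f in findings if is_high_risk(f)]


def rescan_cycle_satisfied(
    rounds: Sequence[Sequence[Finding]],
    failures: Callable[[Iterable[Finding]], List[Finding]],
) -> Tuple[bool, List[Finding]]:
    """Evaluate the scan and rescan rounds recorded for one quarter, oldest first.
    'Rescan until passing' is met only when the most recent round is clean, so
    the latest round decides.  Returns (passed, findings still outstanding)."""
    if not rounds:
        return False, []          # no scan at all is not a passing quarter
    outstanding = failures(rounds[-1])
    return not outstanding, outstanding


# --- constructed sample data (not real scan output) -----------------------
# External (ASV) scan of an Internet-facing web server: round 1 fails on a
# CVSS 5.0 finding; the rescan after patching leaves only a CVSS 2.6 banner issue.
EXTERNAL_ROUNDS = [
    [
        Finding("web01.example.edu", "TLS 1.0 enabled", 5.0),
        Finding("web01.example.edu", "Server version disclosed in banner", 2.6),
    ],
    [
        Finding("web01.example.edu", "Server version disclosed in banner", 2.6),
    ],
]

# Internal scan of the payment terminal segment: round 1 has a CVSS 3.9 finding
# whose patch the vendor rates 'critical'.  It would pass the external CVSS
# threshold but is 'High' under the 6.2 ranking, so the internal scan fails.
INTERNAL_ROUNDS = [
    [
        Finding("pos-term-07.example.edu", "Vendor-critical firmware patch missing",
                3.9, vendor_severity="critical"),
        Finding("pos-term-07.example.edu", "ICMP timestamp response", 2.1),
    ],
    [
        Finding("pos-term-07.example.edu", "ICMP timestamp response", 2.1),
    ],
]


if __name__ == "__main__":
    for label, rounds, rule in (("external", EXTERNAL_ROUNDS, external_failures),
                                ("internal", INTERNAL_ROUNDS, internal_failures)):
        passed, left = rescan_cycle_satisfied(rounds, rule)
        print(f"{label}: {len(rounds)} round(s), passed={passed}, outstanding={len(left)}")
        for f in left:
            print(f"  remediate and rescan: {f.host} {f.title} (CVSS {f.cvss_base})")
```

The point the two rules make is that the external threshold alone is not the internal criterion: the terminal finding in the sample data scores below 4.0 yet still blocks an internal pass because the organization's 6.2 ranking treats vendor-critical patches as High. Keep every round's report for the quarter; the failing first round plus the clean rescan is the evidence the SAQ asks for.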

Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? (SAQ #12.6)

APL IV-F Credit/Debit Card Standards states that cardholder data security is a required part of the security awareness program for all employees. Answer: YES

If cardholder data is shared with service providers, are policies and procedures maintained and implemented to manage service providers, as follows:

Is a list of service providers maintained? (SAQ #12.8.1)

APL IV-F Credit/Debit Card Standards requires that a listing of all service providers be maintained; the listing is included as Appendix III. Answer: YES

Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess? (SAQ #12.8.2)

APL IV-F Credit/Debit Card Standards requires that such a written acknowledgement be obtained from service providers. Answer: YES

Is there an established process for engaging service providers, including proper due diligence prior to engagement? (SAQ #12.8.3)

APL IV-F Credit/Debit Card Standards requires that all new service providers involved in processing, transmitting or storing cardholder data be approved by the UMS CIO and CISO. Answer: YES

Is a program maintained to monitor service providers' PCI DSS compliance status at least annually? (SAQ #12.8.4)

APL IV-F Credit/Debit Card Standards requires service providers to provide evidence of PCI DSS compliance at least annually. Answer: YES

Confirmation and Acknowledgement

You must be able to answer every question YES (or N/A where this guide directs you to answer N/A with a comment) in order to have a passing SAQ.

PCI DSS Self-Assessment Questionnaire C, version 2.0 was completed according to the instructions therein. (SAQ #CA.1.C)

All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects. (SAQ #CA.2)

I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization. (SAQ #CA.3)

I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times. (SAQ #CA.4)

No evidence of magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data, or PIN data storage subsequent to transaction authorization was found on ANY systems reviewed during this assessment. (SAQ #CA.5)

Signature of Executive Officer: enter the full name of the merchant department contact or supervisor.

Title of Executive Officer: enter the title of the officer named above.

Submitting your SAQ

After you have answered all of the questions, submit your SAQ by clicking the Submit / Save button. From the home page, you can see your PCI status and expiration date at the top of the page. You will be notified when the expiration date approaches. You must complete an SAQ each year.

You can view or print your report by clicking the Report link. This is the report that will be submitted to the merchant acquirer as evidence of your PCI compliance. Notify your campus coordinator for credit card processing if you have completed your SAQ and your status does not show Compliant. You can view your compliance certificate by clicking the View Compliance Certificate link at the bottom of the page.