Payment Card PCI DSS Compliance SAQ-A Training
Accounts Receivable Services, Controller's Office, 7/1/2012

SAQ Training

At the conclusion of this training, merchant managers should be able to do the following:
Understand the scope of your cardholder data environment
A breach or compromise of payment card data has far-reaching consequences, such as:
The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool that allows merchants to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The SAQ consists of two primary components:
SAQs come in several forms, selected by how a merchant processes, transmits and stores cardholder data. Most University accounts use an SAQ-A, SAQ-B or SAQ-D.
Completion of the SAQ is required annually by our acquiring bank and the card brands.
Build and Maintain a Secure Network
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5: Use and regularly update anti-virus software
6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7: Restrict access to cardholder data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
Regularly Monitor & Test Networks
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
Maintain an Information Security Policy
12: Maintain a policy that addresses information security
The SAQ-A addresses Requirements 9 and 12
The SAQ-B addresses Requirements 3, 4, 7, 9 and 12
The SAQ-D addresses all 12 Requirements
1. Determine the scope of the review. Go over your department's operations and systems with regard to accepting payment cards. This assessment of your "cardholder data environment" (every system, process and person that stores, processes or transmits cardholder data) helps you identify the correct scope for your review. Document the process you used to determine scope. Consider, for example:
2. Review unit payment card policy and procedures: take a look at your business process involving payment cards, from the point a card is accepted to the point the transaction is settled.
3. Complete Annually-Required University Forms
Required for all departments that have a University of Minnesota Payment Card Account.
Required for all employees involved in payment transactions who may have access to confidential cardholder data, including card numbers, expiration dates or demographic cardholder information.
(Form UM 1705) – SAQ-A only
Required for departments that outsource all cardholder data functions to an approved University of Minnesota on-line, hosted payment gateway, which the department manages through a password-protected website provided by the payment gateway service provider. This annual agreement sets out the requirements under which the department may access the password-protected website without establishing a secure desktop.
4. Completion of the SAQ & Attestation
If you meet all five eligibility requirements, you are eligible to complete the 13-question SAQ-A form.
1. Answer each question in your SAQ and SAVE it (the form does not auto-save responses).
2. Complete, print and sign the Attestation page; scan and save an electronic copy.
3. Email the completed SAQ and Attestation to firstname.lastname@example.org
All credit card numbers are entered by the customer on a website that ties directly to a third-party processor (such as Authorize.net), meaning your department has no access to credit card numbers at any point.
"There is no paper or electronic data. No data is received, stored, or processed locally."
Navigating PCI DSS: Understanding the Intent of the Requirements describes how and why the requirements are relevant to your payment card process.
Requirements & Security Assessment Procedures provides guidance for determining whether you have met a requirement.