All credit card merchants must comply with the data security standards set by the Payment Card Industry. If you process, store, or transmit credit card data, then the Payment Card Industry (PCI) requirements apply to you. PCI requirements apply to all credit card transactions. Adherence to the PCI requirements is mandatory throughout the year; therefore, you need to continuously assess your operations and fix any vulnerability that could potentially cause a credit card data breach.

Every merchant is required to complete a Self-Assessment Questionnaire (SAQ) packet each calendar year for submission and review by OSU’s Qualified Security Assessor (QSA). PCI data security documents are completed and loaded into the QSA online system for compliance review and compilation of the overall OSU report. Any merchant’s failure to comply and remedy security deficiencies affects the ability of the entire university to securely process credit card payments. Note: OSU Purchasing cards are not included in this security assessment.

Annual Self-Assessment Questionnaire (SAQ)

Merchant Managers are provided access to CampusGuard's portal for their annual SAQ submission. Merchants receive email notification on the SAQ update process and are to follow the six-step process below.

NOTE: PCI 4.0 compliance requirements are effective March 31, 2024. The SAQ form v3.2.1 will continue to be used in 2023 and will change to the SAQ form v4.0 in 2024.

1. Receive the SAQ support packet materials for the SAQ form(s) you are required to complete. SSO login instructions for the QSA online system will be included in the notification email, if applicable.

2. All staff working with credit card data are expected to complete annual security training and provide a copy of the completion certificate. This training can be found on Bridge.

3. Complete the SAQ Cover Page. Every merchant is encouraged to fill out this page and upload with Merchant Manager and FSS signatures.

4. Complete your SAQ form online using the guide in the packet materials. Treasury staff are available to assist with the SAQ form; an appointment is required when a merchant manager is using the portal for the first time.

When filling out your SAQ you might need additional information. Below is a table of links with a short explanation of what each one is for.

Link | Description
PCI DSS Quick Reference Guide v3.2.1 | The official PCI reference guide, with general information about PCI.
PCI: Glossary | A PDF glossary of terms, abbreviations, and acronyms.
Payment Security Educational Resources | The official PCI website's educational resources.
PCI DSS Skimming Prevention: Best Practices for Merchants | A PDF explaining best practices for skimming prevention.
OSU Fiscal Policy Program 03-110-212: e-Commerce | OSU's e-commerce policy.
University Policy 08-105: University Data Management, Classification and Incident Response | OSU's University Data Management, Classification and Incident Response Policy 08-105.
OSU Cash Handling Handbook | OSU's Cash Handling Handbook, which includes credit card payments.
OSU Fiscal Policy Manual | OSU's Fiscal Operations Manual.
Oregon Accounting Manual - Credit Card Acceptance for Payment | The Oregon Accounting Manual (PDF).
Oregon State Treasury Cash Management Manual | The State of Oregon Treasury Cash Management Manual.
Third-Party Security Assurance | Recommendations for meeting PCI DSS requirement 12.8 to ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner. A sample PCI DSS Responsibility Matrix can be found in Appendix B.
Roles & Responsibilities for University PCI Compliance Efforts | OSU's merchant processing roles and responsibilities for PCI DSS compliance efforts.

5. Add Policies and Procedures and Other Supporting Evidence. All PCI DSS submissions must include policies and procedures as evidence. Some SAQ submissions may require additional evidence. Evidence requirements are described in the OSU-specific SAQ packet.

6. Sign/Submit and upload documents to your CampusGuard Locker. Once the SAQ is electronically signed and finalized, a PDF version is stored in the locker. Your Cover Page, policies and procedures, training certificates, and other supporting evidence can be combined into a single document before submission or loaded individually.

In years prior to 2022, documentation was managed through Box. These folders are still available; however, as the university works through the Merchant Card assessment and modernization project, expected to be completed in late 2024, historical documents will be removed from Box and will only be available upon request. If you use this resource and need assistance with managing your materials, please reach out to Treasury@oregonstate.edu.