If you process, store, or transmit credit card data, then the Payment Card Industry (PCI) requirements apply to you. PCI requirements apply to all credit card transactions. While PCI Data Security documents must be completed each calendar year, adherence to the PCI requirements is mandatory throughout the year. OSU Purchasing cards are not included in this security assessment.

What do I have to do throughout the year?

Throughout the year, you need to continuously assess your operations and fix any vulnerability that could cause a credit card data breach. You can find best practices in the “expected testing” section of your Self-Assessment Questionnaire (SAQ). For more on which SAQ is right for you, see the "Which SAQ do I need to fill out?" page.

The SAQ is due. What now?

You will receive an e-mail notifying you when the SAQs are due. Once you receive this e-mail, follow the four-step process below:

  1. Check the Status Report:

    The PCI DSS Status Report contains all important information about OSU merchants. If you are missing any information about your merchant, please review the OSU: PCI DSS Status Report. If any of the information on this report is incorrect, please let us know at BusinessOpsIT@oregonstate.edu. Because this document contains sensitive information, it is password protected. Please log in with your ONID to view the documents. If you are a new merchant completing your first packet, which is due within 30 days of receiving the MID, skip this step.

  2. Complete the SAQ Cover Page:

    Every merchant has to fill out this page and get it signed by the Merchant Manager. Please visit the "How to fill out the SAQ cover page" page to find everything you need to fill out the SAQ cover page.

  3. Complete your SAQ:

    Every merchant on campus needs to fill out an SAQ. To learn which SAQ you have to fill out, please visit the "Which SAQ do I need to fill out?" page. Please visit the "How to fill out my SAQ?" page for OSU-specific instructions on how to fill it out.

  4. Add Policies and Procedures and Other Supporting Evidence:

    All PCI DSS submissions must include policies and procedures as evidence. Some SAQ submissions may require additional evidence. Evidence requirements are described in the OSU-specific SAQ instructions.

  5. Sign and Submit:

    Once the SAQ Cover Page and the SAQ are completed, please sign and scan them, then submit them along with your Policies and Procedures via the Final PCI DSS SAQ Submission webform. The Cover Page, SAQ, policies and procedures, and other supporting evidence should be combined into a single document before submission.

Need more information?

If you need more information on any of the topics above, please visit the "SAQ Supporting Documents" page.