If you process, store, or transmit credit card data, then the Payment Card Industry (PCI) requirements apply to you. PCI requirements apply to all credit card transactions. While PCI Data Security documents must be completed each calendar year, adherence to the PCI requirements is mandatory throughout the year. OSU Purchasing cards are not included in this security assessment.

What do I have to do throughout the year?

Throughout the year, you need to continuously assess your operations and fix any vulnerability which could potentially cause a credit card data breach. You can find best practices in the “expected testing” section of your Self-Assessment Questionnaire (SAQ).

The SAQ is due. What now?

You will receive an e-mail that notifies you when the SAQs are due. Once you receive this e-mail, follow the five-step process below. You can find all relevant documents in the PCI DSS Box folder.

  1. Check the Status Report:

    The PCI DSS Status Report contains all important information about OSU merchants. If you are missing any information about your merchant, please review the PCI DSS Status Report in the Box folder. If any of the information on this report is incorrect, please let us know at BusinessOpsIT@oregonstate.edu.

  2. Complete the SAQ Cover Page:

    Every merchant has to fill out this page and get it signed by the Merchant Manager and the Business Center. You can find the Cover Page and instructions in the PCI DSS Box folder.

  3. Complete your SAQ:

    Every merchant on campus needs to fill out an SAQ. To learn which SAQ you have to fill out, please check the "SAQ Form" column in the PCI DSS Status Report in the PCI DSS Box folder.

  4. Add Policies and Procedures and Other Supporting Evidence:

    All PCI DSS submissions must include policies and procedures as evidence. Some SAQ submissions may require additional evidence. Evidence requirements are described in the OSU-specific SAQ instructions.

  5. Sign and Submit:

    Once the SAQ Cover Page and the SAQ are completed, please sign and scan them, and then submit them along with your Policies and Procedures via the Final PCI DSS SAQ Submission webform. The Cover Page, SAQ, policies and procedures, and other supporting evidence should be combined into a single document before submission.

Need more information?

If you need more information on any of the topics above, please visit the "SAQ Supporting Documents" page.