OSU Logo

Subject Index

Annual PCI Compliance for OSU Credit Card Merchants

If you process, store, or transmit credit card data, then the Payment Card Industry (PCI) requirements apply to you. PCI requirements apply to any and all incoming credit card transactions. While PCI Data Security documents must be completed each calendar year, adherence to the PCI requirements is mandatory throughout the year. OSU Purchasing cards are not included in this security assessment.

PCI Compliance Procedure

The 2013 PCI Compliance process must be completed and submitted to Business Affairs by January 31st, 2014.

The PCI Data Security Standards (PCI DSS) are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that accept credit cards, and in doing so store, process, or transmit cardholder data.

The Self-Assessment Questionnaire (SAQ) is a tool for merchants to validate PCI DSS Compliance. The SAQ includes a series of yes/no questions and must be completed and returned to Business Affairs that will forward them to the Oregon State Treasury (OST) in aggregate. If an answer to any question is no, meaning your operation fails to comply with the requirement, then you must state the action you will take for remediation and the date it will be in place. The specific SAQ that needs to be completed is, dependent on your business situation, and is indicated in the PCI DSS Status Report. See supporting documents below.

To complete the annual SAQ at OSU, please follow the below procedure:

  1. Verify your credit card merchant information on the PCI DSS Status Report included in the supporting documents section below. Send any updates to the contacts below.
  2. Refer to the PCI DSS Status Report for the appropriate SAQ version that must be completed. Links to SAQs are available in the table below.
  3. Merchant managers are required to complete the 2013 Payment Card Industry Data Security Standards Annual Assessment Cover Page (see table below) and the appropriate SAQ as stated in the PCI DSS Status Report. The cover Page must be completed for all OSU Credit Card Merchants but may be aggregated for similar merchants. Please note that the SAQ must be signed by the Merchant Manager.
  4. Once complete, the Cover Page and SAQ (if applicable) needs to be forwarded to your Business Center for review and signature.
  5. Once approved by the Business Center, the Cover Page and SAQ should be sent (electronically is preferred) to the Business Affairs contacts below.
  6. The 2013 PCI Compliance process must be completed and submitted to Business Affairs by January 31st, 2014.
Form Description
CvrPg Cover page includes basic merchant description and attestation.
SAQ A Card-not-present (e-commerce or mail/telephone-order) merchants, all
cardholder data functions outsourced. This would never apply to face-to-face
SAQ B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage
SAQ C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage
SAQ D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

Supporting Documents:


Business Affairs Process Improvement Team
100 Kerr Administration Building
Corvallis, OR 97333

Robin Whitlock

Dan Hough