PCI Compliance for OSU Credit Card Merchants
If you process, store, or transmit credit card data, then the Payment Card Industry (PCI) requirements apply to you. PCI requirements apply to any and all incoming credit card transactions. OSU Purchasing cards are not included in this security assessment.
PCI Compliance
The PCI Data Security Standards (PCI DSS) are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that accept credit cards, and in doing so store, process, or transmit cardholder data.
The Self-Assessment Questionnaire (SAQ) is a tool for merchants to validate PCI DSS compliance. The SAQ includes a series of yes/no questions and must be completed and returned to the Oregon State Treasury annually. If the answer to any question is no, meaning your operation fails to comply with that requirement, then you must state the remediation action you will take and the date by which it will be in place. Different SAQs are specified for various business situations (described below).
To complete the annual SAQ at OSU, please follow the below procedure:
- Verify your credit card merchant information with Business Affairs. Send an email (see contacts below) to request a report for your business unit.
- Business Affairs will inform merchants of the appropriate SAQ version that must be completed.
- Merchant operation managers will be required to complete the 2011 Payment Card Industry Data Security Standards Annual Assessment Cover Page and the appropriate SAQ below (as directed by Business Affairs). SAQs must be completed for all OSU Credit Card Merchants. Please note that the SAQ must be signed by the Merchant Operations Manager.
- Once complete, the SAQ and SAQ Cover Sheet will need to be forwarded to the Business Center Manager for review and signature.
- Once approved by the Business Center Manager, the SAQ should be sent (electronically is preferred) to Business Affairs.
| SAQ | Description |
| --- | --- |
| A | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. |
| B | Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. |
| C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. |
| C-VM | VIRTUAL MERCHANT USERS ONLY! Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. |
| D | All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ. |
Supporting PCI DSS Documents:
Contacts:
Business Affairs Process Improvement Team
100 Kerr Administration Building
Corvallis, OR 97333
Robert Monasky
Robert.Monasky@OregonState.Edu
541-737-0654
Dan Hough
Dan.Hough@OregonState.Edu
541-737-2935
