PCI Compliance Training
Each role in the PCI Compliance process has its own level of responsibility. Training of Department Heads, Site Managers and Operators is an important part of PCI compliance.
PCI Department Head – Merchant Owner
The highest level of responsibility belongs to the Department Head. The Department Head is responsible for all credit card merchant activities in his or her Division or Dean’s Office. Each Department Head must attend an annual PCI training session, which is offered and tracked by the Controller’s Office. The training sessions are listed on the Controller’s Office website.
PCI Site Manager – Functional Contact
The next level of responsibility belongs to the Site Manager. All credit card merchant operations have at least one PCI site manager, who is responsible for the day to day operations of the merchant activity. PCI Site Managers must attend an annual PCI training session, which is tracked by the Controller’s Office. PCI Site Managers will learn about the University’s initiative for becoming PCI compliant in systems, infrastructure and processes. In this interactive discussion, attendees will learn about the PCI compliance process, how this compliance initiative will affect their business practices and processes, and how they can help their department/division avoid serious financial exposure by meeting and adhering to the PCI Data Security Standard. The training sessions are listed on the Controller’s Office website.
Other responsibilities of the PCI Site Manager include ensuring that Cashiers have been appropriately trained in the PCI Data Security Standard and are therefore PCI Compliant.
- Reconciliation of credit card sales is the responsibility of the PCI Site Manager, or of whoever the PCI Site Manager delegates it to. Regular reconciliation ensures that deposits are accurate and timely. We recommend that reconciliations occur weekly, but at a minimum, monthly.
- For eCommerce Merchants, there are reports in CASHNet and Nelnet you can use for reconciliation. There is no eCommerce settlement to FirstData on Saturday or Sunday, so those transactions are combined with Monday's transactions. Monday's settlement will therefore contain three days of transactions (Saturday, Sunday and Monday), while Tuesday through Friday settlements each contain a single day of transactions only. CASHNet and Nelnet end-of-day settlement occurs at 11:47 pm.
- For non-eCommerce or point-of-sale merchants, there are reports in Clientline. Please send an email to email@example.com to obtain login access.
- For merchants that accept American Express, you are responsible for an additional reconciliation, as those transactions are not included under the regular merchant identification number (MID).
- Each PCI Site Manager must attend the annual PCI Site Manager training and take the online Operator training.
- Anyone who handles a customer credit card at a point-of-sale device, and all CASHNet or Nelnet Operators, must take the Operator Training Module. All PCI Site Managers must provide business procedures and develop a business continuity plan for taking credit card payments for each Merchant ID. Written PCI Policies for your credit card procedures must be submitted with the SAQ. If stated business practices change, submit the changes to firstname.lastname@example.org.
- A Self-Assessment Questionnaire (SAQ) must be completed for each Merchant ID. A SAQ is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Please contact email@example.com to set up a meeting for assistance in completing this form. Security and Compliance will fill it out together with you.
- Server information and location must be provided for new merchants completing SAQ A-EP (see https://www.pcisecuritystandards.org/security_standards/index.php).
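The settlement rules above (no Saturday or Sunday settlement, 11:47 pm end-of-day cutoff) are what make eCommerce reconciliation error-prone, so the following added example, which is not part of the original page or of CASHNet, Nelnet or FirstData, maps constructed sample transactions onto their expected settlement batches and flags any batch whose total disagrees with a processor settlement report. It assumes that a transaction timed after the 11:47 pm cutoff counts toward the next day's settlement; the page does not state this explicitly.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# CASHNet/Nelnet end-of-day settlement time, as stated on the page
CUTOFF = time(23, 47)

def settlement_date(ts_iso: str) -> str:
    """Return the ISO date of the settlement batch a transaction lands in.

    Assumption (not stated on the page): a transaction after the 11:47 pm
    cutoff counts toward the next day's settlement. Saturday and Sunday have
    no settlement, so those days roll forward into Monday's batch.
    """
    ts = datetime.fromisoformat(ts_iso)
    d = ts.date()
    if ts.time() > CUTOFF:
        d += timedelta(days=1)
    while d.weekday() >= 5:        # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d.isoformat()

def batch_totals(transactions):
    """Sum amounts (in cents) per expected settlement date.
    transactions: iterable of (txn_id, iso_timestamp, amount_cents)."""
    totals = defaultdict(int)
    for _txn_id, ts_iso, cents in transactions:
        totals[settlement_date(ts_iso)] += cents
    return dict(totals)

def reconcile(transactions, processor_report):
    """Compare expected batch totals against the processor's settlement report
    (dict of iso_date -> cents). Returns only the dates that disagree."""
    expected = batch_totals(transactions)
    return {
        d: (expected.get(d, 0), processor_report.get(d, 0))
        for d in sorted(set(expected) | set(processor_report))
        if expected.get(d, 0) != processor_report.get(d, 0)
    }

# Constructed sample week (1 March 2024 is a Friday); amounts in cents
SAMPLE_TRANSACTIONS = [
    ("T1", "2024-03-01T10:00", 1000),   # Friday, in Friday's batch
    ("T2", "2024-03-01T23:50", 2500),   # Friday after cutoff -> Saturday -> Monday
    ("T3", "2024-03-02T14:00", 1500),   # Saturday -> Monday
    ("T4", "2024-03-03T09:30", 700),    # Sunday -> Monday
    ("T5", "2024-03-04T12:00", 4200),   # Monday
    ("T6", "2024-03-05T08:00", 900),    # Tuesday
]

# Constructed processor report with one short deposit on Tuesday
SAMPLE_REPORT = {"2024-03-01": 1000, "2024-03-04": 8900, "2024-03-05": 850}

if __name__ == "__main__":
    for day, (exp, rep) in reconcile(SAMPLE_TRANSACTIONS, SAMPLE_REPORT).items():
        print(f"{day}: expected {exp} cents, settlement report shows {rep} cents")
```

American Express transactions settle under a separate MID, so they should be reconciled as a separate transaction list against their own report rather than mixed into this one.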
PCI Operator – Cashier
The third role and level of responsibility belongs to the PCI Operator. Operator training is required on an annual basis.
A PCI Operator is anyone in the business process who handles credit card information. Examples of operators include:
- Anyone who handles a customer credit card at a point-of-sale device.
- Anyone who processes faxed or mailed forms that contain credit card information.
- Anyone who accesses a web application that processes credit card information (such as Nelnet or CASHNet).
To assist with achieving compliance, we have developed on-line training for the university’s credit card operators that covers:
- General PCI Compliance with regards to basic credit card transactions.
- Situations where the card is present (over the counter transactions).
- Situations where the card is not present (telephone, fax or mail order transactions).
Training Confirmation and Tracking
PCI Compliance requires all operators, site managers and department heads to be trained on an annual basis, which must be tracked by the PCI site manager. To assist you in meeting this requirement, the on-line training tool will produce a certificate of completion, which includes the operator’s name and date. Upon completion of the training, a certificate is available for the PCI Operator who will then print and deliver a copy to the PCI site manager. The PCI site manager must retain a copy of the certificate for each operator, to document that they have been trained according to PCI requirements.