New PCI Requirements for Nelnet Users

Revised 10/20/2015

Current PCI compliance requirements that will allow you to continue using SAQ-A under normal circumstances (note that PCI compliance can change frequently and the information provided may become outdated):

Server Related

  • New U-M websites should be hosted on an ITS managed MiServer or a PCI compliant service provider. Implement one primary function per server to avoid functions requiring different security levels co-existing on the same server.
  • If a U-M website is hosted externally, the server must be in a monitored secure location.
  • Operating system and application software versions must be supported by the vendor.
  • Security patches must be installed within one month of release.
  • 2-factor authentication to the web server for administrative and developer access (including 90 day password changes, no reuse of old passwords allowed).
  • Vendor access to the server should only be allowed for maintenance and support.
  • File integrity monitoring (FIM) of the operating system, web server and application (i.e. all static files). FIM is not currently provided by ITS.
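
Because FIM is not provided by ITS, site owners need their own check on static files. The following is an added example, not part of the original page and not a U-M or ITS tool: it records a SHA-256 baseline of every file under a web root and later reports what was added, removed or modified. The function names and the command-line paths are hypothetical.

```python
import hashlib
import json
import os
import sys
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file; static web assets are small enough to read whole."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            p = Path(dirpath, name)
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                # Record the link target so a repointed symlink shows as modified.
                result[rel] = "symlink:" + os.readlink(p)
            elif p.is_file():
                result[rel] = hash_file(p)
    return result


def write_baseline(root: Path, baseline: Path) -> None:
    """Save the known-good state; keep this file outside the web root."""
    baseline.write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def compare(root: Path, baseline: Path) -> dict:
    """Return the files added, removed or modified since the baseline."""
    old = json.loads(baseline.read_text())
    new = snapshot(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


if __name__ == "__main__":  # usage: fim.py WEB_ROOT BASELINE_FILE (placeholder paths)
    web_root, baseline_file = Path(sys.argv[1]), Path(sys.argv[2])
    if baseline_file.exists():
        print(json.dumps(compare(web_root, baseline_file), indent=2))
    else:
        write_baseline(web_root, baseline_file)
```

Run it on a schedule and re-create the baseline only after an approved deployment, so that any other difference is reviewed as an unexpected change.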

Website Related

  • Use HTTPS per Google certificate recommendations
    • 2048 bit
    • SHA-2
  • Use TLS 1.1 or higher, no RC4 or fallback.
  • Limit parameter information passed to Nelnet (i.e., Order Number, Order Type, Order Description, Amount Due, Redirect URL & parameters, Retries Allowed, Time Stamp and hash). For those who were sending more info in UserChoice fields or customer name/address to Nelnet, you’ll need to collect this information on your U-M website going forward.


  • Opt-in to U-M Information & Infrastructure Assurance's internal monthly vulnerability scans – under “Additional Requests” indicate: “PCI scan”. If assistance is needed to complete the form, submit a Help Desk Ticket.
  • Reconcile Nelnet activity to your website activity each business day when website is operational. This is usually a business office function.
  • Coordinate with Treasury (Dave Doyle 7-7440), where the Nelnet configuration is changed from MD5 to SHA256 for pre-existing Nelnet websites.
    • A new “extra” Nelnet Web page is created by Treasury that asks customers to simply confirm the amount (example image below). Customers only need to click “Continue” to be taken to the regular Nelnet payment Web page.
    • You don’t need to develop this Web page.
    • This assists in reducing “Man-in-the-middle” attacks.

Example of the Nelnet pre-credit card processing screen:

[Image: Double Hop Example Screen]

Please remember that, as the merchant, you are responsible for all 12 Requirements of the PCI-DSS standard even if you currently qualify for the shorter SAQ A.