Payment Card Industry - Data Security Standard (PCI DSS): An ever-evolving standard created by MasterCard, Visa, American Express, and Discover to protect cardholder information.
PCI DSS compliance is mandatory for all university merchants and must be practiced at all times. Failure to comply could result in:
- extraordinary fines
- loss of ability to accept credit cards
- damage to department and university reputation if a data breach occurs
- potential loss of job
Annual mandatory PCI compliance validation steps
Step 1: Online merchant certification course - takes about 45 minutes. All staff who come into contact with credit card data and merchant contacts must take this U-M MyLINC course annually. Materials referenced within the course are available on the Additional PCI resources web page.
Step 2: Merchant Services Policy document - Merchant contacts are required to review the Merchant Services Policy document annually. Signer updates are sent to the Treasurer's Office.
Step 3: Attestation of PCI Compliance - Annually, merchant contacts complete the Self Assessment Questionnaire (SAQ) on the Trustwave website. Initially, Trustwave will send merchants an email with a link to their website. Trustwave requires a separate login for each merchant account.
Trustwave PCI guidance
- These templates will assist you through each question within the Self Assessment Questionnaire (SAQ) on the Trustwave website. Failure to use this template may result in misinterpretation of the questions, thus increasing the likelihood that you will be non-compliant or have to reprocess the SAQ. Contact Treasury if you are unsure of which SAQ to complete. Each year, download the most current template here. Do not download a template and use it the next year.
- SAQ A Guidance (online credit card transactions processed by a 3rd party, e.g., Nelnet, Authorize.net, etc.)
- SAQ B Guidance (credit card transactions processed with a credit card terminal)
- SAQ B-IP, SAQ A-EP, SAQ C, SAQ C-VT or SAQ D: Contact the Treasurer's Office at 734 615-2103 or 734 647-7440 if you are required to complete one of these SAQs.
- Additional PCI resources web page - U-M log on required.