
Merchant Manual Instructions

SAQ A merchant manual

Section 1 – Departmental Merchant Agreement

Section 2 – Annual PCI Self-Assessment Questionnaire

Section 3 – Cardholder Data Flow Diagram

Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment

Section 5 – Third-Party Service Providers Documentation

Section 6 – PAN Scan Results

Section 7 – Training log

 

SAQ A Merchant Manual Yearly Upkeep Steps
  1. Review your policies and procedures annually and record the review in the "Revision History" of your policies.
  2. Distribute the updated policies to your staff and have them complete the Annual Policy Acknowledgement.
  3. Complete and sign the SAQ A annually.
  4. Make sure your third-party service provider documentation is updated annually.
  5. Have a new PAN scan performed annually and file the results.
  6. Enroll staff, complete the annual online security training, and update your training log.

 

SAQ B merchant manual

Section 1 – Departmental Merchant Agreement

Section 2 – Annual PCI Self-Assessment Questionnaire

Section 3 – Cardholder Data Flow Diagram (use the data flow from the Operational policies and procedures)

Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment

Section 5 – Third-Party Service Providers Documentation

Section 6 – PAN Scan Results

Section 7 – Terminal Security Section

              Capture Device Inventory Log

              Cellular Terminal Log

              Capture Device Periodic Inspection Procedures

              Capture Device Periodic Inspection Log

              Skimming/Tampering Training

Section 8 – Training log

 

SAQ B Merchant Manual Yearly Upkeep Steps
  1. Review your policies and procedures annually and record the review in the "Revision History" of your policies.
  2. Distribute the updated policies to your staff and have them complete the Annual Policy Acknowledgement.
  3. Complete and sign the SAQ B annually.
  4. Make sure your third-party service provider documentation is updated annually.
  5. Have a new PAN scan performed annually and file the results.
  6. Enroll staff, complete the annual online security training, and update your training log.
  7. Perform the periodic physical inspections of your capture device(s) and record each one in the Capture Device Periodic Inspection Log.

 

SAQ C-VT merchant manual

Section 1 – Departmental Merchant Agreement

Section 2 – Annual PCI Self-Assessment Questionnaire

Section 3 – Cardholder Data Flow Diagram (use the data flow from the Operational policies and procedures)

Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment

Section 5 – Third-Party Service Providers Documentation

Section 6 – PAN Scan Results

Section 7 – Training log

Section 8 – Configuration Guide for in-scope systems (firewall, workstations, etc.)

Section 9 – Firewall Rules, with a business justification for every allowed connection

Section 10 – Network Diagram

Section 11 – Connectivity Diagram

 

SAQ C-VT Merchant Manual Yearly Upkeep Steps
  1. Review your policies and procedures annually and record the review in the "Revision History" of your policies.
  2. Distribute the updated policies to your staff and have them complete the Annual Policy Acknowledgement.
  3. Complete and sign the SAQ C-VT annually.
  4. Make sure your third-party service provider documentation is updated annually.
  5. Have a new PAN scan performed annually and file the results.
  6. Enroll staff, complete the annual online security training, and update your training log.
  7. Review your configuration guide annually.
  8. Review your firewall rules at least every six months and keep a business justification for every allowed connection.
  9. Review your network and connectivity diagrams annually.
  10. Make sure your anti-virus software is current and performing scans.
  11. Make sure anti-virus audit logs are retained for at least one year, with the last three months readily available.
  12. Make sure all critical security patches are applied to in-scope systems within 30 days of release.

SAQ P2PE merchant manual

Section 1 – Departmental Merchant Agreement

Section 2 – Annual PCI Self-Assessment Questionnaire

Section 3 – Cardholder Data Flow Diagram (use the data flow from the Operational policies and procedures)

Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment

Section 5 – Third-Party Service Providers Documentation

Section 6 – PAN Scan Results

Section 7 – Terminal Security Section

              Capture Device Inventory Log

              Cellular Terminal Log

              Capture Device Periodic Inspection Procedures

              Capture Device Periodic Inspection Log

              Skimming/Tampering Training

Section 8 – Training log

Section 9 – PIM (P2PE Instruction Manual)

 

SAQ P2PE Merchant Manual Yearly Upkeep Steps
  1. Review your policies and procedures annually and record the review in the "Revision History" of your policies.
  2. Distribute the updated policies to your staff and have them complete the Annual Policy Acknowledgement.
  3. Complete and sign the SAQ P2PE annually.
  4. Make sure your third-party service provider documentation is updated annually.
  5. Have a new PAN scan performed annually and file the results.
  6. Enroll staff, complete the annual online security training, and update your training log.
  7. Perform the periodic physical inspections of your capture device(s) and record each one in the Capture Device Periodic Inspection Log.
  8. Review your PIM (P2PE Instruction Manual) annually to ensure you have the current version and are still following it.
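Every manual above calls for an annual PAN scan and a filed set of results, but none of them say what such a scan actually does. The following is an added illustration, not the manual's own tool or the scan the institution performs for you: it finds candidate primary account numbers in text, discards digit runs that fail the Luhn check (which rejects most order numbers, phone numbers and timestamps), and reports only truncated PANs so the scan report itself does not become cardholder data. The file label, the `Finding` record and the sample log lines are all constructed for this example.

```python
"""Minimal PAN discovery scanner (added example; not the institution's scan tool)."""
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import NamedTuple

# Candidate PANs are 13 to 19 digits, optionally separated by single spaces or
# hyphens. The lookarounds require a non-digit on both sides so a 16-digit
# window inside a longer digit run (a hash, a serial number) is not reported.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATOR_RE = re.compile(r"[ -]")


class Finding(NamedTuple):
    source: str       # file name or label of the scanned input (hypothetical)
    line_no: int
    masked_pan: str   # first six and last four digits only, never the full PAN


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, the checksum every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Truncate to first six / last four, the most PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(label: str, text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid PAN candidate, with line numbers."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = SEPARATOR_RE.sub("", match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(label, line_no, mask(digits)))
    return findings


def scan_path(path: Path) -> list[Finding]:
    """Scan a file or, recursively, every regular file under a directory."""
    files = [path] if path.is_file() else [p for p in path.rglob("*") if p.is_file()]
    results: list[Finding] = []
    for f in files:
        # errors="replace" keeps binary junk from aborting a scan of a whole share
        results.extend(scan_text(str(f), f.read_text(errors="replace")))
    return results


# Constructed sample input. Line 1 holds a 13-digit order number that fails
# Luhn, line 3 a mistyped card number that also fails Luhn; only lines 2 and 4
# contain real (publicly documented test) PANs.
SAMPLE_LOG = """\
2022-08-01 order=1234567890123 status=ok
refund for card 4111 1111 1111 1111 exp 12/24
note: customer read 4111111111111112 (declined)
mc 5555-5555-5555-4444 amount 19.99
hash 3f2a0d0e1b2c4d5e6f7a8b9c0d1e2f3a
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = [f for arg in sys.argv[1:] for f in scan_path(Path(arg))]
    else:
        found = scan_text("sample.log", SAMPLE_LOG)
    for f in found:
        print(f"{f.source}:{f.line_no}: {f.masked_pan}")
```

Run it with no arguments to scan the embedded sample, or pass files and directories to scan real storage. A real annual scan should cover everything in the cardholder data environment, including file shares, mailboxes and databases, and any hit is a finding to be remediated and documented in Section 6, not merely recorded.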

Reviewed 2022-08-18