PCI Questionnaire for UHS Merchants
Disclaimer: This is a UH-customized version of the PCI Self-Assessment Questionnaire version 1.0. It is designed to
provide basic information to assist with PCI compliance efforts. It does not replace completion of the official
PCI Self-Assessment Questionnaire required by PCI.
General Information Overview
G1 Merchant Name: Merchant ID:
Contact Name: Title:
G2 Please include a brief description of your business.
G3 How and in what capacity does your business store, process and/or transmit cardholder data?
G4 Do you use any Third Party Service Providers/Vendors? Yes / No If yes, please list below:
Web Hosting: Shopping Cart:
G5 Does your business handle only card-not-present (ecommerce or mail/telephone order)
transactions? Yes / No
G6 Does your business not store, process or transmit any cardholder data on merchant premises
but instead rely entirely on third party service provider(s) to handle these functions? Yes / No
G7 Does your business retain only paper reports or receipts with cardholder data, which are not
received electronically? Yes / No
G8 Does your business store any cardholder data in electronic format? Yes / No
G9 Does your business use only an imprint machine to imprint customers’ payment card
information and does not transmit cardholder data over either a phone line or the Internet?
Yes / No
G10 Does your business use only standalone, dial-up terminals (connected via phone line to your
processor); and the standalone, dial-up terminals are not connected to the Internet or any
other systems within the merchant environment? Yes / No
G11a Does your business have a payment application system (ex. POS or shopping cart system)
and an Internet (for example for email or web browsing) or public network connection on the
same device? Yes / No
G11b If Yes, is the payment application system/Internet device connected to any other
system within the merchant environment? Yes / No
Install and maintain a firewall configuration to protect data
1.1 Who is responsible for addressing IT issues in your department?
1.2 How are you connected to the campus network? Check all that apply:
Ethernet (wired) network connections / Wireless network connections
1.3 Is your department using campus IT networking equipment or equipment owned or
implemented by your own department? Please explain
1.4 What are the IP address ranges currently being used by your devices?
1.5 Do your employees access department resources from home or other non-campus
locations? Yes / No
1.6 Do your employees access any cardholder data applications from home, other campus
locations, or other remote business locations? Yes / No
1.7 How many computers does your department have? Desktop computers: Laptops:
1.8 Do any of these computers run cardholder data applications? Yes / No
1.9 How many staff members have access to computers with cardholder data?
1.10 How many servers does your department maintain for your merchant activities?
1.11 Where are these servers physically located?
1.12 What services are provided on each server?
1.13 What operating system does each server use?
1.14 How do you physically receive credit card data? Check all that apply:
In person / via phone / via postal mail / via fax / via email / via web / Other:
1.15a Do you use Point of Sale (POS / swipe) terminals to process credit cards or do you use
a software program on a PC to complete the transactions?
1.15b If Yes to either type, please list all the POS terminal hardware or computer software in use:
Do not use vendor-supplied defaults for system passwords and other security parameters
2.1 Who is responsible for installing new workstations/desktops in your department?
2.2a Do you have documentation with a detailed listing of how each new computing device should
be configured and set up (build documents)? Yes / No
2.2b If Yes, do your configuration guidelines (build documents) mandate changing of default
accounts and initial security settings and removal of unnecessary services and protocols?
Yes / No
Protect stored cardholder data
3.1 What is the process for handling credit card transactions? Please provide a step-by-step
account of how cardholder transactions are conducted.
3.2 What cardholder related data is stored by your department?
Full 16-digit card number Yes / No
Last 4 digits of card number Yes / No
Cardholder Name Yes / No
Service Code Yes / No
Expiration Date Yes / No
Magnetic stripe information Yes / No
Card-validation code Yes / No (the 3-digit number printed on the signature panel of a card, or the 4-digit code printed on the front of American Express cards)
PIN / PIN Block Yes / No
Authorization code Yes / No
3.3 Where is this data stored?
On physical paper Yes / No
In computer database Yes / No
Other: Please explain
3.4 If cardholder data is stored on physical paper, how is it stored and for how long?
3.5 How is this paper disposed of when no longer needed?
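Questions 3.2 and 3.3 (and 4.1 below) can only be answered honestly if someone actually looks for card numbers in the department's spreadsheets, databases, mailbox exports and shared drives. The following is an added example of such a discovery check, not part of the original questionnaire or any UH tool: it finds digit runs of 13 to 19 digits, keeps only those that pass the Luhn check and start with a known brand prefix of the right length, and reports them masked to first six/last four digits so the scan output itself does not become another store of cardholder data. The brand table, the function names and the sample lines are all constructed for this example; the card numbers in the sample are the brands' published test numbers.

```python
"""PAN discovery check: find Luhn-valid card numbers with known brand prefixes in text."""
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

# A maximal run of digits, optionally separated by single spaces or hyphens,
# e.g. "4111 1111 1111 1111" or "3782-822463-10005".
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")

# Issuer prefix ranges and the PAN lengths each brand issues (assumed, illustrative
# table; a production scanner would use a maintained IIN list).
BRANDS = (
    ("Visa", (("4", "4"),), (13, 16, 19)),
    ("Mastercard", (("51", "55"), ("2221", "2720")), (16,)),
    ("American Express", (("34", "34"), ("37", "37")), (15,)),
    ("Discover", (("6011", "6011"), ("644", "649"), ("65", "65")), (16, 19)),
)


class Finding(NamedTuple):
    line_no: int
    brand: str
    masked: str  # first six and last four digits only, the most PCI DSS allows for display


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Return the brand whose prefix range and PAN length match, else None."""
    for name, ranges, lengths in BRANDS:
        if len(digits) not in lengths:
            continue
        for lo, hi in ranges:
            if lo <= digits[: len(lo)] <= hi:  # lo and hi have equal length
                return name
    return None


def mask(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def candidate_pans(run: str) -> Iterator[Tuple[str, str]]:
    """Yield (brand, pan) for brand-matching, Luhn-valid windows of 13-19 digits.

    Longest window first and non-overlapping, so a 16-digit PAN is not also
    reported as a 13-digit suffix of itself.
    """
    digits = re.sub(r"[ -]", "", run)
    i = 0
    while i < len(digits):
        for length in range(19, 12, -1):
            window = digits[i : i + length]
            if len(window) < length:
                continue
            brand = brand_of(window)
            if brand and luhn_valid(window):
                yield brand, window
                i += length - 1
                break
        i += 1


def scan_text(text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in DIGIT_RUN.finditer(line):
            for brand, pan in candidate_pans(m.group()):
                findings.append(Finding(line_no, brand, mask(pan)))
    return findings


# Constructed sample: lines of the kind found in an order spreadsheet or mailbox export.
SAMPLE_LINES = [
    "Order 1234567890123456 shipped to J. Smith",  # 16-digit order number, not a PAN
    "Card on file: 4111 1111 1111 1111 exp 12/26",  # Visa test number
    "AMEX 3782-822463-10005 auth code 48231",  # Amex test number, 15 digits
    "Mis-keyed card 4111111111111112",  # fails the Luhn check
    "Phone 713-743-1234, student ID 0012345678",  # too short to be a PAN
    "MC 5555555555554444 last4 4444",  # Mastercard test number
]


def scan_sample() -> List[Finding]:
    return scan_text("\n".join(SAMPLE_LINES))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.brand} PAN {f.masked}")
```

The brand-prefix and length filter matters as much as the Luhn check: roughly one in ten random digit strings passes Luhn, so a 16-digit order number such as the first sample line contains shorter windows that pass Luhn by chance but fail the prefix/length test. Run the same check over fax-to-email archives and shared drives before answering 3.3 and 4.1.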
Encrypt transmission of cardholder data and sensitive information across public networks
4.1 Are any emails sent or received containing cardholder data? Yes / No
Use and regularly update anti-virus software
5.1a Do you have personal firewalls installed on your computers? Yes / No
5.1b If Yes, who is responsible for ensuring it is updated on a regular basis? Please check one:
The computer user / IT Manager / Other: / Don’t know
5.2a Do you have anti-virus software installed on your computers? Yes / No
5.2b If Yes, who is responsible for ensuring it is updated on a regular basis? Please check one:
The computer user / IT Manager / Other: / Don’t know
Develop and maintain secure systems and applications
6.1 Do you use software applications for processing credit card transactions? Yes / No
If Yes, please answer the following group of 4 questions:
6.1a What applications do you use for processing credit card transactions?
6.1b Are any of these applications developed internally? Yes / No
6.1c Do you have a procedure for testing system/application configuration changes prior to
implementation? Yes / No
6.1d Do you have a testing environment separate from your production environment?
Yes / No
6.2 Do you have a formal process /procedure for approving changes to your computers?
Yes / No
6.3 Do you have a formal process/procedure for approving changes to your card-handling
business procedures? Yes / No
Restrict access to data by business need-to-know
7.1 Which job positions within your department need access to cardholder data to conduct credit
7.2a Is there anyone else in your department that has access to this data? Yes / No
7.2b If Yes, who?
7.3 Does your department accept orders from campus on-line “storefronts?” Yes / No
If Yes, please answer the following group of questions:
7.3a How does this process work? Please describe the process:
7.3b Does anyone in your department, including yourself, have access to view cardholder order
information from outside your own department “storefront,” i.e. can you see orders from other
departments rather than only your department’s orders? Yes / No
7.3c If Yes, who has access to view cardholder order information? Please list:
7.3d After an online order is processed, when is the cardholder data no longer viewable online?
Immediately / After 7 days / Other:
Assign a unique ID to each person with computer access
8.1 Do all computers require users to enter a user ID and password to log on? Yes / No
8.2 Do your users use only CougarNet or IT-managed user IDs to access systems? Yes / No
8.3 Does your department manually create user IDs for use with any applications? Yes / No
8.4 When an employee leaves the university, what is the process that is followed to disable their
8.5 Do non-UH employees (contractors, vendors, etc) use computers within your department?
Yes / No
8.6 Does your department use any shared “counter” or group user IDs for access to systems?
Yes / No
Restrict physical access to cardholder data
9.1 What access controls are in place in your department where cardholder data is handled (office
areas, computer areas, printer areas, etc)?
9.2a Do you receive any cardholder data via fax? Yes / No
9.2b If Yes, is your fax machine a standalone machine? Yes / No
9.2c If Yes, is your fax machine physically secured against unauthorized access? Yes / No
9.3 How are your computers backed up?
9.4 Who is responsible for handling the backing up process?
9.5 If computers are backed up to removable media, where is the backup media stored?
9.6 How is backup media physically disposed of when no longer used?
9.7 What is the process for rendering cardholder data unrecoverable before the paper or media holding it
is disposed of (for example by cross-cut shredding paper, or securely wiping or physically destroying electronic media)?
Track and monitor all access to network resources and cardholder data
10.1 Is all access to electronic cardholder data, including administrator access, logged?
Yes / No
10.2a Is security logging enabled on all computers? Yes / No
10.2b If yes, is the logging configured to record successful and unsuccessful login attempts and
access to audit logs? Yes / No
10.3 Are security logs backed up? Yes / No
10.4 How long are audit logs retained?
10.5a Are all computers members of CougarNet or an IT-managed domain? Yes / No
10.5b If No, are all critical system clocks and times synchronized with an official time server?
Yes / No
Regularly test security systems and processes
11.1 Do you perform regular vulnerability scans or penetration tests of your computers?
Yes / No
11.2 Do you receive any alerts from an intrusion detection system (IDS)? Yes / No
Maintain a policy that addresses information security
12.1 Do you have any written departmental policies (aside from the UH System Administrative
Memoranda (SAM) or any other official campus policies) regarding:
Access control No / Yes Last Reviewed / Updated: / /
Application / system development No / Yes Last Reviewed / Updated: / /
Operational procedures No / Yes Last Reviewed / Updated: / /
IT network No / Yes Last Reviewed / Updated: / /
Physical security? No / Yes Last Reviewed / Updated: / /
12.2 Who is responsible for publishing these policies?
12.3 Who is responsible for ensuring these policies are followed?
12.4 Please list the policies that you distribute to employees (if any).
12.4a When are these policies distributed? Check all that apply:
New employee / Annually / Other:
12.4b In what format are these policies distributed? Check all that apply:
paper / email / website / shared drive / Other:
12.5 Are your users required to sign an agreement verifying that they have read and understood
your department-specific policies and procedures? Yes / No
12.6 Have all of your staff completed the following credit card training within the past 12 months?
F08033-Credit Card Processing Yes / No
F08035-Credit Card Data Security Yes / No
H08001-Secure Our Systems Yes / No (previously called Data Security Training)
12.7 Has a background check been performed on all of your employees with access to cardholder
data? Yes / No
12.8a Do you have a written security incident response plan? Yes / No
12.8b If yes, how often is this security incident response plan tested?