PCI Questionnaire for UHS Merchants


  • 1. PCI Questionnaire for UHS Merchants
    Disclaimer: This is a UH-customized version of the PCI Self-Assessment Questionnaire version 1.0. It is designed to provide basic information to assist with PCI-Compliance efforts. It is not designed to serve as a replacement for completion of the official PCI Self-Assessment Questionnaire required by PCI.

    General Information Overview
    G1 Merchant Name:
       Merchant ID:
       Contact Name:
       Title:
       Phone:
       Email:
    G2 Please include a brief description of your business.
    G3 How and in what capacity does your business store, process and/or transmit cardholder data?
    G4 Do you use any Third Party Service Providers/Vendors? Yes / No
       If yes, please list below:
       Processor:
       Gateway:
       Web Hosting:
       Shopping Cart:
       Co-location:
       Other:
    G5 Does your business handle only card-not-present (ecommerce or mail/telephone order) transactions? Yes / No
    G6 Does your business not store, process or transmit any cardholder data on merchant premises but instead rely entirely on third party service provider(s) to handle these functions? Yes / No
    G7 Does your business retain only paper reports or receipts with cardholder data, which are not received electronically? Yes / No
    G8 Does your business store any cardholder data in electronic format? Yes / No
    G9 Does your business use only an imprint machine to imprint customers’ payment card information and does not transmit cardholder data over either a phone line or the Internet? Yes / No
    G10 Does your business use only standalone, dial-up terminals (connected via phone line to your processor); and the standalone, dial-up terminals are not connected to the Internet or any other systems within the merchant environment? Yes / No
    G11a Does your business have a payment application system (ex. POS or shopping cart system) and an Internet (for example for email or web browsing) or public network connection on the same device? Yes / No
    G11b If Yes, is the payment application system/Internet device connected to any other system within the merchant environment? Yes / No
  • 2.
    Requirement 1: Install and maintain a firewall configuration to protect data
    1.1 Who is responsible for addressing IT issues in your department?
    1.2 How are you connected to the campus network? Check all that apply: Ethernet Wired Network Connections Wireless Network Connections
    1.3 Is your department using campus IT networking equipment or equipment owned or implemented by your own department? Please explain
    1.4 What are the IP address ranges currently being used by your devices?
    1.5 Do your employees access department resources from home or other non-campus locations? Yes / No
    1.6 Do your employees access any cardholder data applications from home, other campus locations, or other remote business locations? Yes / No
    1.7 How many computers does your department have?
        Desktop computers
        Laptops
    1.8 Do any of these computers run cardholder data applications? Yes / No
    1.9 How many staff members have access to computers with cardholder data?
    1.10 How many servers does your department maintain for your merchant activities?
    1.11 Where are these servers physically located?
    1.12 What services are provided on each server?
    1.13 What operating system does each server use?
    1.14 How do you physically receive credit card data? Check all that apply: In person; via phone; via postal mail; via fax; via email; via web; Other:
    1.15a Do you use Point of Sale (POS / swipe) terminals to process credit cards or do you use a software program on a PC to complete the transactions?
    1.15b If Yes to either type, please list all the POS terminal hardware or computer software in use:

    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
    2.1 Who is responsible for installing new workstations/desktops in your department?
    2.2a Do you have documentation with a detailed listing of how each new computing device should be configured and setup (build documents)? Yes / No
  • 3.
    2.2b If Yes, do your configuration guidelines (build documents) mandate changing of default accounts and initial security settings and removal of unnecessary services and protocols? Yes / No

    Requirement 3: Protect Stored Data
    3.1 What is the process for handling credit card transactions? Please provide a step-by-step account of how cardholder transactions are conducted.
    3.2 What cardholder related data is stored by your department?
        Full 16 digit card number: Yes / No
        Last 4 digits of card number: Yes / No
        Cardholder Name: Yes / No
        Service Code: Yes / No
        Expiration Date: Yes / No
        Magnetic stripe information: Yes / No
        Card-validation code: Yes / No (3 digit number printed on the signature panel of a card)
        PIN / PIN Block: Yes / No
        Authorization code: Yes / No
    3.3 Where is this data stored?
        On physical paper: Yes / No
        In computer database: Yes / No
        Other: Please explain
    3.4 If cardholder data is stored on physical paper, how is it stored and for how long?
    3.5 How is this paper disposed of when no longer needed?

    Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
    4.1 Are any emails sent or received containing cardholder data? Yes / No

    Requirement 5: Use and regularly update anti-virus software
    5.1a Do you have personal firewalls installed on your computers? Yes / No
    5.1b If Yes, who is responsible for ensuring it is updated on a regular basis? Please check one: The computer user; IT Manager; Other: ; Don’t know
    5.2a Do you have anti-virus software installed on your computers? Yes / No
    5.2b If Yes, who is responsible for ensuring it is updated on a regular basis? Please check one: The computer user; IT Manager; Other: ; Don’t know
  • 4.
    Requirement 6: Develop and maintain secure systems and applications
    6.1 Do you use software applications for processing credit card transactions? Yes / No
        If Yes, please answer the following group of 4 questions:
    6.1a What applications do you use for processing credit card transactions?
    6.1b Are any of these applications developed internally? Yes / No
    6.1c Do you have a procedure for testing system/application configuration changes prior to implementation? Yes / No
    6.1d Do you have a testing environment separate from your production environment? Yes / No
    6.2 Do you have a formal process/procedure for approving changes to your computers? Yes / No
    6.3 Do you have a formal process/procedure for approving changes to your card-handling business procedures? Yes / No

    Requirement 7: Restrict access to data by business need-to-know
    7.1 Which job positions within your department need access to cardholder data to conduct credit card transactions?
    7.2a Is there anyone else in your department that has access to this data? Yes / No
    7.2b If Yes, who?
    7.3 Does your department accept orders from campus on-line “storefronts?” Yes / No
        If Yes, please answer the following group of questions:
    7.3a How does this process work? Please describe the process:
    7.3b Does anyone in your department, including yourself, have access to view cardholder order information outside of your department “storefront,” i.e. can you see only your department’s orders, or can you see orders from other departments? Yes / No
    7.3c If Yes, who has access to view cardholder order information? Please list:
    7.3d After an online order is processed, when is the cardholder data no longer viewable online? Immediately; After 7 days; Other:

    Requirement 8: Assign a unique ID to each person with computer access
    8.1 Do all computers require users to enter a user ID and password to logon? Yes / No
    8.2 Do your users use only CougarNet or IT-managed user IDs to access systems? Yes / No
    8.3 Does your department manually create user IDs for use with any applications? Yes / No
  • 5.
    8.4 When an employee leaves the university, what is the process that is followed to disable their user IDs?
    8.5 Do non-UH employees (contractors, vendors, etc) use computers within your department? Yes / No
    8.6 Does your department use any shared “counter” or group user IDs for access to systems? Yes / No

    Requirement 9: Restrict physical access to cardholder data
    9.1 What access controls are in place in your department where cardholder data is handled (office areas, computer areas, printer areas, etc)?
    9.2a Do you receive any cardholder data via fax? Yes / No
    9.2b If Yes, is your fax machine a standalone machine? Yes / No
    9.2c If Yes, is your fax machine physically secured against unauthorized access? Yes / No
    9.3 How are your computers backed up?
    9.4 Who is responsible for handling the backing up process?
    9.5 If computers are backed up to removable media, where is the backup media stored?
    9.6 How is backup media physically disposed of when no longer used?
    9.7 What is the process for deleting or destroying cardholder data before it is physically destroyed (for example by shredding papers or reformatting electronic media)?

    Requirement 10: Track and monitor all access to network resources and cardholder data
    10.1 Is all access to electronic cardholder data, including administrator access, logged? Yes / No
    10.2a Is security logging enabled on all computers? Yes / No
    10.2b If yes, is the logging configured to record successful and unsuccessful login attempts and access to audit logs?
    10.3 Are security logs backed up? Yes / No
    10.4 How long are audit logs retained?
    10.5a Are all computers members of CougarNet or an IT-managed domain? Yes / No
    10.5b If No, are all critical system clocks and times synchronized with an official time server? Yes / No
  • 6.
    Requirement 11: Regularly test security systems and processes
    11.1 Do you perform regular vulnerability scans or penetration tests of your computers? Yes / No
    11.2 Do you receive any alerts from an intrusion detection system (IDS)? Yes / No

    Requirement 12: Maintain a policy that addresses information security
    12.1 Do you have any written departmental policies (aside from the UH System Administrative Memoranda (SAM) or any other official campus policies) regarding:
         Access control: No / Yes. Last Reviewed / Updated:    /   /
         Application / system development: No / Yes. Last Reviewed / Updated:    /   /
         Operational procedures: No / Yes. Last Reviewed / Updated:    /   /
         IT network: No / Yes. Last Reviewed / Updated:    /   /
         Physical security? No / Yes. Last Reviewed / Updated:    /   /
    12.2 Who is responsible for publishing these policies?
    12.3 Who is responsible for ensuring these policies are followed?
    12.4 Please list the policies that you distribute to employees (if any).
    12.4a When are these policies distributed? Check all that apply: New employee; Annually; Other:
    12.4b In what format are these policies distributed? Check all that apply: paper; email; website; shared drive; Other:
    12.5 Are your users required to sign an agreement verifying that they have read and understood your department-specific policies and procedures? Yes / No
    12.6 Have all of your staff completed the following credit card training within the past 12 months?
         F08033-Credit Card Processing: Yes / No
         F08035-Credit Card Data Security: Yes / No
         H08001-Secure Our Systems: Yes / No (previously called Data Security Training)
    12.7 Has a background check been performed on all of your employees with access to cardholder data? Yes / No
    12.8a Do you have a written security incident response plan? Yes / No
    12.8b If yes, how often is this security incident response plan tested?

    Thank you