OCIO - Innovation in Technology: PCI Compliance

Welcome to the PCI Awareness Page of the OCIO. As a state agency taking payments, your agency is required to be PCI compliant and must complete online training. Which online training is right for you? Choose the Self-Assessment Questionnaire (SAQ) that matches the way your agency accepts and processes payments. For more information, see the Self-Assessment Questionnaire section below.

PCI Data Security Standard - High Level Overview

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

Glossary


AOC - Acronym for “attestation of compliance.” The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.

Application - Includes all purchased and custom software programs or groups of programs, including both internal and external (for example, web) applications.

Cardholder - Non-consumer or consumer customer to whom a payment card is issued, or any individual authorized to use the payment card.

Cardholder Data - At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.

CDE - Acronym for “cardholder data environment.” The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.

ISA - Acronym for “Internal Security Assessor.” An ISA is an employee of the entity being assessed who has been qualified by PCI SSC to perform internal PCI DSS assessments for that entity.

ISP - Acronym for “Internet Service Provider.”

Merchant - For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

PAN - Acronym for “primary account number” and also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

Payment Processor - Sometimes referred to as “payment gateway” or “payment service provider (PSP)”. Entity engaged by a merchant or other entity to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand. See also Acquirer.

Personally Identifiable Information (PII) - Information that can be utilized to identify or trace an individual’s identity, including but not limited to name, address, social security number, biometric data, date of birth, etc.

QSA - Acronym for “Qualified Security Assessor.” QSAs are qualified by PCI SSC to perform PCI DSS on-site assessments. Refer to the QSA Qualification Requirements for details about requirements for QSA Companies and Employees.

Scoping - Process of identifying all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review.

Independent Agency Self-Assessment Questionnaire (SAQ)


Each questionnaire lists the eligibility criteria an agency must meet in order to use that form.

SAQ D - Merchant of Record; All Other SAQ-Eligible Merchants

  • If your agency does not fall into any of the other categories below, it must use SAQ D
  • 79 pages
  • Nebraska Interactive (NI) completes an SAQ D for all county services

SAQ A - Card-Not-Present Merchants, All Cardholder Data Functions Fully Outsourced

  • All NI applications are in this category
  • The agency may have to provide evidence that the application performs a full redirect to the payment page

SAQ A-EP - Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing

  • Applies if the agency is not using a full redirect, or uses SOAP/AJAX calls to hand off the payment from within the application
  • PayPal integrations work this way and require the entire application to be in a PCI compliant environment

SAQ C - Merchants with Payment Application Systems Connected to the Internet; No Electronic Cardholder Data Storage

  • If the agency insists on manually entering cardholder data, it will have to use this form
  • 49 pages; puts the agency network and its controls in scope
  • Applies if the State uses Elavon or a direct-connect terminal

SAQ C-VT - Merchants with Web-Based Virtual Payment Terminals; No Electronic Cardholder Data Storage

  • This does not apply to State Agencies
  • FD-40 implementation will be required
  • No manual entry of card data from a computer
  • 29 pages; reduces the network footprint that is in scope

NIC and Agency Responsibilities Matrix: NIC guidance applies only to Portal-provided services.

FAQs


Nebraska Interactive handles my credit card information; do I still need to submit an SAQ?

Yes.

What happens if I don’t submit an SAQ by October 15, 2018?

You may be subject to fines and may be prevented from taking credit card payments.

Can I take credit card payments over the phone and still be PCI compliant?

No, credit card payments may not be taken over the phone.

Contact List
Charlotte Scott, State Treasurer's Office
Heidi Wallace, State Treasurer's Office
Chris Hobbs, Administrative Office of the OCIO

Office of the CIO
501 South 14th Street
Lincoln, NE 68508
402.471.3560

Best Practices
The deadline for PCI compliance is October 15, 2018
Create a Merchant Manual
Train Employees
Interested in taking credit cards? Email Nebraska Interactive: ni-info@egov.com

Resources
State Treasurer's Official Website
Nebraska Information Technology Commission