| Credit Card Handling (PCI-DSS) Standards - IT Related Compliance |
 

Roles and Responsibilities

Business financial and IT roles on campus blend across many job functions/ classifications in an organization or department. The Business Owner defined in the Roles and Responsibilities policy is the senior official within a college or departmental unit (or the designee) accountable for managing information assets.

The Business Owner is responsible for managing the people and systems needed for the organization or department to function. Operational roles and responsibilities are often delegated further within larger/ complex environments. Merchant operations role could be split and or delegated to a secondary/ tertiary role such as an IT Director, PCI Compliance manager point of contact, IT administrator etc.

To ensure consensus and departmental understanding regarding support, job specific roles and functions that comprise the business operations, these should be defined and maintained in the PCI Matrix.

 

Title Description Resource
Business Owner The senior official within a college or departmental unit (or his/her designee) accountable for managing information assets. https://itsecurity.uiowa.edu/policy-roles-and-responsibilities
Merchant "Any entity that accepts payment cards...as payment for goods and/or services." https://www.pcisecuritystandards.org/pci_security/glossary#M

 

Are merchants being asked to take the information from the SAQ and input it into the matrix? Can I just send the downloaded report over instead as this spreadsheet seems duplicative? I’ve successfully completed PCI compliance SAQs for the past couple of years for each of the accounts that I manage and without any issues.

The biggest self-reported reason for Merchant PCI non-compliance is a lack of understanding the SAQ questions and the Merchant's PCI environment. PCI compliance is on-going, not a one-time effort. The Matrix is a fairly static document which should be kept updated to reflect all changes to the business environment. The Matrix is also supposed to serve as a document Merchant/ Business Owners should be able to leverage when answering questions relating to their business environments. Responses should be in clear and easily understood.

What is a Merchant Matrix?

Organization/Department specific document managed by the Business Owner of the Merchant account, unique to their respective e-commerce environment. The matrix lists the 12 PCI requirements in detail.  
Answers to the various sections are unique to each merchant's business implementation. Merchants with sub-accounts are required to have a separate worksheet for each separate account. One Excel workbook with, one or more worksheets, depending on the business needs. Merchants with multiple or similar sub accounts can copy content from the first work sheet to paste in a new worksheet - customizing as needed.

Who needs to complete the Matrix?

The Business Owner of the Merchant account needs to have a full understanding of how their business environment/s is/are set up. Business Owners may not be too involved with the technical implementation and delegate this responsibility on within the department. The Matrix is a key to how the technical side of business operations are set up and how specifically they are used to maintain compliance. Completion of unit specific Matrices should be a combined group effort i.e. Business Owners identifying staff and services needed to keep their business operationally compliant.

Whose responsibility is it to manage the PCI environment?

PCI Compliance is an ongoing process NOT a one time effort. Merchants (the Business Owner) are responsible for the financial management of their business operations i.e. decision makers responsible for the delegation of roles and responsibilities to facilitate financial and technical compliance as needed. https://treasury.fo.uiowa.edu/policies-and-procedures/credit-card-merchant-services-policy/merchant-responsibilities. The designated Business Owners of the merchant account set the pace and assign responsibility as needed, NOT the IT support staff, the administrative assistant nor the student worker. 

What is an Internal Third Party Service Provider?

An University run campus department providing the Merchant with a specific service. Examples of an Internal Third Party Service Provider could be:
The Information Security and Policy Office for Firewalling on the Academic side of campus OR; Data Center Network Security on the UIHC side of campus.

What is an External Third Party Service Provider?

An external 3rd party, vended service/ application/ device providing the Merchant with a specific business function. Examples of an External Third Party Service Provider could be:
Third party hosted pay site such as Eventbrite.

When will the PCI DSS Responsibility Matrix be completed by 'ITS' to reflect the responsibilities of the Internal UI Third Party Service Provider Responsibility?

The Matrix document is SPECIFIC to the merchant account. Each individual Merchant needs to focus and scope responses as they relate to their environment, no one else's. Individual merchants should identify any enterprise (ITS/UIHC) services consumed and work with these groups to get answers to questions regarding technical controls of the data and services in their Cardholder Data Environment(s).

What is Bluehost & Authorize.net that currently appears on the current PCI DSS Responsibility Matrix011619?

Information 'pre-filled in the Matrix is an example for Merchants who have confusion with completing sections. Each excel cell in the Matrix with a "RED" triangle in the top right corner is a comment section to help explain what type of answer is expected. User has to hover the mouse over the red triangle to reveal the comment. In addition to this, cells 'pre-populated' with copy such as Bluehost & Authorize.net is just an example of what type of service to fill in. Merchant Cardholder Data Environments are all set up differently depending on how they process credit cards. Responses will differ Merchant to Merchant. Merchants and their IT Support are more familiar with the technology used in their area and are expected to provide the correct detailed information as needed.

What the expectations are for filling out this matrix?
To be completely honest, this process has been very confusing for the last several years (filling out the survey).

As the Matrix and SAQ are both a compliance driven need to describe the technical controls implemented by each merchant, the goal going forward is to have departments collectively work together (Business Owners work with their local IT Support etc.) - to get the correct answers. These answers, are expected to provide better clarity for everyone in the merchant account group and ensure all of the relevant controls are implemented and remain sufficient to protect any card holder data.

I have completed my Matrix, what do I do with it?

Keep a copy of the completed Matrix along with all of the other Merchant account records, letting the ISPO know it is complete. The Matrix is a unit compliance management requirement, and likely to be requested when looking for objective assurance into the department's IT compliance related efforts. Merchants can work with the ISPO for direction/ feedback when completing these.

Do I have to answer these SAQs and Matrix questions, are they required?

YES, in addition to meeting financial requirements, the University is obligated to ensure that all of its campus Merchants have their credit card processing environments sufficiently secured. The SAQ and Matrix support what in the credit card processing area is in scope and how it is secured. See APPENDIX A: 12 PRIMARY REQUIREMENTS OF PCI DATA SECURITY STANDARDS page for additional information. https://treasury.fo.uiowa.edu/policies-and-procedures/credit-card-merchant-services/important-linksresources

Regarding the matrix that was sent to us, I’m not exactly sure how to answer these questions?

Work with the Business Owner of the merchant account AND the local IT Support person to answer the questions. If this relates to a current Merchant account the answers to each question will already have been completed and available for review in the Compliance Manager - SAQ. The IT Support staff who helped implement the technology should be of assistance to you.

I’ve looked at the PCI website and it says the we are compliant...(do I still need to complete the Matrix)?

YES. Answering the SAQ in the PCI Compliance Manager is an annual requirement, from when the merchant account was first created. Because of the confusion in so far as what answers to provide for various questions, the Matrix (unique to YOUR merchant account environment) is a separate and additional requirement which needs to be updated each time the existing Merchant environment changes. 

It also states that our type is SAQ type A so I’m not sure if any action needs to be taken at this time or not?

Regardless of the SAQ type, ALL campus merchants should have a completed Matrix on file to illustrate how the cardholder environment is set up. If your department only uses a card reader, list that along with a short description of the implementation. Examples could be:

  1. Responses to most of the questions in the Matrix (as with the SAQ - for SAQ A's) will be N/A or Not Applicable.
  2. What department staff have access to and or involved (roles and responsibilities)?
  3. Who manages the devices used in the cardholder environment - updates, patching etc - vendor or IT Staff?

Who are my local IT Support Staff?

These are usually the Network Security Contacts (NSCs) associated with each department in each campus building. IT support staff are the staff that could have a hand in architecting, managing and maintaining your e-commerce environment.

On the academic side of campus support staff could be one of the ITS-Extended Support staff. Information on group coverage can be found here: https://its.uiowa.edu/support/article/2697.

UIHC managed departments/ merchants can work with the HCIS TSI Vendor Systems group contacted via the HCIS Help Desk (319) 356 001, E-mail helpdesk-hcis@uiowa.edu or through ESC (Cherwell)