Your Bank Has Requested the College’s Attestation of Compliance…Now What?


If you have a Merchant ID and accept payment cards at your institution, you are subject to the Payment Card Industry Data Security Standard (or PCI DSS). When your students make a payment, they are trusting you to protect their payment card information. If your campus were to have a breach, not only would you face significant costs and fines, you could greatly damage your reputation and brand.

Are you attesting your PCI compliance annually? If you aren’t, you probably want to start thinking about it. Many colleges and universities have recently received letters from their acquiring banks requesting an Attestation of Compliance (AOC) to verify they are meeting their PCI requirements. Failure to comply can result in significant fines, or you may even forfeit your ability to accept credit cards.

If you are new to the PCI world, this type of letter can create panic across your organization. Which department is responsible for PCI? What do we do now?

Below are the 5 Steps CampusGuard recommends you take first:

  1. Confirm Your Merchant Level

    Based on the number of transactions you process annually, you are assigned a merchant level that dictates how stringent your compliance program must be. Most colleges and universities are considered Level 3 or 4 merchants, processing fewer than 1 million transactions per year. As a Level 3 or 4 merchant, you are able to complete a Self-Assessment Questionnaire, or SAQ. You may also need to submit quarterly external vulnerability scans.

  2. Determine What You Need to Submit to your Bank

    Once you have defined your merchant level, you need to determine which SAQ is appropriate for your organization. This will depend on how you are processing, storing or transmitting cardholder data. Do you electronically store cardholder information? Do you take payments online? Do your cashiers take payments over the phone? All of these questions are important and will help you select the appropriate set of requirements. Once you have determined the appropriate SAQ, begin familiarizing yourself with the Standard’s requirements.

  3. Assess Your Environment

    Identify all technology and process vulnerabilities that could pose a risk to your cardholder data. You will want to start by making a list of all merchants handling cardholder information and then gathering an inventory of all Point of Sale devices, web applications, servers, networks, etc. that are either involved in the processing, storing, or transmitting of cardholder information, or that can affect the security of those environments.

  4. Determine the Flow of Payment Card Data

    Research how card data flows across campus – from the point of sale to the end of the transaction. Work with your IT department to create network diagrams detailing this data flow.

  5. Hire a PCI validated QSA (Qualified Services Assessor)

    QSAs have intense training to understand everything about the PCI DSS and data security in general. Partnering with a QSA can help jumpstart your PCI compliance efforts and assist your team in finding the gaps between the present status of your operations and the requirements of the PCI DSS. A QSA can make sure you are properly defining your network and making key scoping decisions, analyze and assess all merchant departments, identify potential vulnerabilities and help create a comprehensive remediation plan. Utilizing a QSA can seem more expensive, but they will help your institution get compliant fast in a way that is cost effective and even improves your underlying business processes. Most banks will also acknowledge that you are taking the appropriate steps towards remediation and extend your deadline for attesting full compliance once they know you have hired a QSA.

PCI is not a simple process; you can’t just check the boxes and move on. Getting compliant can be difficult, but if you take it one element at a time, you will see progress and eventually it will become business as usual. Remember, you’re not only protecting information, but your students, your employees, and your brand. The longer you wait, the longer your campus could be vulnerable.


About the Author
Katie Johnson

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.