UM System

Merchant Manual Instructions

SAQ A merchant manual

Section 1 – Departmental Merchant Agreement

Section 2 – Annual PCI Self-Assessment Questionnaire

Section 3 – Cardholder Data Flow Diagram

Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment

Section 5 – Third-Party Service Providers Documentation

Section 6 - PAN Scan Results

Section 7 – Training log

 

SAQ A Merchant Manual Yearly Upkeep Steps
  1. Review your policies and procedures annually and indicate the review took place on your "Revision History" of you policies.
  2. Distribute the new policies to your staff and have them complete the Annual Policy Acknowledgement.
  3. Complete and sign the SAQ A annually.
  4. Make sure 3rd party documentation is updated annually.
  5. Make sure to have a new PAN scan performed annually. 
  6. Enroll staff, complete the annual online security training, and update your training log.

 

SAQ B merchant manual

Section 1 – Departmental Merchant Agreement

Section 2 – Annual PCI Self-Assessment Questionnaire

Section 3 – Cardholder Data Flow Diagram (use the data flow from the Operational policies and procedures)

Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment

Section 5 – Third-Party Service Providers Documentation

Section 6 – PAN Scan Results

Section 7 – Terminal Security Section

              Capture Device Inventory Log

              Cellular Terminal Log

              Capture Device Periodic Inspection Procedures

              Capture Device Periodic Inspection Log

              Skimming/Tampering Training

Section 8 – Training log

 

SAQ B Merchant Manual Yearly Upkeep Steps
  1. Review your policies and procedures annually and indicate the review took place on your "Revision History" of you policies.
  2. Distribute the new policies to your staff and have them complete the Annual Policy Acknowledgement.
  3. Complete and sign the SAQ B annually.
  4. Make sure your 3rd party documentation is updated annually.
  5. Make sure to have a new PAN scan performed annually.
  6. Enroll staff, complete the annual online security training, and update your training log.
  7. Perform your periodic physical inspections of your terminal(s).

 

SAQ C-VT merchant manual

Section 1 – Departmental Merchant Agreement

Section 2 – Annual PCI Self-Assessment Questionnaire

Section 3 – Cardholder Data Flow Diagram (use the data flow from the Operational policies and procedures)

Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment

Section 5 – Third-Party Service Providers Documentation

Section 6 – PAN Scan Results

Section 7 – Training log

Section 8 - Configuration Guide for in scope systems (Firewall, Workstations, Etc.) 

Section 9 - Firewall Rules with business justification for all allowances

Section 10 - Network Diagram

Section 11 - Configuration Diagram

 

SAQ C-VT Merchant Manual Yearly Upkeep Steps
  1. Review your policies and procedures annually and indicate the review took place on your "Revision History" of you policies.
  2. Distribute the new policies to your staff and have them complete the Annual Policy Acknowledgement.
  3. Complete and sign the SAQ C-VT annually.
  4. Make sure your 3rd party documentation is updated annually.
  5. Make sure to have a new PAN scan performed annually.
  6. Enroll staff, complete the annual online security training, and update your training log.
  7. Review your configuration guide annually.
  8. Review your firewall rules every 6 months.
  9. Review your network and configuration diagrams annually.
  10. Make sure your Anti-Virus is current and performing scans.
  11. Make sure Anti-Virus audit logs are retained for at least 1 year with the last 3 months readily available. 
  12. Make sure all critical patches are applied to in scope systems within 30 days of release.
 
SAQ C merchant manual

Section 1 – Departmental Merchant Agreement

Section 2 – Annual PCI Self-Assessment Questionnaire

Section 3 – Cardholder Data Flow Diagram (use the data flow from the Operational policies and procedures)

Section 4 – Department Policies and Procedures and Annual Policy Acknowledgment

Section 5 – Third-Party Service Providers Documentation

Section 6 – PAN Scan Results

Section 7 – Terminal Security Section

              Capture Device Inventory Log

              Cellular Terminal Log

              Capture Device Periodic Inspection Procedures

              Capture Device Periodic Inspection Log

              Skimming/Tampering Training

Section 8 – Rogue Wireless Scan

              Rogue Wireless Scan Procedures

              Rogue Wireless Scan Log

Section 9 – Training log

Section 10 - Configuration Guide for in scope systems (Firewall, Workstations, webserver, etc.) 

Section 11 - Firewall Rules with business justification for all allowances

Section 12 – Quarterly internal vulnerability scans

Section 13 – Annual segmentation testing results

Section 14 - Significant Change Checklists

Section 15 - Network Diagram

Section 16 - Configuration Diagram

 

SAQ C Merchant Manual Yearly Upkeep Steps
  1. Review your policies and procedures annually and indicate the review took place on your "Revision History" of you policies.
  2. Distribute the new policies to your staff and have them complete the Annual Policy Acknowledgement.
  3. Complete and sign the SAQ C annually.
  4. Make sure your 3rd party documentation is updated annually.
  5. Make sure to have a new PAN scan performed annually.
  6. Enroll staff, complete the annual online security training, and update your training log.
  7. Perform your periodic physical inspections of your terminal(s).
  8. Perform your periodic physical inspections for rogue wireless devices.
  9. Perform quarterly internal vulnerability scans.
  10. Perform annual segmentation penetration testing (NMAP).
  11. Review your configuration guide annually.
  12. Review your firewall rules every 6 months.
  13. Review your network and configuration diagrams annually.
  14. Make sure your Anti-Virus is current and performing scans.
  15. Make sure Anti-Virus and event audit logs are retained for at least 1 year with the last 3 months readily available.
  16. Make sure all critical patches are applied to in scope systems within 30 days of release.
  17. Make sure and follow the Significant Change Checklist
    1. these are all examples of when the significant change checklist must be used
      1. Changes to network devices such as firewalls, routers, switches, servers, that are in the CDE.
      2. Changes to payment applications or major code upgrades to payment applications in production.
      3. Upgrades or changes in operating systems versions or vendors.
      4. Critical security patching of operating systems or applications as classified by operating systems vendor.
      5. network changes including IP address, VLAN, or changes to network topography.
      6. Hardware/card swipe changes to the CDE.

Reviewed 2019-08-05