PCI DSS Self-Assessment Questionnaire
Directive Statement
All merchant locations or units that store, process, or transmit cardholder data must perform an annual self-assessment in partnership with Merchant Services.
Reason for Directive
Credit card merchants at the University of Florida are required to follow strict procedures to protect customers’ credit card data and maximize compliance with the PCI DSS. Failure to protect such information may result in financial loss for customers, suspension of credit card processing privileges, fines imposed on credit card merchants and damage to the University’s reputation.
Who Must Comply?
All University departments whose personnel store, process or transmit cardholder information. This also applies to units that outsource the processing of payment card information to third party vendors.
Overview
The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS. All University of Florida campus merchants are required to complete a SAQ every year. There are multiple versions of the SAQ to meet various scenarios.
| SAQ | Description |
|---|---|
| A | Card-not-present (e-commerce or mail/telephone-order) merchants, that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service provider, with no electronic storage, processing or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels |
| A-EP | E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic data storage, processing or transmission of cardholder data on merchant’s systems or premises. Applicable only to e-commerce channels |
| B | Merchants using only:
Not applicable to e-commerce channels |
| B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor with no electronic cardholder data storage. Not applicable to e-commerce channels |
| C-VT | Merchants who manually enter a single transaction at a time via a keyboard into an internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels |
| C | Merchants with payment application systems connected to the internet – no electronic cardholder data storage Not applicable to e-commerce channels |
| D | SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types
SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ |
| P2PE | Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed Point-to-Point Encryption (PP2E) solution, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
The PCI Security Standards Council provides the SAQ Instruction Guide to assist in completing the annual SAQ.
Last Reviewed
Last reviewed on 03/20/2024
Resources
Annual SAQ Instructions and Guidelines
PCI Security Standards Council
Training
TRM200 – Explaining UF Cash/Check Controls
TRM125 – Payment Card Security Awareness Training
Contacts
Banking & Merchant Services: (352) 392-9057
Treasury-creditcards@ad.ufl.edu