Customer Compliance Portal User Guide V2.0

Posted 09-Dec-2021

Page 1: Customer Compliance Portal

Customer Compliance Portal User Guide

V2.0


Copyright 2016 Merchant Preservation Services, LLC. All rights reserved.

CampusGuard®, the Merchant Preservation Services logo, and the CampusGuard logo are registered trademarks of Merchant Preservation Services, LLC.

No part of this document may be reproduced or transmitted without the express written permission of Merchant Preservation Services, LLC.

Information represented in this document is subject to development and change without notice.

Document version 2.0
Last revised December 15, 2016


Contents

About This Guide
  Introduction
  Quick Reference
  Validation of Compliance
Basic Portal Features
  Log On
  User Roles
  Navigation
  User Profile
  Portal Navigation
  User Dashboard
SAQ Features, Navigation, and Instructions
  SAQ/Form Navigation
  The Icon Legend and Helpful Tools
The SAQ - Questionnaire
  Part 1 and Part 2
  Requirements
  Part 3 and Part 4
Scanning Request
Document Locker
General Documents


About This Guide

This reference guide is designed to help CampusGuard customers navigate the many features of the CampusGuard Customer Compliance Portal. The Customer Compliance Portal is a working tool for customers to manage their PCI DSS compliance initiatives. The intended audience of this guide is merchants, financial administrators, information technology specialists, and other users involved with payment card processing operations.

Introduction

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard created to help businesses, industries, and organizations that accept payment cards do so in a manner that helps prevent fraud. The DSS was created by the five major card brands (Visa, MasterCard, Discover, American Express, and JCB) and applies to all organizations that store, process, or transmit cardholder information. While it is not solely an information security standard, many of its components relate to information security, and the DSS is widely regarded as one of the most prescriptive sets of security requirements in the industry.

Quick Reference

The PCI DSS is comprised of twelve high-level requirements, grouped into six goals: build and maintain a secure network and systems; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy. Because organizations accepting payment cards must validate compliance annually, typically by submitting a Self-Assessment Questionnaire (SAQ) together with its Attestation of Compliance (AOC), CampusGuard has created this portal to assist customers with their compliance reporting responsibilities.


Validation of Compliance

All organizations (both merchants and service providers) must comply with all applicable sections of the PCI DSS. Validation of that compliance is monitored by the acquirer (the bank the merchant has contracted with). Validation is required annually and is documented by the merchant's completion of the prescribed Self-Assessment Questionnaire (SAQ). There are currently nine different SAQs, each representing a specific set of requirements for a particular type of payment environment. It is important to note that even though a merchant or service provider may be eligible to complete a shorter SAQ, they remain responsible for adherence to the entire PCI DSS at all times; a shorter SAQ reduces what must be validated, not what must be complied with.

The CampusGuard Customer Compliance Portal's main functionality is designed to give users a single, secure location where they can administer and review their SAQs, track progress and status, and store all of the documentation required for their annual attestation cycle. Each individual merchant has the ability to complete their own SAQ specific to their payment processes. If the institution is attesting compliance as one overall merchant, the individual SAQs can then be compiled into one comprehensive report for analysis and submission.

The SAQs in the portal are exact copies of those published by the PCI Security Standards Council (SSC), so you can be confident that you are responding to the correct requirements. Because some requirements may be confusing, helpful features are embedded throughout the portal: a help request that goes directly to the CampusGuard team, the ability to comment on each requirement, and reference information.

The Compliance Portal provides several additional features to assist you in your compliance efforts:

- A link to the CampusGuard website for access to news, updates, additional services, and other resources.
- A link to the Payment Card Industry Security Standards Council (PCI SSC) and their reference materials.
- A General Documents area for customer-only access to CampusGuard policy and procedure templates, user guides, news updates, alerts, and other information. This User Guide is an example of what resides in the General Documents area.
- A Document Locker for the secure storage of all network drawings and documents related to the SAQs. Documents can be added to the Document Locker directly from an SAQ when additional information is required.
- A form to request external vulnerability scans of the web applications and network resources involved in the payment process.


Basic Portal Features

Log On

To log on, visit the CampusGuard main website (https://www.campusguard.com). In the upper right there is a Log On link.

Click this link and you will be directed to the portal login page.

Log in with your user name (typically your email address) and password. Upon login you will be redirected to your home page within the portal.

Note: If your organization is a member of the InCommon Federation, you may be set up to take advantage of single sign-on (SSO). Specifically, your IT organization may have worked with the CampusGuard team to have your institutional network ID used as your CampusGuard Compliance Portal login.

To log on with SSO, open your browser and navigate to www.campusguard.com/loginsso.


The browser will first take you to the InCommon page, where you select your institution from the drop-down menu. To have the system keep this setting, select either "Remember my selection for this session only" or "Remember my selection permanently".

Click NEXT and you will arrive at your institution's login page (for example, a Central Authentication Service (CAS) page). Enter the username and password used within your organization. You will then be taken directly into the CampusGuard Portal. As long as you keep that browser session open, you will not need to log in again for 8 hours. Because the session persists that long, close the browser when you leave a shared or unattended machine.


User Roles

There are two roles available for customers in the portal:

Org Admin: An administrator who needs overarching access to and oversight of the organization's entire merchant base. This role has visibility across all merchant SAQs and their included documentation, so assign it only to staff who genuinely need organization-wide access.

User: An individual responsible for one or more specific merchant areas. This role can only access the questionnaires and associated documents of the merchants assigned to it. A User may be assigned to one or multiple merchants within the portal.

Navigation

In the left frame you will find the User Menu. From here you can access the different areas of the portal that you are authorized to use, return to the Home Page, or edit your Profile information. Across the top is a navigation menu with links to the portal's additional features.

User Profile

Selecting the "Your Profile" link allows you to edit your contact information and change your password.

The password must be a minimum of seven characters in length and contain upper- and lower-case letters and at least one number or special character. These are the portal's minimums; a longer password is stronger and is recommended. If you are updating your password, look for the confirmation message of a successful update at the top of the screen. If you do not get confirmation, your new password was not accepted and you will need to choose another password that conforms to the system's requirements.

Note: Users with InCommon/SSO access should NOT change their password.


Portal Navigation

The top menu provides links to the different features within the portal.

- CampusGuard Home – Direct link to the CampusGuard public website.
- Portal Home – Return to the user dashboard/home page on the portal.
- Scanning Request – Form used for requesting external vulnerability scans of your web applications or network resources.
- Document Locker – Secured folder that can be used to upload network drawings and/or documentation that support compliance objectives.
- General Documents – Read-only area used by CampusGuard to distribute common documents and resources to all users of the portal.
- Help – Create an email to the CampusGuard team or navigate to the PCI Council website.


User Dashboard

Users have access only to the specific merchant or merchants they have been assigned. Upon login, verify that your assigned merchants look correct, and report any discrepancy to your Org Admin. To begin, select an SAQ or continue an SAQ in progress by clicking the Start/Continue button located under the Merchant ID. This button will direct you to the first page of the selected SAQ.

From the user home page you can also view a group of questions by their response setting (Yes, No, Don't Know, N/A, Not Answered, and Compensating Control) by clicking the respective hyperlinks in the pie chart that appears for each SAQ. For example, if you had previously attempted to complete your SAQ but were uncertain on a number of requirements and had answered "Don't Know", you can easily navigate to those questions by clicking the gray Don't Know hyperlink.

If you are an Org Admin, you will have a comprehensive view of the organization's SAQ status on the home page. You will also have a drop-down menu where you can select a specific merchant or choose View All.


SAQ Features, Navigation, and Instructions

SAQ/Form Navigation

Clicking the Start/Continue button opens the assigned questionnaire. The navigation frame appears on the left, replacing the User Menu. This frame provides statistical information about the SAQ/AOC:

- Total sections – Number of sections within the SAQ.
- Entry Requirements – Number of requirement questions to be answered.
- Entry Requirement Progress – A status bar showing the percentage of requirements that have been answered. NOTE: the fields in Parts 1, 2, 3, and 4 are not included in this tally.
- SAQ pages – Quick links to the specific pages of the SAQ/AOC.

Users may access any section and/or question at any time once they are within their selected SAQ/AOC. However, remember to SAVE using the button at the bottom of each page before navigating away from a page; otherwise the answers entered on that page are not retained.

The Icon Legend and Helpful Tools

Throughout the SAQ there are helpful tools to assist you in its completion. These tools are denoted by icons.

Add Comments

Clicking this icon opens a box for supplementary information about an answer to a requirement within the SAQ. You may add up to 255 characters of text to include additional details or clarification. It can also be used as a placeholder to remind you to come back to a question; for example, you might add a comment saying "Need more information" so you can return to it later. Type your comment and click OK. All comments added in this box can be printed with the questionnaire.


Change Comments

If the comments icon is green, a comment has been saved for this question. Clicking the icon allows you to review, edit, or delete the comment (again up to 255 characters). Removing the text from this box and selecting "OK" returns the comments icon to red.

Upload Documents

This icon opens a new window that lets you browse your system files and upload a document associated with the requirement you are on. Although files of any type can be uploaded, it is recommended that all attached documents be saved in PDF format.

To use this feature:

1. Select the icon on the specific question that pertains to the document being uploaded.
2. Click the "Browse" button and navigate to the location on your system where the document resides.
3. Select the document and click "Upload File".

The document is then uploaded and saved to the secure CampusGuard Document Locker. You can view uploaded documents by selecting the "Document Locker" tab in the navigation menu.

Ask CampusGuard a Question

Clicking the question icon opens a pop-up window that lets you send an email directly to CampusGuard staff.

The email subject is auto-populated with the question number. Enter your question or comments and click Send. A CampusGuard team member will respond as quickly as possible. If you are unsure what a specific requirement is asking or whether it applies to your environment, do not hesitate to use this feature. Your Org Admin or PCI team may also receive a copy of the question so they can provide assistance as needed.


The SAQ - Questionnaire

The primary function of the CampusGuard Compliance Portal is to facilitate the management of all merchant Self-Assessment Questionnaires (SAQs) for an institution. Specific SAQs are assigned to each merchant ID as required by the acquirer (bank).

It is not necessary to complete the SAQ all at once. The SAQ can also be used as a working document to manage your progress towards compliance.

As a user you will only see those SAQs that have been assigned to you. To begin, select the gray Start button at the top left of the pie chart graphic.

Be sure to save your work by clicking the Save/Next Page button at the bottom of each page. You can also print your SAQ by clicking the Printable Version link at the top of the page.

Part 1 and Part 2

Part 1a. Merchant Organization Information

Complete this section with the contact information for the merchant area/department:

- Company Name – Your institution's official name
- DBA(s) – Department that is using this Merchant ID Number (MID)
- Contact Information – Primary contact for this merchant


Part 1b. Qualified Security Assessor Company Information

Since you have contracted with CampusGuard for consulting services, use the CampusGuard QSA company information supplied by CampusGuard (shown as an image in this section of the printed guide) to complete this section.

Part 2a. Type of Merchant Business

What type of payment channels does this merchant serve? Select the payment channels that the merchant provides. Since the payment channels of college and university clients vary widely, we suggest the following:

- Select "Others"
- For "Please Specify", type in Higher Education

Part 2b. Description of Payment Card Business

Enter a short description of how this merchant stores, processes, or transmits cardholder data. Provide a high-level overview of how cardholder data flows within your business and any third-party involvement. For example: "Customer visits our website, chooses a product to purchase, and is redirected to Authorize.Net for payment. The customer inputs their payment information, and the success or failure of the transaction is reported back to our server, along with a record of the item purchased and cardholder name." It is also useful to note "we do not store cardholder data at this time" or "we use PTS-approved swipe terminals" if applicable.

Part 2c. Locations

List the type of facility, the number of facilities similar in structure and business process, and the locations of each facility. List only those locations that apply to this merchant. For example, the Dining Services SAQ may cover two types of outlets, on-campus dining halls and remote food carts. Each type would be listed on a separate line.

Part 2d. Payment Application

Does the merchant use one or more payment applications? A payment application is a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the application is off-the-shelf software installed on the merchant's premises. PA-DSS does NOT apply to custom software created just for the merchant, or to software hosted by a PCI-validated third-party service provider that maintains the payment application. If yes, list the application(s) used for payment processing, including the version number and the application vendor.

The PCI SSC website (Validated Payment Applications list) can be used to determine whether a payment application is validated for use. Validation is specific to an application version, so confirm that the exact version you run is the one listed.


Part 2e. Description of Environment

Provide a high-level description of the cardholder data environment (CDE). Include critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.

You will also be asked to indicate whether your organization uses network segmentation to affect the scope of your PCI DSS environment. Network segmentation refers to the physical or logical separation between devices that handle cardholder data (CHD) and are in PCI scope from those that do not handle CHD and are not in scope. If there are any additional firewalls, routers, virtual or other systems in place that restrict network traffic to or from the systems within the merchant area (traffic that is otherwise allowed on the network), answer "Yes". If there are no systems in place that restrict traffic flows between the merchant area and the remainder of the campus network, answer "No". Note that answering "Yes" asserts that the segmentation controls exist; PCI DSS also requires that they be verified as effective (segmentation penetration testing under Requirement 11.3.4 in PCI DSS v3.2), so be prepared to document how the restriction was tested.
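The segmentation question comes down to whether any control denies traffic between the merchant area and the rest of the campus. The following Python script is an added example, not part of the CampusGuard guide or portal: it evaluates a constructed first-match ACL (the networks, rules and flows are assumptions, not a real campus) against a set of campus-to-CDE flows, answers "Yes" if any of them is blocked, and lists the flows that are still permitted, which are the ones a segmentation test must document and justify.

```python
"""Model of the Part 2e network segmentation question.

Added example; not part of the CampusGuard guide or portal. The address plan,
ACL rules and sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed address plan (assumption): one CDE VLAN inside the campus range.
CDE_NETS = [ip_network("10.20.30.0/24")]
CAMPUS_NETS = [ip_network("10.0.0.0/8")]

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port


def first_match(rules: List[Rule], src: IPv4Address, dst: IPv4Address,
                dport: int, default: str) -> str:
    """First-match ACL evaluation; `default` is the implicit final rule."""
    for r in rules:
        if src in r.src and dst in r.dst and r.dport in (None, dport):
            return r.action
    return default


def crosses_into_cde(src: IPv4Address, dst: IPv4Address) -> bool:
    """True for traffic from a non-CDE campus host to a CDE host."""
    def in_cde(a): return any(a in n for n in CDE_NETS)
    def on_campus(a): return any(a in n for n in CAMPUS_NETS)
    return on_campus(src) and not in_cde(src) and in_cde(dst)


def evaluate(rules: List[Rule], flows: List[Flow], default: str = "permit") -> Dict:
    """Return the Part 2e answer plus the campus->CDE flows still permitted.

    "Yes" means at least one campus->CDE flow is denied, i.e. something
    restricts traffic that the campus network would otherwise allow.
    """
    restricted = False
    permitted: List[Flow] = []
    for src_s, dst_s, port in flows:
        src, dst = ip_address(src_s), ip_address(dst_s)
        if not crosses_into_cde(src, dst):
            continue  # intra-CDE or CDE-egress flows are not this question
        if first_match(rules, src, dst, port, default) == "deny":
            restricted = True
        else:
            permitted.append((src_s, dst_s, port))
    return {"part_2e_answer": "Yes" if restricted else "No",
            "permitted_campus_to_cde": permitted}


# Constructed rule set (assumption): an admin subnet may reach the CDE over
# HTTPS, the rest of campus is blocked. With no explicit rules at all the
# implicit default (permit) applies and the answer becomes "No".
RULES = [
    Rule("permit", ip_network("10.0.5.0/24"), ip_network("10.20.30.0/24"), 443),
    Rule("deny", ip_network("10.0.0.0/8"), ip_network("10.20.30.0/24"), None),
]

# Constructed flows, as they might appear in a segmentation test plan.
FLOWS: List[Flow] = [
    ("10.0.5.10", "10.20.30.5", 443),    # admin host -> CDE web server (allowed)
    ("10.0.5.10", "10.20.30.5", 22),     # admin host -> CDE SSH (blocked)
    ("10.7.1.20", "10.20.30.5", 443),    # residence network -> CDE (blocked)
    ("10.20.30.5", "10.20.30.6", 1433),  # intra-CDE, not a boundary crossing
]

if __name__ == "__main__":
    report = evaluate(RULES, FLOWS)
    print("Part 2e segmentation answer:", report["part_2e_answer"])
    for flow in report["permitted_campus_to_cde"]:
        print("still permitted into the CDE, document and justify:", flow)
```

Run the same evaluation against an export of your own firewall rules and the flow list from your segmentation test plan. A "Yes" with an empty permitted list is a fully segmented merchant area; a "No" (nothing denied, implicit permit) is exactly the case the guide describes, and every entry in the permitted list is a connected system that belongs in the scope description above.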


Part 2f. Third-Party Service Providers

Third-party service providers are vendors that provide systems or services that store, process, or transmit cardholder data on the merchant's behalf (e.g., Authorize.Net, CyberSource, PayPal), or companies with whom CHD is shared for any purpose to support merchant payment processes. If cardholder data is shared with any third party, whether for payment processing or other services, you must answer "Yes" and provide the name of the vendor and the service they provide.

Part 2g. Eligibility to Complete AOC SAQ

All merchants MUST comply with the full PCI DSS; however, each SAQ focuses on the requirements of a specific payment channel. The merchant must be able to confirm that all statements listed here are accurate for their merchant area; if any statement does not hold, this SAQ is not the right one for the merchant area.


Requirements

This is the section of the SAQ that varies depending on the questionnaire you are answering. Since each questionnaire addresses different parts of the PCI DSS and includes different questions, this guide does not detail how to answer each question. However, we encourage you to use the "?" icon to request help from the CampusGuard team if you have questions or need assistance with a specific requirement.

Remember, to be fully PCI compliant all answers must be Yes, Not Applicable, or (with Security Advisor approval) Compensating Control.


Part 3 and Part 4

Part 3. PCI DSS Validation

Check the status box to indicate the compliance or non-compliance of this Merchant ID.

Check Compliant if:
- All sections of the SAQ/AOC are complete, and
- All questions are answered affirmatively ("YES" or "N/A"), resulting in an overall COMPLIANT rating.

Check Non-Compliant if:
- Not all sections of the SAQ/AOC are complete, or
- Not all questions are answered "YES" or "N/A".

NOTE: If checking Non-Compliant, the merchant manager will be required to complete the Action Plan in Part 4 of this document and enter a Target Date for Compliance. In this case the merchant manager should consult with the University PCI Administrator/Liaison for additional guidance.

Part 3a. Acknowledgement of Status

The merchant manager should be able to confirm the listed statements and check all boxes that apply. To be compliant, all boxes must be selected.

Part 3b. Merchant Attestation

Have the responsible Executive Officer complete and sign this section. Note: this section verifies the compliance status being asserted, and the Executive Officer personally attests to the accuracy of the SAQ. Be VERY sure that you have accurately answered all requirements in all sections of the SAQ before this section is signed.


Part 3c. QSA Acknowledgement (if applicable)

It is not necessary to complete Part 3c, but if you would like to include CampusGuard's advisory role in the completed SAQ, work with your CampusGuard CRM to have this section filled in.

Part 3d. ISA Involvement (if applicable)

If your organization has an Internal Security Assessor (ISA) on staff and they assisted with the completion of the SAQ, you can include their contact details in this section.

Part 4. Action Plan for Non-Compliant Status

For each section, select Yes or No to describe the CURRENT STATUS; do not answer based on what you plan to do. Answer Yes if the requirement is in place and No if it is not. If No is selected you must add a projected compliance date and comments explaining the plan for remediation and compliance.


Be sure to click the Save button at the end of each section.

Appendix B: Compensating Controls Worksheet

Use this worksheet to define compensating controls for any requirement where you chose "Compensating Controls" as the response.

Compensating controls MUST be approved by your acquiring bank, which will require complete documentation of the compensating control. Only organizations that have undertaken a risk analysis and have legitimate technological or documented business constraints may consider the use of compensating controls to achieve compliance. A compensating control cannot be satisfied by a policy or procedure that already addresses another existing PCI requirement, and it must go above and beyond the requirement it is meant to satisfy. Compensating controls must be re-evaluated annually.

There are very strict requirements for allowing compensating controls; therefore all details need to be documented and submitted to a QSA for approval. Your CampusGuard Security Advisor and CRM will assist you with this process.


Appendix C: Explanation of Non-Applicability

This appendix is used to explain why a question was answered N/A. You must account for every N/A selected throughout the SAQ. Instead of filling in the page in the portal, you can upload a separate document to the Document Locker that follows the same format.
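The rules this guide states for the Entry Requirement Progress bar, the Requirements section, Part 3 and Part 4, and Appendices B and C combine into a simple pre-attestation check. The following Python script is an added example, not code from the CampusGuard guide or portal: it tallies a constructed set of SAQ responses by response setting, computes the progress percentage, derives the Part 3 status, and lists every open item (unanswered or Don't Know questions, N/A without an Appendix C explanation, compensating controls without an approved Appendix B worksheet, and No answers without a Part 4 target date and remediation plan). The question numbers, answers, worksheet and action-plan entries are constructed sample data.

```python
"""Pre-attestation check over an SAQ response set.

Added example, not code from the CampusGuard guide or portal. Applies the
rules stated in the guide: progress counts only Requirement questions; Part 3
is Compliant only when every answer is Yes or N/A (a Compensating Control is
accepted only with an approved Appendix B worksheet); every N/A needs an
Appendix C explanation; every No needs a Part 4 target date and plan.
"""
from collections import Counter
from typing import Dict, List

ANSWERS = ("Yes", "No", "N/A", "Don't Know", "Not Answered", "Compensating Control")
COMPLIANT_ANSWERS = {"Yes", "N/A", "Compensating Control"}


def tally(responses: Dict[str, str]) -> Dict[str, int]:
    """Counts per response setting, as shown in the dashboard pie chart."""
    counts = Counter({a: 0 for a in ANSWERS})
    for q, ans in responses.items():
        if ans not in ANSWERS:
            raise ValueError(f"{q}: unknown response {ans!r}")
        counts[ans] += 1
    return dict(counts)


def progress_percent(responses: Dict[str, str]) -> float:
    """Entry Requirement Progress: share of questions with any recorded answer.
    "Don't Know" counts as answered here (it is a response setting) but is
    still reported as an open item below."""
    if not responses:
        return 0.0
    answered = sum(1 for a in responses.values() if a != "Not Answered")
    return round(100.0 * answered / len(responses), 1)


def open_items(responses: Dict[str, str], na_explanations: Dict[str, str],
               ccws: Dict[str, dict], action_plan: Dict[str, dict]) -> List[str]:
    """Everything that must be resolved before the AOC can be signed."""
    items = []
    for q, ans in sorted(responses.items()):
        if ans in ("Not Answered", "Don't Know"):
            items.append(f"{q}: answer is '{ans}'; resolve before attesting")
        elif ans == "N/A" and not na_explanations.get(q):
            items.append(f"{q}: N/A without an Appendix C explanation")
        elif ans == "Compensating Control" and not ccws.get(q, {}).get("approved"):
            items.append(f"{q}: compensating control without an approved Appendix B worksheet")
        elif ans == "No":
            plan = action_plan.get(q, {})
            if not plan.get("target_date") or not plan.get("remediation"):
                items.append(f"{q}: 'No' without a Part 4 target date and remediation plan")
    return items


def part3_status(responses: Dict[str, str], ccws: Dict[str, dict]) -> str:
    """Compliant only if every answer is Yes, N/A, or an approved compensating control."""
    for q, ans in responses.items():
        if ans not in COMPLIANT_ANSWERS:
            return "Non-Compliant"
        if ans == "Compensating Control" and not ccws.get(q, {}).get("approved"):
            return "Non-Compliant"
    return "Compliant"


def evaluate(responses, na_explanations, ccws, action_plan) -> dict:
    return {
        "tally": tally(responses),
        "progress": progress_percent(responses),
        "status": part3_status(responses, ccws),
        "open_items": open_items(responses, na_explanations, ccws, action_plan),
    }


# Constructed sample data (assumption): ids mimic SAQ question numbering.
RESPONSES = {
    "1.1.2": "Yes",
    "2.1": "N/A",
    "3.4": "Compensating Control",
    "8.2.3": "No",
    "9.9.1": "Don't Know",
    "12.1": "Not Answered",
}
NA_EXPLANATIONS = {"2.1": "No vendor-default accounts; all devices are managed by the processor."}
CCWS = {"3.4": {"approved": False}}          # worksheet drafted, not yet approved
ACTION_PLAN = {"8.2.3": {"target_date": "2017-03-31",
                         "remediation": "Enable password complexity on the POS server."}}

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(RESPONSES, NA_EXPLANATIONS, CCWS, ACTION_PLAN), indent=2))
```

Running the sample yields a Non-Compliant status with three open items (the unapproved worksheet for 3.4, the Don't Know on 9.9.1, and the unanswered 12.1); the No on 8.2.3 is properly covered by its Part 4 entry and the N/A on 2.1 by its explanation, so neither is listed, but the No alone keeps Part 3 at Non-Compliant until it is remediated.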


Scanning Request

Merchants can request external vulnerability scans of their web applications and/or network resources involved in the payment process. Select the "Scanning Request" link on the top navigation menu.

This opens a form for the user to complete. Select either Network Vulnerability Scan or Web Application Scan from the drop-down at the top of the page.

Network Vulnerability Scan – Use this type of scan for all devices in the CDE.

1. Complete the contact information. This is the person CampusGuard will interface with to complete the scans. Organization and Merchant Name will be pre-populated.
2. List all IP addresses of the devices in your CDE that you wish to have scanned. Because the scan is external, list the externally reachable addresses, and only addresses your institution owns or is authorized to have scanned.
3. Complete the date and time you wish the scan to occur (24 hours' advance notice required). Also check the box if you wish to be notified prior to the scan.
4. Send Request. Your request will be submitted and you will receive confirmation from the CampusGuard team.


Web Application Scan – Use this scan for any website involved in the CDE. Even if you use a third party to process your transactions, you should scan the website that contains the link, API, etc. that performs the handoff or redirect to the third party.

1. Complete Contact Information. Organization and Merchant Name will be pre-populated.
2. Select the type of web server platform (only one) and its version.
3. If there is a database associated with this web server, check the box and then add the type of database (Oracle, SQL Server, etc.).
4. If applicable, list the IP address of the web server. If the server supports multiple sites and you only wish to scan one or some of them, leave this field blank and use the URL field.
5. List the URLs to be scanned. This is the URL for the site. The scanner will crawl to any sub-pages within the site unless those pages are listed in the "do not scan" list.
6. List pages that should not be scanned. You may not wish to have some pages scanned that have certain select statements or database functionality. A crawler follows links and submits forms, so exclude (or scan only a test copy of) pages that create records, send email, or otherwise change state. CampusGuard Security Advisors can assist you with this decision.
7. Select the preferred time and date of the scan (24 hours' advance notice required). CampusGuard will confirm receipt of your request and set the scanner to run at the time specified. Depending on the size of the site, the scan may take several hours; plan for this when choosing the time.
8. Select Notification Prior to Scanning. Check this box if you would like to be notified when the scan is about to occur.
9. Send Request. A CampusGuard team member will make contact to discuss the request and set up the scan parameters.


Document Locker

The Document Locker is a secure location to store documents and network drawings that support answers given in the SAQ. The Document Locker is also used to deliver vulnerability scan reports from CampusGuard and to store archived SAQs from previous years.

An example of a document that may be required is in SAQ D, Requirement 1, Question 1.1.2, which specifies a "current network diagram with all connections to cardholder data…". This drawing can be uploaded with that question for future reference. You may use any format for the document, since it is stored exactly as uploaded. For consistency, however, it is recommended that all documents be stored in PDF format, which ensures that printing of the completed questionnaires and associated documents works as expected. Supporting documents should describe the environment, not contain cardholder data; do not upload files that include card numbers.

Selecting the Document Locker tab from the navigation bar opens the Document Locker window. From here it is possible to:

- Show all documents associated with a particular Merchant ID.
- Print archived documents, previous SAQs, and other documents.
- Upload additional documents.

To remove a document from the Document Locker, find its title and click the "X" in the Delete column. The document will be removed from the system.

*It is not possible to recover a document once it has been deleted, so be sure that is the action you wish to take.


General Documents

The General Documents section of the portal contains documents that are of use to all CampusGuard customers. This section is read-only for customers; you cannot upload documents here. CampusGuard reserves this area to distribute resources to the community, including news updates, alerts, guides, templates, and more. Selecting the General Documents tab on the navigation menu reveals all items available for download. Click the link of the document you wish to obtain, and it will download to the location on your computer that you specify.