Q. Who is responsible for ensuring that all CCSP related documentation is filled out?

A. The account owner is the primary contact for the CCSP Office. Although other personnel and resources might be necessary to complete some of the assessments that the department receives from the CCSP Office, it is typically the account owner's responsibility to coordinate those resources so that the assessments are submitted in a timely manner.

Q. When are my assessments due?

A. Assessments are due once per year. The exact timing depends on your department. The CCSP Office will always send a reminder email at least one month in advance of the assessment due date. Contact the CCSP Office for details about your assessment schedules.

Q. Where can I find the CCSP training material mentioned in the Business Process Assessment?

A. https://login.sans.org/

Q. Who needs to complete the CCSP Online Training?

A. Account contacts, including the account owner, IT contact, and business manager, as well as any employee who has access to cardholder data, must complete the online training. Each individual must complete the training at least once per year.

Q. What CCSP training modules apply to my merchant account?

A. The training modules are not merchant account specific. Rather, they are job position specific. For example, if your merchant account is tied to a card-swipe terminal, then the account owner would take the account owner training, while other "cashiers" would take the training module specific to card-swipe terminals. The account owner training encompasses everything in the three other training modules since the account owner needs to be familiar with all card processing policies and procedures.

Q. Who must sign the Policy Attestation Form?

A. The Account Owner, IT Contact, and Business Managers must sign the form. Additionally, anyone else who may come into contact with credit card information within your department also needs to review the policies and sign the form.

Q. What are the requirements for using a Virtual Terminal?

A. If a merchant elects to use a virtual terminal, they must first submit the request to the CCSP Office. Once approved, the virtual terminals must be implemented and configured in accordance with CCSP requirements. This includes using predefined CCSP desktop images and GPOs, connecting to the specified CCSP Network, and installing ePO and Tripwire reporting tools to facilitate the assessment of these systems. The department's IT Contact must ensure that virtual terminals are properly configured and reporting to the CCSP's centralized reporting tools.

Q. What CCSP/PCI requirements apply to prospective university vendors and service providers?

A. All university service providers must be validated as either a Level 1 or Level 2 PCI Compliant service provider. Additionally, the service provider must be willing to state in writing that they will be responsible for the credit card data that they possess on our behalf.

Payment applications must be PA-DSS validated.