Your unit is required to take the following actions by the date your current SAQ expires:
- Annual Security Awareness Education Training available through CU Learn (culearn.cornell.edu) or you can register by clicking here.
- “CASH 200 - PCI DSS Training FY 2025” (for any staff member who handles credit card transactions and for any individual who supervises staff handling credit card transactions)
- There are three separate sections and an exam in this course.
- Remember to allow Pop-ups
- Instructions are on the first page of the training – ensure your volume is on
- If the training session is freezing up, please take the following steps before contacting IT support:
- Please make sure you do not try and move forward or nudge the player bar forward at any time or it will fail. You must play 100% of the content and answer the questions with a passing grade.
- Use Chrome, Firefox or Safari. Edge does not work well in CULearn.
- Self-Assessment Questionnaire (SAQ)
If you are processing payments exclusively on CardConnect MIDs opened through Arrow Payments, please wait until a representative from Arrow reaches out to schedule an appointment to complete the SAQ with you. Arrow will reach out to the contact listed in the MID application; therefore, if you provided a group email address, please ensure you are monitoring that email account for Arrow’s email.
At this point, your department should be completing an SAQ A for a fully outsourced eCommerce page and/or an SAQ P2PE for in-person/phone/etc. payments that require processing through a point-to-point encrypted (P2PE) device. If you do not feel your environment meets either SAQ, please contact pci-help@cornell.edu.
- Proof of Compliance for Third-Party Vendors (If applicable)
You must obtain a formal attestation of PCI compliance from any third-party vendor you use for processing payment card transactions. Each attestation is for a specific period of time and must be dated within the past twelve months.
Acceptable proof of compliance includes:
- an SAQ D-Service Provider Attestation of Compliance (AOC) signed by a company executive (if the vendor handles 300,000 Visa transactions or less);
- an AOC of a Report on Compliance (ROC) that was conducted by a QSA firm (if the vendor handles more than 300,000 Visa transactions)
- References to any other documentation (e.g., Visa service provider registry, etc.) will no longer be accepted. If your service provider refuses to provide either document above, an alternative solution will need to be put into place as soon as possible.
If you are using a third-party vendor for payment card processing and cannot obtain formal proof of compliance from the vendor, please contact the PCI compliance team immediately at pci-help@cornell.edu
All three of the above steps must be completed, and the following documents must be uploaded directly to your respective Box folders no later than one year after your last SAQ. If you are not sure how to access your folder(s), please email pci-help@cornell.edu.
For all SAQ types:
☐ Completed SAQ printed to PDF, including signed part 3b of SAQ
☐ PCI training attestation signed by department fiscal officer
☐ List of applicable MIDs and the equipment/software used with each MID
☐ Payment process diagram for each MID (can list multiple MIDs on one diagram, if they all process the
same way)
☐ PCI Compliance Program document
Note: If the items above, and the applicable items below, are not directly in this document, there should at least be links to these items within the document
Additional SAQ Documentation
For SAQ P2PE:
☐ Tamper logs
For SAQ A:
☐ Agreements with third party vendors*
☐ AOCs for all service providers (SPs)*
☐ List from SPs noting that the services they’re providing Cornell are PCI compliant*
☐ PCI responsibility matrix (completed by SP)*
☐ Passing quarterly ASV scans - ONLY for situations where a link on a Cornell-hosted website is sending people directly to a payment page, or the payment page is in an iFrame on the Cornell site
*Not needed for merchants that only have CardConnect hosted payment pages
Box folder structure
Each merchant will have SAQ folders that sit inside a larger departmental folder. You can place the training attestation and the PCI compliance program document in the larger folder, since these two items should cover all of the MIDs in your department. All other documentation should be uploaded to the appropriate SAQ Box folders.
Should you have any questions, please contact us at pci-help@cornell.edu.