PCI DSS Assessment

The Governance, Risk and Compliance (GRC) Team conducts an assessment once a year to report PCI Compliance. To accomplish this, an attestation form is filled out for each GT Unit with one or more Merchant IDs (MIDs). A copy of the template for our attestation form is below:

PCI-DSS Attestation Form

Our process is as follows:

  • The GRC Team will send an email in February to all owners of one or more Merchant IDs (MIDs) to schedule a time to have an assessment meeting.
    • When a time is agreed upon, the GRC Team will send a meeting request.
  • The meeting will be a discussion of how credit cards are processed at the GT Unit in question. As part of the discussion, the following will occur:
    • GT Unit provides a list of users that process Cardholder Data so that the GRC team can confirm they have completed the necessary PCI DSS training.
    • GRC Team will interview the GT Unit to confirm the flow of Cardholder Data from the beginning to the end of a transaction:
      • Card-Present Transactions
      • Card-Not-Present Transactions
      • Web Transactions
    • Finally, the GRC Team will confirm the system inventory provided by the Senior Director - Bursar & Treasury Services and the Treasury Analyst Sr.
  • If any remediation is needed, the GRC Team will work with the Primary Point of Contact to formulate a plan to resolve the issues.
  • Once everything with the GT Unit is in order, the Attestation Form will be sent to the Primary Point of Contact for signature.

If you have any questions or concerns about this process, please email compliance@security.gatech.edu.