2026 PCI Compliance Certification for Departments that Accept Credit Cards

Deadline: June 30, 2026

If your department accepts credit card payments, you must complete annual PCI Compliance Certification. This requirement helps ensure that cardholder data is handled safely and securely. If certification is not completed by June 30, 2026, your department may temporarily lose the ability to accept credit card payments.

Who Must Complete PCI Compliance Certification

This process applies to departments that are credit card merchants.

A credit card merchant is a department that accepts credit or debit card payments, such as through:

  • Online payment pages or ecommerce sites (SAQ-A)
  • Point-to-Point Encryption Devices such as card readers (SAQ-P2PE)
  • Stand-alone terminals such as parking meters (SAQ-B)

Departments that accept card payments must complete PCI Compliance Certification each year.  

PCI Compliance Certification Requirements

To complete PCI Compliance Certification, departments must:  

  1. Ensure appropriate staff complete PCI Awareness 2026 Training
  2. Complete the Self-Assessment Questionnaire (SAQ)
  3. Upload required supporting documentation to the CampusGuard Portal
  4. Sign the Merchant Agreement and Harvard Attestation Form (via Adobe Acrobat Sign)

How to Complete Your PCI Compliance Certification

All required documentation must be completed, fully signed, and submitted by June 30, 2026. Follow the step-by-step guide for detailed instructions.

Onsite Assessment (New in 2026)

Harvard University has been designated as a Level 2 organization for PCI compliance. As a result, a subset of merchants will be selected each year for onsite assessments as part of the annual compliance process.  

Note: All merchants may be required to respond to follow-up questions or provide additional information as part of ongoing PCI compliance activities, even if not selected for an onsite assessment. 

2026 Onsite Assessments

Merchants selected for 2026 onsite assessments were notified in March 2026. If you did not receive a notification, your merchant account was not selected for an onsite assessment this year 

Harvard PCI Compliance Program

The PCI Compliance Program is managed jointly by Office of Treasury Management (OTM), Risk Management and Audit Services (RMAS), and Information Security and Data Privacy (ISDP).

  • OTM leads policy and business process questions
  • RMAS conducts periodic compliance reviews
  • ISDP handles technical compliance

For assistance during the certification process, contact pci_compliance@harvard.edu

Office Hours

Office hours will be held every Wednesday from 12:00-1:00 pm, starting May 6, 2026, and continuing through June 24, 2026.