Step-by-Step Guide for PCI Compliance Certification

Follow these step-by-step instructions to complete the annual PCI Compliance Certification process. All required documentation must be completed, fully signed, and submitted by June 30, 2026.

On This Page

  1. Ensure appropriate staff complete PCI Awareness 2026 Training
  2. Complete the Self-Assessment Questionnaire (SAQ)
  3. Upload required supporting documentation to the CampusGuard Portal
  4. Sign the Merchant Agreement and Harvard Attestation Form (via Adobe Acrobat Sign)

Step 1: Ensure appropriate staff complete PCI Awareness 2026 Training

All merchants must complete PCI Awareness Training 2026 in the Harvard Training Portal by June 30, 2026

Departments must also complete and document local training on their local procedures and policies for everyone involved in accepting credit cards. The local training should be customized based on roles and responsibilities.

Required PCI Awareness 2026 Training

Staff should complete the course that corresponds to their role and payment environment. Please visit the Harvard Training Portal to enroll. 

PCI Awareness 2026 for Cashiers
For front-line staff who process one card payment at a time with no electronic cardholder data storage.
Applicable environments: SAQ P2PE or SAQ B

PCI Awareness 2026 for Ecommerce
For merchants that accept payments through online storefronts or ecommerce websites.
Applicable environment: SAQ A only

PCI Awareness 2026 for Merchants
For merchant staff who interact with payment card data (storing, transmitting, processing), manage employees who handle card information, or those responsible for attesting PCI compliance.
Applicable environments: SAQ A, SAQ B, SAQ P2PE, SAQ C-VT
Note: All 4 modules must be completed to satisfy the training requirement. 

PCI Awareness 2026 for IT
For IT staff responsible for securing and managing IT systems, applications, or equipment within the cardholder data environment (CDE) or that can impact the security of the CDE.
Note: All 3 modules must be completed to satisfy the training requirement. 

Step 2: Complete the Self-Assessment Questionnaire (SAQ)

Harvard supports a limited number of acceptable PCI environments (SAQ types)

Each merchant is required to complete the appropriate SAQ in the CampusGuard Portal. To access the portal, click “Login with SSO” and sign in with your HarvardKey credentials.

When completing the SAQ:  

  • Confirm that the assigned SAQ matches your payment environment  
  • Complete all questions in the portal  
  • Finalize and lock the SAQ when finished  

Locking the SAQ generates the final report and notifies the Office of Treasury Management (OTM) that it is ready for review. Contact pci_compliance@harvard.edu if you need access to the CampusGuard Portal. Do not share credentials under any circumstances. 

SAQ Walkthroughs (Strongly Recommended)

The PCI Compliance Working Group and CampusGuard held live virtual SAQ walkthroughs on April 27 and April 28, 2026, to review the Self-Assessment Questionnaires. These sessions were recorded for those who couldn’t attend or who would like a refresher and are now available in the Harvard Training Portal.

Choose a session below to register to view the recording:

View the corresponding presentations:

Note: These workshops do not satisfy the PCI Awareness Training requirement but are strongly encouraged for all individuals completing an SAQ.  

Step 3: Upload Required Supporting Documentation

Departments are required to upload the following documentation to the CampusGuard Portal.

Step 4: Sign the Merchant Agreement and Harvard Attestation Form

The Merchant Agreement and Attestation Form will be sent to designated signers through Adobe Acrobat Sign by May 8, 2026. The documents will be distributed together as one PDF file for each completed SAQ.

The Business Owner is responsible for completing and signing the documents.

The documents will then automatically route for additional signatures from: 

  1. IT Manager
  2. CIO or CISDPO
  3. Financial Dean or CFO 

After all signatures are completed, the document will automatically be routed back to OTM for review. 

Harvard policy requires merchants to complete a new Merchant Agreement each year. Please note that by signing the Agreement, you agree to abide by all the requirements of the University Credit Card Merchant Handbook.

Need Help?

For assistance during the certification process, contact pci_compliance@harvard.edu

Office hours will be held every Wednesday from 12:00-1:00 pm, starting May 6, 2026, and continuing through June 24, 2026.