Step-by-Step Guide for PCI Compliance Certification
Follow these step-by-step instructions to complete the annual PCI Compliance Certification process. All required documentation must be completed, fully signed, and submitted by June 30, 2026.
On This Page
Step 1: Ensure appropriate staff complete PCI Awareness 2026 Training
All merchants must complete PCI Awareness Training 2026 in the Harvard Training Portal by June 30, 2026.
Departments must also complete and document local training on their local procedures and policies for everyone involved in accepting credit cards. The local training should be customized based on roles and responsibilities.
Required PCI Awareness 2026 Training
Staff should complete the course that corresponds to their role and payment environment. Please visit the Harvard Training Portal to enroll.
PCI Awareness 2026 for Cashiers
For front-line staff who process one card payment at a time with no electronic cardholder data storage.
Applicable environments: SAQ P2PE or SAQ B
PCI Awareness 2026 for Ecommerce
For merchants that accept payments through online storefronts or ecommerce websites.
Applicable environment: SAQ A only
PCI Awareness 2026 for Merchants
For merchant staff who interact with payment card data (storing, transmitting, processing), manage employees who handle card information, or those responsible for attesting PCI compliance.
Applicable environments: SAQ A, SAQ B, SAQ P2PE, SAQ C-VT
Note: All 4 modules must be completed to satisfy the training requirement.
PCI Awareness 2026 for IT
For IT staff responsible for securing and managing IT systems, applications, or equipment within the cardholder data environment (CDE) or that can impact the security of the CDE.
Note: All 3 modules must be completed to satisfy the training requirement.
Step 2: Complete the Self-Assessment Questionnaire (SAQ)
Harvard supports a limited number of acceptable PCI environments (SAQ types).
Each merchant is required to complete the appropriate SAQ in the CampusGuard Portal. To access the portal, click “Login with SSO” and sign in with your HarvardKey credentials.
When completing the SAQ:
- Confirm that the assigned SAQ matches your payment environment
- Complete all questions in the portal
- Finalize and lock the SAQ when finished
Locking the SAQ generates the final report and notifies the Office of Treasury Management (OTM) that it is ready for review. Contact pci_compliance@harvard.edu if you need access to the CampusGuard Portal. Do not share credentials under any circumstances.
SAQ Walkthroughs (Strongly Recommended)
The PCI Compliance Working Group and CampusGuard held live virtual SAQ walkthroughs on April 27 and April 28, 2026, to review the Self-Assessment Questionnaires. These sessions were recorded for those who couldn’t attend or who would like a refresher and are now available in the Harvard Training Portal.
Choose a session below to register to view the recording:
View the corresponding presentations:
Note: These workshops do not satisfy the PCI Awareness Training requirement but are strongly encouraged for all individuals completing an SAQ.
Step 3: Upload Required Supporting Documentation
Departments are required to upload the following documentation to the CampusGuard Portal.
Required if your department uses physical credit card readers (SAQ P2PE or SAQ B).
- Terminal Inventory must reflect the current state of the devices.
- The following details should be included in your inventory:
- Device make and model
- Device Location
- Device serial number or other methods of unique identification
- Date when the inventory was last reviewed
Note: Terminal Inventory needs to be in a list format. Photos of devices are not sufficient.
Upload a sample of a recent Device Inspection log. For more information, refer to the PCI Device Inspection Training Course 2025.
Required if you use a Third-Party Service Provider. These are typically front-end systems, such as:
- Salesforce
- CVENT
- Slate Technolutions
- Payment gateways other than TouchNet or CyberSource (i.e. FreedomPay, Bluefin, etc.)
You must obtain from the Service Provider:
- A current Attestation of Compliance (AOC)
- Note: If the Service Provider submits a document that is more than one year old, you should request a current AOC (i.e. The Service Provider submits a document on 6/1/26 that is dated 1/1/25, this is outdated)
- A current Responsibility Matrix
Note: OTM collects these documents centrally for Bank of America, Clover, CyberSource, and TouchNet.
Upload any local policies and procedures related to credit card processing. These should be reviewed and updated at least annually.
Step 4: Sign the Merchant Agreement and Harvard Attestation Form
The Merchant Agreement and Attestation Form will be sent to designated signers through Adobe Acrobat Sign by May 8, 2026. The documents will be distributed together as one PDF file for each completed SAQ.
The Business Owner is responsible for completing and signing the documents.
The documents will then automatically route for additional signatures from:
- IT Manager
- CIO or CISDPO
- Financial Dean or CFO
After all signatures are completed, the document will automatically be routed back to OTM for review.
Harvard policy requires merchants to complete a new Merchant Agreement each year. Please note that by signing the Agreement, you agree to abide by all the requirements of the University Credit Card Merchant Handbook.
Need Help?
For assistance during the certification process, contact pci_compliance@harvard.edu.
Office hours will be held every Wednesday from 12:00-1:00 pm, starting May 6, 2026, and continuing through June 24, 2026.