#  Step-by-Step Guide for PCI Compliance Certification 

 



 ##  

  expand\_more  

 
  

 

Follow these step-by-step instructions to complete the annual PCI Compliance Certification process. All required documentation must be completed, fully signed, and submitted by **June 30, 2026**.

## On This Page

1. [Ensure appropriate staff complete PCI Awareness 2026 Training](#complete-PCI-awareness-training)
2. [Complete the Self-Assessment Questionnaire (SAQ)](#complete-the-SAQ)
3. [Upload required supporting documentation to the CampusGuard Portal](#upload-required-supporting-documentation)
4. [Sign the Merchant Agreement and Harvard Attestation Form (via Adobe Acrobat Sign)](#sign-the-merchant-agreement)



 

##  Step 1: Ensure appropriate staff complete PCI Awareness 2026 Training 

All merchants must complete **PCI Awareness Training 2026** in the Harvard Training Portal by **June 30, 2026**.

Departments must also complete and document local training on their local procedures and policies for everyone involved in accepting credit cards. The local training should be customized based on roles and responsibilities.



 

### Required PCI Awareness 2026 Training

Staff should complete the course that corresponds to their role and payment environment. Please visit the Harvard Training Portal to enroll.

[PCI Awareness 2026 for Cashiers](https://trainingportal.harvard.edu/Saba/Web_spf/NA1PRD0068/common/ledetail/cours000000000050264)  
For front-line staff who process one card payment at a time with no electronic cardholder data storage.  
**Applicable environments: SAQ P2PE or SAQ B**

[PCI Awareness 2026 for Ecommerce](https://trainingportal.harvard.edu/Saba/Web_spf/NA1PRD0068/common/ledetail/cours000000000050265)  
For merchants that accept payments through online storefronts or ecommerce websites.  
**Applicable environment: SAQ A only**

[PCI Awareness 2026 for Merchants](https://trainingportal.harvard.edu/Saba/Web_spf/NA1PRD0068/common/ledetail/cours000000000050267)  
For merchant staff who interact with payment card data (storing, transmitting, processing), manage employees who handle card information, or those responsible for attesting PCI compliance.  
**Applicable environments: SAQ A, SAQ B, SAQ P2PE, SAQ C-VT**  
*Note: All 4 modules must be completed to satisfy the training requirement.*

[PCI Awareness 2026 for IT](https://trainingportal.harvard.edu/Saba/Web_spf/NA1PRD0068/common/ledetail/cours000000000050266)  
For IT staff responsible for securing and managing IT systems, applications, or equipment within the cardholder data environment (CDE) or that can impact the security of the CDE.  
*Note: All 3 modules must be completed to satisfy the training requirement.*



 

##  Step 2: Complete the Self-Assessment Questionnaire (SAQ) 

Harvard supports a limited number of [acceptable PCI environments (SAQ types)](/acceptable-pci-environments-harvard "Acceptable PCI Environments at Harvard").

**Each merchant is required to complete the appropriate SAQ** in the [CampusGuard Portal](https://campusguardcentral.com/login). To access the portal, click “Login with SSO” and sign in with your HarvardKey credentials.

When completing the SAQ:

- Confirm that the assigned SAQ matches your payment environment
- Complete all questions in the portal
- Finalize and lock the SAQ when finished

Locking the SAQ generates the final report and notifies the Office of Treasury Management (OTM) that it is ready for review. Contact [pci\_compliance@harvard.edu](mailto:pci_compliance@harvard.edu) if you need access to the CampusGuard Portal. Do not share credentials under any circumstances.



 

### SAQ Walkthroughs (Strongly Recommended)

The PCI Compliance Working Group and CampusGuard held live virtual SAQ walkthroughs on April 27 and April 28, 2026, to review the Self-Assessment Questionnaires. These sessions were recorded for those who couldn’t attend or who would like a refresher and are now available in the Harvard Training Portal.

Choose a session below to register to view the recording:

- [SAQ A Walkthrough Session – 2026 (Recording)](https://trainingportal.harvard.edu/Saba/Web_spf/NA1PRD0068/common/ledetail/cours000000000050283)
- [SAQ P2PE Walkthrough Session – 2026 (Recording)](https://trainingportal.harvard.edu/Saba/Web_spf/NA1PRD0068/common/ledetail/cours000000000050284)

View the corresponding presentations:

- [SAQ A Walkthrough Session – 2026 (PowerPoint)](https://hu.sharepoint.com/:p:/r/sites/FAD-WebsiteFiles/shared_employees/Training/FY26/PCI%204.0%20SAQ%20A%20Walkthrough%202026_finalshare.pptx?d=w8fd444fd791441269c3ac7b96c8a8a99&csf=1&web=1&e=nFsVa5)
- [SAQ P2PE Walkthrough Session – 2026 (PowerPoint)](https://hu.sharepoint.com/:p:/r/sites/FAD-WebsiteFiles/shared_employees/Training/FY26/PCI%204.0%20SAQ%20P2PE%20Walkthrough%202026_finalshare.pptx?d=wf6633433cdc34febb7748b2f5f0f6c9e&csf=1&web=1&e=OejtDD)

*Note: These workshops do not satisfy the PCI Awareness Training requirement but are strongly encouraged for all individuals completing an SAQ.*



 

##  Step 3: Upload Required Supporting Documentation 

Departments are required to upload the following documentation to the [CampusGuard Portal](https://campusguardcentral.com/login).

 

 



  Open all sections   Close all sections  



###    Terminal Inventory  expand\_more  

**Required if your department uses physical credit card readers (SAQ P2PE or SAQ B).**

- Terminal Inventory must reflect the current state of the devices.
- **The following details should be included in your inventory:**
    - Device make and model
    - Device Location
    - Device serial number or other methods of unique identification
    - Date when the inventory was last reviewed

*Note: Terminal Inventory needs to be in a list format. Photos of devices are not sufficient.*

 

 



###    Device Inspection Log (for P2PE &amp; B only)  expand\_more  

Upload a sample of a recent Device Inspection log. For more information, refer to the [PCI Device Inspection Training Course 2025](https://trainingportal.harvard.edu/Saba/Web_spf/NA1PRD0068/app/me/learningeventdetail/cours000000000048882?regId=regdw000000001743009&context=user&learnerId=emplo000000000974444&returnurl=catalog%2Fsearch%3FsearchText%3Dpci%20device%2526filter%3D%7B%7D).

 

 



###    Service Provider Documentation  expand\_more  

**Required if you use a Third-Party Service Provider.** These are typically front-end systems, such as:

- Salesforce
- CVENT
- Slate Technolutions
- Payment gateways other than TouchNet or CyberSource (i.e. FreedomPay, Bluefin, etc.)

**You must obtain from the Service Provider:**

- A current **Attestation of Compliance (AOC)**
    - *Note: If the Service Provider submits a document that is more than one year old, you should request a current AOC (i.e. The Service Provider submits a document on 6/1/26 that is dated 1/1/25, this is outdated)*
- A current **Responsibility Matrix**

*Note: OTM collects these documents centrally for Bank of America, Clover, CyberSource, and TouchNet.*

 

 



###    Local Policies and Procedures  expand\_more  

Upload any local policies and procedures related to credit card processing. **These should be reviewed and updated at least annually.**

 

 



 

 

 

 

##  Step 4: Sign the Merchant Agreement and Harvard Attestation Form 

The **Merchant Agreement and Attestation Form** will be sent to designated signers through **Adobe Acrobat Sign** by **May 8, 2026**. The documents will be distributed together as one PDF file for each completed SAQ.

**The Business Owner is responsible for completing and signing the documents.**

The documents will then automatically route for additional signatures from:

1. IT Manager
2. CIO or CISDPO
3. Financial Dean or CFO

After all signatures are completed, the document will automatically be routed back to OTM for review.

Harvard policy requires merchants to complete a new Merchant Agreement each year. Please note that by signing the Agreement, you agree to abide by all the requirements of the [University Credit Card Merchant Handbook](https://hu.sharepoint.com/sites/FAD-WebsiteFiles/Shared%20Documents/OTM/harvardcreditcardmerchanthandbook.pdf "Harvard Credit Card Merchant Handbook").



 

##  Need Help? 

For assistance during the certification process, contact [pci\_compliance@harvard.edu](mailto:pci_compliance@harvard.edu).

Office hours will be held every **Wednesday from 12:00-1:00 pm**, starting May 6, 2026, and continuing through June 24, 2026.



 

 



 [ Join via Zoom arrow\_circle\_right ](https://harvard.zoom.us/j/97261236194?pwd=jMXQpu8qUlgPBrP0Xck8SXIi1iayKW.1&from=addon)