Payment Card Industry Data Security Standards (PCI DSS) Compliance
Any State agency accepting credit cards as a form of payment must complete a yearly Self-Assessment Questionnaire (SAQ), reviewed and signed by the State's Internal Security Assessor (ISA) and submitted to the State Treasurer's Office.
Required information before meeting with the ISA

The ISA will provide this information for the website.

Merchant Manual

Each State agency must maintain a "Merchant Manual", which will be reviewed by the State's ISA and must contain the following sections:

Contents of a Merchant Manual:
Section 1: Executive Summary
Download and complete the Executive Summary [7-page PDF].
Section 2: Annual PCI Self-Assessment Questionnaire
Completed and signed SAQ for the applicable SAQ type. The SAQ types are described below:
SAQ A
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
*Not applicable to face-to-face channels.
SAQ A-EP
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have one or more websites that do not directly receive cardholder data but that can affect the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
*Applicable only to e-commerce channels.
SAQ B
Merchants using only:
  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.
*Not applicable to e-commerce channels.
SAQ B-IP
Merchants using only standalone, PIN Transaction Security (PTS)-approved payment terminals with an Internet Protocol (IP) connection to the payment processor, with no electronic cardholder data storage.
*Not applicable to e-commerce channels.
SAQ C
Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.
*Not applicable to e-commerce channels.
SAQ C-VT
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider, with no electronic cardholder data storage.
*Not applicable to e-commerce channels.
SAQ P2PE
Point-to-Point Encryption (P2PE). Merchants using only hardware payment terminals that are included in and managed via a validated P2PE solution listed by the PCI Security Standards Council, with no electronic cardholder data storage.
*Not applicable to e-commerce channels.
SAQ D for Merchants
All merchants not included in any other descriptions for the previous SAQ types.
SAQ D for Service Providers
All service providers defined by a payment card brand as eligible to complete an SAQ.
Section 3: Vulnerability Scans or Attestation of Compliance (AOC)
Section 4: Cardholder Data Flow Diagram
Cardholder data flow diagrams covering all cardholder data processes and detailing every type of cardholder data and sensitive authentication data used (e.g. PAN, CVV, track data).
Section 6: Agreements with Treasurer's Office/Employees/Third Party Providers
Copy of signed Incident Response Plan Agreement.
Copies of all agreements with vendors processing credit card transactions and/or hosting your website.
Employee training signed documents.