PCI Requirements for Nelnet Users

Current PCI compliance requirements that will allow you to continue using SAQ-A under normal circumstances (note that PCI compliance requirements change frequently, and the information provided here may become outdated):

Server Related

  • New U-M websites should be hosted on an ITS managed MiServer or a PCI compliant service provider. Implement one primary function per server to avoid functions requiring different security levels co-existing on the same server.
  • If a U-M website is hosted externally, the server must be in a monitored secure location.
  • Operating system and application software versions must be supported by the vendor.
  • Security patches must be installed within one month of release.
  • 2-factor authentication to the web server for administrative and developer access (including 90-day password changes, with no reuse of old passwords allowed).
  • Vendor access to the server should only be allowed for maintenance and support.
  • File integrity monitoring (FIM) of the operating system, web server and application (i.e. all static files). FIM is not currently provided by ITS.

Website Related

  • Use HTTPS per Google certificate recommendations
    • 2048 bit
    • SHA-2
  • Use TLS 1.2 or higher, no RC4 or fallback.
  • Limit the parameter information passed to Nelnet (i.e., Order Number, Order Type, Order Description, Amount Due, Redirect URL & parameters, Retries Allowed, Time Stamp and hash). Use the Nelnet UserChoice fields only for data other than customer name and address. Collect customer name and personal information on your U-M website.
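The protocol and cipher side of the HTTPS requirement above (TLS 1.2 or higher, no RC4, no fallback) can be checked in code before a web server goes live. The following is an added example written for this page, not code from ITS or Nelnet; it uses only Python's standard `ssl` module, and the certificate-side checks (2048-bit key, SHA-2 signature) are deliberately left out because they belong to the certificate, not the server context. The legacy configuration at the bottom is a constructed sample.

```python
import ssl

REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2   # page: "TLS 1.2 or higher"
BANNED_CIPHER_TOKENS = ("RC4",)                  # page: "no RC4"


def audit_tls_policy(min_version, cipher_names):
    """Return a list of findings; an empty list means the protocol/cipher
    settings satisfy the page's requirement. Pure function, so it can be fed
    either a live SSLContext's values or constructed values for review."""
    findings = []
    # Anything below TLS 1.2 (including MINIMUM_SUPPORTED) is a fallback path.
    if min_version < REQUIRED_MIN_VERSION:
        findings.append(
            f"minimum protocol {min_version!r} allows fallback below TLS 1.2")
    for name in cipher_names:
        if any(tok in name.upper() for tok in BANNED_CIPHER_TOKENS):
            findings.append(f"banned cipher enabled: {name}")
    return findings


def policy_context():
    """Server-side context pinned to TLS 1.2+ with RC4 (and other weak
    suites) excluded; load_cert_chain() is the caller's job."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3/TLS 1.0/1.1
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!MD5:!3DES")
    return ctx


def audit_context(ctx):
    """Run the policy check against what the context will actually offer."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return audit_tls_policy(ctx.minimum_version, names)


# Constructed sample of a legacy configuration that would fail the check.
LEGACY_MIN_VERSION = ssl.TLSVersion.TLSv1
LEGACY_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"]


def audit_legacy_sample():
    return audit_tls_policy(LEGACY_MIN_VERSION, LEGACY_CIPHERS)


if __name__ == "__main__":
    print("policy context:", audit_context(policy_context()) or "compliant")
    print("legacy sample:", audit_legacy_sample())
```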

Other

  • Departments who host their own web servers are required to integrate the ITS interstitial gateway.
  • Opt in to U-M Information & Infrastructure Assurance's internal monthly vulnerability scans; under “Additional Requests” enter “PCI scan”. If you need help completing the form, submit a Help Desk ticket to [email protected].
  • Reconcile Nelnet activity against your website activity each business day while the website is operational. This is usually a business office function.
  • Coordinate with Treasury (Dave Doyle, [email protected]) for new use of Nelnet.

Please remember that, as the merchant, you are responsible for all 12 Requirements of the PCI-DSS standard even if you currently qualify for the shorter SAQ A.