Email Templates: Service Provider Annual Documentation Request

Existing Service provider, Provider owns merchant account, eCommerce Only

Email Template

Existing Service provider, Middlebury owns merchant account, eCommerce Only

Email Template

Existing Service provider, Middlebury owns merchant account, Card Present Point of Sale system (POS)

Email Template

Existing Service Provider, Middlebury owns merchant account, eCommerce, card present and not-present, payment processing via API (SCMP, SOAP Toolkit)

Email Template

Existing Service provider, Provider owns merchant account, eCommerce Only

Examples: ABC Sports, BSN Sports, Eventbrite, Healthy College Snacks, My Online Camps, Slate, Submittable, Transcripts on Demand

●Existing Service Provider

●Service Provider is the Merchant Account Holder

●Deposits are sent to Middlebury via ACH or check

Email Template

Dear xxxxx,

Thank you for partnering with Middlebury (enter department) to provide (enter service being provided).

Middlebury is committed to engaging with service providers that are focused on information security and compliant with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requires Middlebury to obtain and review our service providers' PCI compliance documentation on an annual basis.

Please answer the questions listed below and submit the required documentation:

●Provide a current Attestation of Compliance (AOC). If you self-assess, provide the AOC for SAQ D – Service Provider; if a Qualified Security Assessor (QSA) firm performs your PCI audit, provide the AOC from the Report on Compliance (ROC) on-site assessment.

○Ensure that the services you provide to Middlebury are listed among the services assessed on the AOC.

●Provide a recent Approved Scanning Vendor (ASV) external vulnerability scan report.

●Verify that the encryption protocol in use is TLS 1.1 or higher; TLS 1.2 is preferred. SSL (all versions) and TLS 1.0 are no longer considered secure or PCI DSS compliant.

●Have you had significant changes in your solution over the past twelve months?

●Have you experienced a breach of cardholder data over the past twelve months?

I look forward to receiving the documentation and answers to the above questions. Please let me know if you have questions or concerns.

(MDRP Signature)

Existing Service provider, Middlebury owns merchant account, eCommerce Only

Examples:

●Existing Service Provider

●Middlebury is the Merchant Account Holder

●Payment processing functionality connected via a Middlebury-owned payment gateway account

○CyberSource Secure Acceptance Web/Mobile

○Bluefin’s PayConex Hosted Payment Page

○NelNet’s Cryptpay Hosted Payment Page

Email Template

Dear xxxxx,

Thank you for partnering with Middlebury (enter department) to provide (enter service being provided).

Middlebury is committed to engaging with service providers that are focused on information security and compliant with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requires Middlebury to obtain and review our service providers' PCI compliance documentation on an annual basis.

Please answer the questions listed below and submit the required documentation:

●Provide a current Attestation of Compliance (AOC). If you self-assess, provide the AOC for SAQ D – Service Provider; if a Qualified Security Assessor (QSA) firm performs your PCI audit, provide the AOC from the Report on Compliance (ROC) on-site assessment.

○Ensure that the services you provide to Middlebury are listed among the services assessed on the AOC.

●Provide a recent Approved Scanning Vendor (ASV) external vulnerability scan report.

●Verify that the encryption protocol in use is TLS 1.1 or higher; TLS 1.2 is preferred. SSL (all versions) and TLS 1.0 are no longer considered secure or PCI DSS compliant.

●Have you had significant changes in your solution over the past twelve months?

●Have you experienced a breach of cardholder data over the past twelve months?

I look forward to receiving the documentation and answers to the above questions. Please let me know if you have questions or concerns.

(MDRP Signature)

Existing Service provider, Middlebury owns merchant account, Card Present Point of sale system (POS)

Example: Retail Food Operations POS Solution

●Existing Service Provider

●Middlebury is the Merchant Account Holder

●Card present transactions only

Email Template

Dear xxxxx,

Thank you for partnering with Middlebury (enter department) to provide (enter service being provided).

Middlebury is committed to engaging with service providers that are focused on information security and compliant with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requires Middlebury to obtain and review our service providers' PCI compliance documentation on an annual basis.

Please answer the questions listed below and submit the required documentation:

●Provide a current Attestation of Compliance (AOC). If you self-assess, provide the AOC for SAQ D – Service Provider; if a Qualified Security Assessor (QSA) firm performs your PCI audit, provide the AOC from the Report on Compliance (ROC) on-site assessment.

○Ensure that the services you provide to Middlebury are listed among the services assessed on the AOC.

●Provide a recent Approved Scanning Vendor (ASV) external vulnerability scan report.

●Verify that the personnel who install and integrate the point-of-sale (POS) application and payment terminals are PCI SSC Qualified Integrator and Reseller (QIR) professionals.

●Verify that the encryption protocol in use is TLS 1.1 or higher; TLS 1.2 is preferred. SSL (all versions) and TLS 1.0 are no longer considered secure or PCI DSS compliant.

●Have you had significant changes in your solution over the past twelve months?

●Have you experienced a breach of cardholder data over the past twelve months?

●Are you a Level 1 Service Provider?

●Are you listed on the Visa Global Registry of Service Providers?

●Is your solution a PCI SSC-validated Point-to-Point Encryption (P2PE) solution?

○If so, provide the PCI SSC solution validation number: ______

○Provide the P2PE Instruction Manual (PIM) for the validated solution

●If the solution is not P2PE validated, provide the PA-DSS validation information for the payment application and its PA-DSS certification

I look forward to receiving the documentation and answers to the above questions. Please let me know if you have questions or concerns.

(MDRP Signature)

Existing Service Provider, Middlebury owns merchant account, eCommerce, card present and not-present, payment processing via API (SCMP, SOAP Toolkit)

●Existing Service Provider

●Middlebury is the Merchant Account Holder

●Level 1 Service Provider listed on the Visa Global Registry of Service Providers

●eCommerce solution with integrated API payment processing, where staff enter both card-present and card-not-present transactions. These are generally larger vendors and solutions. Example: iModules Alumni Online Community

Email Template

Dear xxxxx,

Thank you for partnering with Middlebury (enter department) to provide (enter service being provided).

Middlebury is committed to engaging with service providers that are focused on information security and compliant with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requires Middlebury to obtain and review our service providers' PCI compliance documentation on an annual basis.

Please answer the questions listed below and submit the required documentation:

●Provide a current Attestation of Compliance (AOC). If you self-assess, provide the AOC for SAQ D – Service Provider; if a Qualified Security Assessor (QSA) firm performs your PCI audit, provide the AOC from the Report on Compliance (ROC) on-site assessment.

○Ensure that the services you provide to Middlebury are listed among the services assessed on the AOC.

●Provide a recent Approved Scanning Vendor (ASV) external vulnerability scan report.

●Provide a current SSAE 16 audit report (SOC 1) or a SOC 2 report.

●Have you had significant changes in your solution over the past twelve months?

●Have you experienced a breach of cardholder data over the past twelve months?

●Are you a Level 1 Service Provider?

●Are you listed on the Visa Global Registry of Service Providers?

●Is your solution a PCI SSC-validated Point-to-Point Encryption (P2PE) solution?

○If so, provide the PCI SSC solution validation name and number: ______

○Provide the P2PE Instruction Manual (PIM) for the validated solution

●Verify that the encryption protocol in use is TLS 1.1 or higher; TLS 1.2 is preferred. SSL (all versions) and TLS 1.0 are no longer considered secure or PCI DSS compliant.

I look forward to receiving the documentation and answers to the above questions. Please let me know if you have questions or concerns.

(MDRP Signature)
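The TLS item in each of the four templates asks the provider to verify its protocol version, but the MDRP can check the provider's hosted payment page or API endpoint independently before accepting the answer. The Python script below is an added example written for this page; it is not part of the original templates or any vendor's tooling. It offers the server one protocol version at a time and grades the outcome by the rule stated in the templates (TLS 1.1 minimum, TLS 1.2 preferred, SSL and TLS 1.0 non-compliant). The hostname payments.example.com is a placeholder, and the script assumes Python 3.7+ with an OpenSSL build that can still offer TLS 1.0/1.1 when its security level is lowered.

```python
"""Probe which SSL/TLS protocol versions an HTTPS endpoint will negotiate and
grade the result against the rule in the annual documentation request:
TLS 1.1 or higher required, TLS 1.2 preferred, SSL and TLS 1.0 not compliant.
"""
import socket
import ssl
import sys

# Versions to attempt, oldest first. Names match what SSLSocket.version() returns.
PROBE_VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY = ("SSLv3", "TLSv1")                    # must be refused by the server
ACCEPTABLE = ("TLSv1.1", "TLSv1.2", "TLSv1.3")  # minimum per the email
PREFERRED = ("TLSv1.2", "TLSv1.3")


def probe_version(host, port, version):
    """Return True if the server completes a handshake when the client offers
    exactly this one protocol version, False if the server refuses it or the
    local OpenSSL build cannot offer that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        # Local OpenSSL will not offer this version (e.g. SSLv3 compiled out).
        return False
    # Only the protocol version is under test here, so certificate validation
    # is off; a certificate problem would otherwise look like a version refusal.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL 3.x blocks TLS 1.0/1.1 at its default security level; lower it
    # so that a refusal comes from the server rather than from this client.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def evaluate(results):
    """Grade a {version_name: handshake_succeeded} map against the rule in the
    request email. Returns (compliant, findings)."""
    findings = []
    legacy_accepted = [v for v in LEGACY if results.get(v)]
    modern_accepted = [v for v in ACCEPTABLE if results.get(v)]
    preferred_accepted = [v for v in PREFERRED if results.get(v)]
    if legacy_accepted:
        findings.append("NON-COMPLIANT: endpoint still negotiates "
                        + ", ".join(legacy_accepted))
    if not modern_accepted:
        findings.append("NON-COMPLIANT: no TLS 1.1 or higher handshake succeeded")
    elif not preferred_accepted:
        findings.append("WARNING: TLS 1.1 is the only acceptable version offered; "
                        "TLS 1.2 is preferred")
    else:
        findings.append("OK: negotiates " + ", ".join(preferred_accepted))
    compliant = not legacy_accepted and bool(modern_accepted)
    return compliant, findings


def check_endpoint(host, port=443):
    """Probe every version in PROBE_VERSIONS and grade the endpoint."""
    results = {name: probe_version(host, port, ver) for name, ver in PROBE_VERSIONS}
    return results, evaluate(results)


if __name__ == "__main__":
    # payments.example.com is a placeholder hostname, not a real provider.
    target = sys.argv[1] if len(sys.argv) > 1 else "payments.example.com"
    results, (compliant, findings) = check_endpoint(target)
    for name, accepted in results.items():
        print(f"{name:8s} {'accepted' if accepted else 'refused'}")
    for line in findings:
        print(line)
    sys.exit(0 if compliant else 1)
```

Run it as `python tls_probe.py <hostname>`; a non-zero exit means the endpoint fails the rule in the template. Certificate validation is deliberately off so that a certificate problem is not misreported as a protocol refusal; validate the certificate separately. If the local OpenSSL build cannot offer SSLv3 or TLS 1.0 at all, those rows show `refused` regardless of what the server would accept, so confirm that limitation before recording a clean result.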

PCI Documentation Library\Service Provider Management\Email Templates Existing Service Provider Annual Documentation Request 2016.08.28