Credit Cards and Payment Card Industry (PCI)
All Carleton University departments that accept credit card payments must process those payments in a manner compliant with the Payment Card Industry Data Security Standard (PCI DSS). These requirements were developed by the founders of the PCI Security Standards Council which include American Express, Visa International Inc., MasterCard Worldwide and Discover Financial Services.
Compliance with PCI DSS is not an option. Compliance protects Carleton University from adverse financial consequences and ensures the University’s excellent reputation.
On this page you will find the following information:
- Merchant Responsibilities
- Storage and Access of Cardholder Data
- Security Incident Response Plan – PDF version
Below is a high level summary of responsibilities to help merchants gain confidence in achieving mandatory PCI compliance. For a detailed account, please read the Cardholder Data Handling Procedures.
- The ongoing protection of cardholder data
- Awareness of and adherence to the standards and directives outlined in the Cardholder Data Handling Policy/Protocol
- Ensuring that safeguards designed to protect cardholder data are not tampered with or modified
- Immediately reporting suspected security breaches to Business Operations, Financial Services
- Completing an annual PCI self-assessment questionnaire
- Obtaining guidance from Business Operations when making any changes to credit/debit card processing
- Completing annual eLearning course on cardholder data protection standards and practices
- Ensuring all staff complete training prior to accessing cardholder data
Collection of /Processing Cardholder Data:
- Being aware of which cardholder data may be collected and for what purpose
- Processing web-based payments using a PCI-compliant provider approved by Business Operations
- Obtaining formal approval from Business Operations prior to processing when the card/customer are not present (other than via an approved e-commerce solution)
- Following best practice to never accept cardholder data via email
- Adhering to the strict protocols outlined in the cardholder policy if a business purpose exists requiring use of telephone or fax to collect cardholder information
- Restricting access to areas where cardholder data is processed
- Configuring 20/20 terminals to be PCI compliant
- Using a single purpose workstation that has been configured for PCI compliance when using a virtual terminal
Storage of Cardholder Data:
- Remaining cognizant of what data may be stored and what must be destroyed immediately
- Retaining physical copies of cardholder data only as long as there is a valid business purpose
- Masking card numbers on printed receipts and stored documents
- Locking physical copies of cardholder data in a secure area
- Restricting and monitoring access to areas where cardholder data is stored
- Ensuring cardholder data is not stored in electronic format (laptops, flash drives, etc)
- Maintaining an inventory log of all media containing cardholder data
- Properly destroying all cardholder data in a timely manner, including a quarterly review
|Data Element||Collection Permitted||Storage Permitted||Protection Required|
|Cardholder data||Primary account number (PAN)||Yes||No||n/a|
|Sensitive authentication data||Full magnetic stripe||No||No||n/a|
|PIN / PIN block||No||No||n/a|
The Business Office will be delivering mandatory training for all merchants accepting credit cards.
All merchants must attend annual trainings per PCI Compliance regulations.
Below is the process to be followed for responding to security incidents involving the unauthorized disclosure or modification of cardholder data (as defined by the Payment Card Industry (PCI) Data Security Standard). A security incident refers to malicious attempt, either successful or unsuccessful, by an unauthorized party to negatively impact the confidentiality or integrity of cardholder data is within scope of this incident response plan.
All merchants are expected to:
- Be familiar with the Incident Response Plan.
- Ensure that departmental staff who process credit cards payments as part of their job are aware of the Incident Response Plan.
Step 1: Contain or limit the exposure.
- Stop taking further payments until cleared to do so by Business Operations, Financial Services.
- Disconnect the compromised system from the network (Note: Do not turn off the computer – simply unplug the network cable)
- Lock paper records in a secure location
Note: Do not alter or access the system until ITS IT security has had an opportunity to examine the IT system.
Step 2: Contact Business Operations and ITS IT Security.
The primary contact points in each office are:
In the event that a security incident is detected outside of normal business hours, please contact the ITS Service Desk and indicate that the issue must be escalated immediately.
Step 3: Document any actions taken.
Document actions taken prior to the arrival/engagement of representatives from Business Operations or ITS. Procedures for Business Operations and ITS IT Security to follow in the event of a Suspected or Confirmed Security Incident
Step 4: Validate and assess the incident.
ITS IT security will investigate the incident in accordance with ITS Incident Handling Procedures. As part of the investigation, Business Operations and ITS IT Security will:
- Establish how the compromise occurred
- Document the type of cardholder data breached (PAN, mag stripe, expiration date, etc.)
- Identify the source for the compromise
- Identify the timeframe for the compromise
- Approximate # of cardholders affected
- Review the technology environment in accordance with the ITS Incident Response Procedures
- Confirm that the incident has been contained
- Keep senior management informed
Step 5: Implement security controls (either physical, procedural, or technical).
This action will be taken once the root cause of the incident has been identified. This is necessary to prevent future incidents.
Step 6: Await instructions.
Business Operations, in consultation with ITS IT Security, will provide the merchant with approval to restart payment processing.