Credit Cards and Payment Card Industry (PCI) Compliance

All Carleton University departments that accept credit card payments must process those payments in a manner compliant with the Payment Card Industry Data Security Standard (PCI DSS). These requirements were developed by the founders of the PCI Security Standards Council which include American Express, Visa International Inc., MasterCard Worldwide and Discover Financial Services.

Compliance with PCI DSS is mandatory, not optional. Compliance protects Carleton University from fines and other adverse financial consequences and safeguards the University's reputation.

On this page you will find the following information:

  • Merchant Responsibilities
  • Storage and Access of Cardholder Data
  • Training
  • Security Incident Response Plan
  • Resources

Merchant Responsibilities

Below is a high-level summary of merchant responsibilities, intended to help merchants achieve and maintain mandatory PCI compliance. For the detailed requirements, read the Cardholder Data Handling Procedures.

In General:

  • The ongoing protection of cardholder data
  • Awareness of and adherence to the standards and directives outlined in the Cardholder Data Handling Policy/Protocol
  • Ensuring that safeguards designed to protect cardholder data are not tampered with or modified
  • Immediately reporting suspected security breaches to Business Operations, Financial Services
  • Completing an annual PCI self-assessment questionnaire
  • Obtaining guidance from Business Operations when making any changes to credit/debit card processing

Staff/Training:

  • Ensuring all staff complete training prior to accessing cardholder data

Collection/Processing of Cardholder Data:

  • Being aware of which cardholder data may be collected and for what purpose
  • Processing web-based payments using a PCI-compliant provider approved by Business Operations
  • Obtaining formal approval from Business Operations before processing any card-not-present transaction (other than through an approved e-commerce solution)
  • Never accepting cardholder data via email, in line with best practice
  • Following the strict protocols in the cardholder policy if a business purpose requires collecting cardholder data by telephone or fax
  • Restricting access to areas where cardholder data is processed
  • Configuring 20/20 terminals to be PCI compliant
  • Using a single-purpose workstation that has been configured for PCI compliance when using a virtual terminal

Storage of Cardholder Data:

  • Remaining cognizant of what data may be stored and what must be destroyed immediately
  • Retaining physical copies of cardholder data only as long as there is a valid business purpose
  • Masking card numbers on printed receipts and stored documents (no more than the first six and last four digits visible)
  • Locking physical copies of cardholder data in a secure area
  • Restricting and monitoring access to areas where cardholder data is stored
  • Ensuring cardholder data is not stored in electronic format (laptops, flash drives, etc)
  • Maintaining an inventory log of all media containing cardholder data
  • Securely destroying cardholder data as soon as it is no longer needed, and reviewing retained data at least quarterly

Storage and Access of Cardholder Data

Category                       Data element                   Collection permitted   Storage permitted   Protection required
Cardholder data                Primary account number (PAN)   Yes                    No                  n/a
Cardholder data                Cardholder name                Yes                    Yes                 Yes
Cardholder data                Service code                   Yes                    Yes                 Yes
Cardholder data                Expiration date                Yes                    Yes                 Yes
Sensitive authentication data  Full magnetic stripe data      No                     No                  n/a
Sensitive authentication data  CVC2/CVV2/CID                  Yes                    No                  n/a
Sensitive authentication data  PIN / PIN block                No                     No                  n/a

Sensitive authentication data may be used only to authorize a transaction and must never be retained after authorization, even in encrypted form. "Protection required" is n/a wherever storage is not permitted, because there is nothing to protect: the data must be destroyed immediately.

Training

The Business Office delivers mandatory training for all merchants that accept credit cards.

All merchants must attend this training annually, as PCI DSS requires.

Security Incident Response Plan

Below is the process to be followed when responding to security incidents involving the unauthorized disclosure or modification of cardholder data (as defined by the Payment Card Industry Data Security Standard). Any malicious attempt, successful or not, by an unauthorized party to compromise the confidentiality or integrity of cardholder data is a security incident within the scope of this plan.

Download Carleton’s Security Incident Response Plan

All merchants are expected to:

  • Be familiar with the Incident Response Plan.
  • Ensure that departmental staff who process credit card payments as part of their job are aware of the Incident Response Plan.

Step 1: Contain or limit the exposure.

  • Stop taking further payments until cleared to do so by Business Operations, Financial Services.
  • Disconnect the compromised system from the network by unplugging the network cable. Do not power off the computer: shutting it down destroys volatile evidence (memory contents, running processes, active connections) that the investigation needs.
  • Lock paper records in a secure location.

Note: Do not access or alter the system further until CCS IT Security has had an opportunity to examine it.

Step 2: Contact Business Operations and CCS IT Security.

The primary and alternate contact points in each office are:

Business Operations

  Primary contact:
  • Valerie Evans, Manager, Business Office
  • 301N Robertson Hall
  • (613) 520-2600 x1330

  Alternate contact:
  • Kristine Simmons, Assistant Manager, Business Operations
  • 301J Robertson Hall
  • (613) 520-2600 x2070

CCS IT Security

  Primary contact:
  • Tim Lott, Assistant Director, Information Security / Chief Information Security Officer
  • 402K Robertson Hall
  • (613) 520-2600 x5245

  Alternate contact:
  • Geoff Leboldus, Senior IT Security Analyst
  • 402N Robertson Hall
  • (613) 520-2600 x6725

In the event that a security incident is detected outside of normal business hours, please contact the CCS Service Desk and indicate that the issue must be escalated immediately.

Step 3: Document any actions taken.

Document every action taken (what was done, by whom, and when) before representatives from Business Operations or CCS arrive or are engaged.

Procedures for Business Operations and CCS IT Security to follow in the event of a suspected or confirmed security incident

Step 4: Validate and assess the incident.

CCS IT Security will investigate the incident in accordance with the CCS Incident Handling Procedures. As part of the investigation, Business Operations and CCS IT Security will:

  • Establish how the compromise occurred
  • Document the types of cardholder data breached (PAN, magnetic stripe data, expiration date, etc.)
  • Identify the source of the compromise
  • Identify the timeframe of the compromise
  • Estimate the number of cardholders affected
  • Review the technology environment in accordance with the CCS Incident Response Procedures
  • Confirm that the incident has been contained
  • Keep senior management informed

Step 5: Implement security controls (physical, procedural, or technical).

Controls are put in place once the root cause of the incident has been identified, so that the same weakness cannot be exploited again.

Step 6: Await instructions.

Business Operations, in consultation with CCS IT Security, will provide the merchant with approval to restart payment processing.

Resources