Information Technology Services
Information Technology Services

Securing cardholder data at Queen's

By Mike Smith and Nancy Simon, ITS Project Portfolio Office

Have you ever used your credit card to order a transcript in SOLUS? To pay for a session at Queen’s Physical Therapy Clinic?  To enrol your child in a Queen’s Summer Camp?

If you have, you’re not alone. Payment card transactions are critically important to the business of the university, and in 2015, Queen’s processed 285,000 payment card transactions totalling $30 million in sales.*

It is not uncommon to hear stories about how major businesses have suffered breaches in the security of their payment card data. The university has a responsibility to ensure that such transactions are reliable and secure; that purchases will be completed successfully, and that cardholder data cannot be stolen during or after purchases. Queen’s is committed to ensuring that the right security practices are in place to meet those responsibilities.

The members of the Payment Card Industry (PCI) – including Visa, MasterCard and American Express – define standard processes and security controls that need to be in place to ensure that payment card data is safe from exploitation. Led by Queen’s Financial Services and Information Technology Services (ITS), Queen’s is currently engaged in a multi-year project to attain compliance with the PCI Data Security Standard (PCI DSS).

“Just as Queen’s is committed to excellence in academics and research, so too are we committed to excellence in the business functions that sustain the university financially,” notes Heather Woermke, Queen’s Controller.


To date, the project has been focused on building the IT infrastructure needed to support compliance: a separate network for transmitting credit card data, and a PCI-compliant datacentre for housing applications that handle credit card information. Departments have also been engaged in updating their current business processes or patching servers that currently host credit card applications. Over the next several months, payment pin pads and terminals will be moved from the campus network to the PCI network.

“Building the PCI datacentre is a critical first step in achieving compliance,” says Bo Wandscheider, Chief Information Officer and Associate Vice-Principal (ITS). “Establishing a core infrastructure that meets the gold standard for PCI security enables not only the ongoing success of the 80 merchants at Queen’s who already rely on credit card payments, but also lays a foundation for ongoing business opportunities at the university.”


Achieving university-wide compliance with the PCI DSS is a complex undertaking that will require active participation from stakeholders across the institution. For example, some merchants may need to move their applications to our secure PCI datacentre, while others may choose to outsource to a PCI-compliant third party solution. If you are a merchant who accepts credit card payments; a business officer; or an IT resource who builds and maintains credit card applications at Queen’s, the project team will be engaging with you to provide information and support in executing the changes required to become compliant by our target date of December 31, 2017.

If you have questions about the impact of these changes on you, please contact Mike Smith, Project Manager, ITS Project Portfolio Office.

*Correction: The original article misstated the payment card totals for 2015.

Last updated: September 2016