University Secretariat and Legal Counsel

Policy for the Acceptance of Credit and Debit Cards 

Category:  Finance

Approval:  Vice-Principals’ Operations Committee

Responsibility:  Associate Vice-Principal, Finance

Date Approved:  September 14, 2015


Purpose/Reason for Policy:

Payment Cards, such as credit and debit cards, give the University and its affiliated entities a convenient way to accept payment for goods and services.   As a condition of continued acceptance of Payment Cards, the University is contractually bound through its agreements with its Payment Card processing service providers to comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS).  

The goal of PCI DSS is the protection of Cardholder Data.  PCI DSS is a comprehensive set of controls, processes, and other requirements designed to secure Cardholder Data throughout its collection, storage, transmission, and handling.  

In addition to being a mandatory requirement for the continued acceptance of Payment Cards, compliance with PCI DSS increases customer (e.g. donor) confidence in Payment Card transactions and provides a stronger internal control environment at the University with respect to the protection of sensitive information.

Non-compliance with PCI DSS exposes the University to risks including but not limited to:

  • Potential loss of credit card acceptance privileges;
  • Liability for damages;
  • Lost revenue and downtime for systems that are breached.

Scope of this Policy:

This policy applies to all entities, departments, or individuals affiliated with the University who are involved with the acceptance and processing of Payment Cards for the payment of goods and services.  

Any party that uses the Queen’s telecommunication or computer networks for the storage, processing, or transmission of Cardholder Data must also comply with this policy.

Policy Statement

  1. Payment Card Industry Data Security Standard (PCI DSS)

    Any University department or unit, person affiliated with the University, or University system or network that is involved in the processing, storage, or transmission of Cardholder Data must comply with the latest version of the Payment Card Industry Data Security Standard (PCI DSS).  Compliance ensures the security of Cardholder Data, protects the University from reputational risk and from financial and legal liability, and allows the University to maintain its ability to process debit and credit card transactions.  Any University department or unit, or person affiliated with the University, must demonstrate PCI DSS compliance and receive permission from the PCI Coordinator before using the University’s networks for the processing of Cardholder Data.   

    All payment applications used for the processing, storage, or transmission of Cardholder Data must also comply with the latest versions of the PCI DSS and PA DSS standards.

    Any failure to abide by this policy or the procedures contained in the Procedures for the Acceptance of Credit and Debit Cards will result in the temporary suspension or permanent revocation of payment card acceptance privileges.

  2. Establishment of Merchant Accounts

    Departments and units may only accept payments if Merchant accounts have been established and approved by Financial Services.   

    Merchant accounts must be established using the University’s preferred payment card processing provider(s). Departments and units are prohibited from entering into other payment arrangements with any other service provider(s), including PayPal. Any exceptions to this policy must be approved jointly by the Controller and Chief Information Officer (CIO).

  3. Costs of Establishing a Merchant Account

    Any costs of establishing a Merchant account for the purpose of accepting payment through Payment Cards will be borne by the department or unit establishing the account.   These costs include, but are not limited to, the rental of point-of-sale (“POS”) purchase terminals, transaction fees, and costs associated with online E-Commerce applications, payment applications, and service providers.   In addition, Merchants will be responsible for any costs associated with achieving and maintaining compliance with PCI DSS, which may include security scanning, auditing, and remediation work.  Merchants will also be responsible for costs associated with any security breach that results from non-compliance with the requirements of this policy and its associated procedures. 

Definitions:

Cardholder
A customer or consumer that uses a payment card for the purchase of goods and services.
 
Cardholder Data
At a minimum, Cardholder Data consists of the full Primary Account Number (“PAN”).   Cardholder Data may also appear in the form of the full PAN plus any of the following:   Cardholder name, expiration date, and/or service code.
 
E-Commerce
The act of buying and selling of products and services over electronic systems such as the Internet and other computer networks.
 
Merchant
A merchant is any entity that accepts payment cards bearing the logos of any of the five founding members of PCI SSC (American Express, Discover, JCB, MasterCard or VISA) as payment for goods and/or services.
 
Payment Application Data Security Standard (“PA DSS”)
The Payment Application Data Security Standard (“PA DSS”) is a set of requirements that are intended to help software vendors develop secure payment applications that support PCI DSS compliance.  PA DSS applies to third-party applications that store, process or transmit payment Cardholder Data as part of an authorization or settlement.  
 
PayPal
The name of an organization that facilitates payments and money transfers through the Internet.  PayPal performs payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee.
 
Primary Account Number (“PAN”)
The payment card number printed on the front of a payment card, typically 15 or 16 digits long (13 to 19 digits depending on the card brand).  The PAN identifies the issuer of the card and the particular Cardholder account, and its presence is what brings a system into the scope of PCI DSS.
 
Payment Cards
Any debit, credit, or other payment card that bears the logo of one of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and VISA, Inc. 
 
Payment Card Industry Coordinator (“PCI Coordinator”)
The PCI Coordinator will advise and provide oversight on all matters pertaining to the acceptance of Payment Cards at the University, including PCI DSS compliance.
 
Payment Card Industry Data Security Standard (“PCI DSS”)
The Payment Card Industry Data Security Standard (“PCI DSS”) is a standard that all organizations, including online retailers, must follow when storing, processing, and transmitting their customers’ payment card data.   PCI DSS was developed and is maintained by the Payment Card Industry Security Standards Council (“PCI SSC”). 

Payment Card Industry Security Standards Council (“PCI SSC”)
The Payment Card Industry Security Standards Council (“PCI SSC”) is a council established by the major credit card brands (VISA, American Express, MasterCard, JCB, and Discover) and is the governing organization responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS) and the Payment Application Data Security Standard.   
 
Point-Of-Sale (“POS”)
Hardware and/or software used to process payment card transactions at merchant locations at the point of the sale.   

Responsibilities:

Departments, units, and all persons that come into contact with Cardholder Data are responsible for ensuring that they comply with this policy and its associated procedures.
 
The PCI Coordinator will oversee the enforcement of this policy and its associated procedures and is responsible for approving all new Merchant accounts.   Any exception to this policy or its associated procedures, and any decision to suspend or revoke a Merchant account, will be made jointly by the Controller and the CIO.
 
The Associate Vice-Principal, Finance is responsible for the administration of this policy and associated procedures.


Contact Officer:  PCI Coordinator

Date for Next Review:  September 2017

Related Policies, Procedures and Guidelines:

Policies Superseded by the Policy:  None