University Secretariat and Legal Counsel

Procedures for the Acceptance of Credit and Debit Cards

Contact Officer:  PCI Coordinator


Purpose

The purpose of these procedures is to set out the steps that departments and units (“Merchants”) must follow for all debit and credit card payment transactions at the University. All Merchants that accept debit and credit cards for payment must follow these procedures to protect Cardholder Data as required by the Payment Card Industry Data Security Standard (PCI DSS) and by the University’s Policy for the Acceptance of Credit and Debit Cards.

Procedure for Establishing Merchant Accounts

Responsibility  Process

Merchant

All applications for Merchant accounts must be approved by the PCI Coordinator in Financial Services. Financial Services is the only University unit that is authorized to create, modify, or remove Merchant accounts. Departments or units are prohibited from entering into separate banking or payment processing services on their own, including PayPal. 

Further details on establishing a Merchant account for debit / credit card transactions can be found on the Financial Services website:

Applicants must sign the “Certificate of Credit Card Security and Ethics Agreement” attached to this document and submit it to the Department of Financial Services with their application.

 

Procedure for Approved Payment Applications

Responsibility  Process

Merchant

Only the following methods for credit and debit card processing are permitted:

  • Point-of-Sale (POS) processing using the designated PCI network, for both card-present and card-not-present transactions;
  • Hosted Checkout solutions, which provide web-based processing through a PCI-compliant service provider approved by the PCI Coordinator, so that card data is entered on the provider’s page and never on a web page served from the Queen’s network;
  • Virtual Terminal payment applications, in which transactions are entered manually on a PCI-compliant service provider’s website;
  • Payment Gateway applications, which allow online storefronts to transmit payments securely to a payment processor over the Internet.

Use of an alternative method may be approved on a case-by-case basis, as an exception, by the Controller and the Chief Information Officer (CIO).

To further ensure compliance, each payment application provider must supply an Attestation of Compliance (AOC) to the Merchant annually; the Merchant must forward it to the PCI Coordinator.

Any change in payment applications and/or processes that would affect the University’s PCI environment, and any related business process, must be reported to the PCI Coordinator for approval. The PCI Coordinator can be reached at PCICoordinator@queensu.ca.

 

Procedure for Use of Payment Applications and Payment Services

Responsibility  Process

Merchant

Any department or unit that wishes to use a payment application or external payment service for the processing of payment card transactions must have prior approval from the PCI Coordinator. In addition, any payment application or payment service must be approved as PCI compliant, and PCI DSS obligations must be written into the purchasing contract. The payment application provider must be willing to indemnify the University for all costs related to a potential or actual security breach associated with the processing, storage, or transmission of Cardholder Data.

The University will provide a core level of service and support to Merchants to facilitate the processing of debit and credit card transactions.  Should a Merchant decide to use a specialized payment application for payment processing, the Merchant will be responsible for any additional costs and resources arising from the use and implementation of the payment application.  In addition, the Merchant will also be responsible for any costs related to ensuring that the payment application is compliant with all payment card compliance standards.     

 

Procedure for General Restrictions on the Use of Cardholder Data

Responsibility  Process

Merchant

Generally, the University’s servers and network infrastructure are not to be used for processing, storing, or transmitting Cardholder Data. A specialized PCI communication network is available from ITS. Requests for exemptions may be made to the PCI Coordinator and will be approved jointly by the Controller and Chief Information Officer (CIO).

Under no circumstances is Cardholder Data to be sent via electronic messaging (e.g. e-mail, text messaging).

Cardholder information may be received by facsimile only if the facsimile machine is located in a secure environment with access restricted to authorized personnel. Cardholder information received by facsimile must not be retained in the machine’s memory. Fax-to-email services, which convert incoming or outgoing faxes to e-mail, must not be used to send or receive Cardholder Data.

The processing or transmission of Cardholder Data over Wi-Fi networks is not permitted. This includes, but is not limited to, wireless POS terminals and Virtual Terminal applications. Wireless POS terminals may only be used if the data is transmitted over the cellular network.

 

Procedure for Security Awareness and Training

Responsibility  Process

Merchant

Upon hire, and at least annually thereafter, every employee involved in the processing of credit card transactions must attend training on Cardholder Data protection standards and practices.

The provision of training and awareness will fall under the responsibility of Financial Services.

Security and/or background checks must be conducted for any new staff that will handle any Cardholder Data. Only authorized staff are permitted to handle Cardholder Data, and access to Cardholder Data must be restricted to users with a need to know. 

Merchants must maintain awareness of the contents of the University’s information security policies.

 

Procedure for Data Storage, Retention, Inventory and Destruction

Step  Process

1.

Data Storage Requirements

  • All confidential or sensitive material containing Cardholder Data, whether in paper or electronic form (e.g. CD, DVD, floppy disk, hard disk, tape, USB “thumb” drive, etc.), is to be retained only for the minimum time necessary for its use and then destroyed;
  • If there is a need to retain Cardholder Data in electronic or printed form, it must be stored or archived within a secure, locked facility so that personnel who do not process credit cards cannot access it;
  • All hardcopy or electronic media containing confidential or sensitive information must be labelled as such;
  • All confidential or sensitive material sent by mail, on or off the Queen’s campus, must be logged and sent via secured courier or another delivery mechanism that can be accurately tracked.
2.

Retention Requirements

  • The following Cardholder Data must be kept for no longer than 30 days after a single transaction:
    • Primary Account Number (“PAN”) (rendered unreadable – see below); and
    • Expiration Date.

Once a customer’s account information is no longer required, all Cardholder Data for that account must be purged within 30 days using an approved destruction method as outlined in this section.  

  • The following Cardholder “authentication” data may only be retained until the authorization of a transaction is complete:
    • Card Verification Code (CVV2, CVC2, CID), the three- or four-digit value printed on the card;
    • PINs and encrypted PIN blocks;
    • Full track data (from the magnetic stripe on the back of the card, or the equivalent data on a chip).

After authorization, the data must be immediately deleted according to the Destruction process detailed in this document.   Storage of Cardholder authentication data after a transaction has been completed is not allowed (even if encrypted).

  • Any Cardholder Data contained in databases, logs, files, or backup media must be rendered unreadable wherever it is stored, by encrypting the PAN or by truncating it so that only a portion of the PAN (at most the first six and last four digits) is retained. Masking applies to the PAN as displayed to users; it is not a substitute for rendering the stored PAN unreadable.
  • If a payment application is designed for a specific purpose in which the full PAN must be displayed, approval must be provided by the PCI Coordinator. In all cases the application must limit the display of the full PAN to the fewest number of users possible.
  • For transactions whereby Cardholder Data is collected but the processing of the card transaction will not occur until sometime in the future, tokenization methodologies must be employed. With tokenization, the PAN is assigned a unique, randomly generated sequence of numbers or characters which can be stored and substituted for the PAN for use in future-dated transactions.
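The following is an added example, not part of the University procedure or any of its service providers’ software, showing how the retention rules above look in code: a log scrubber that finds PANs and truncates them to the first six and last four digits, a post-authorization record filter that drops sensitive authentication data outright, and a minimal token vault for future-dated transactions. Its assumptions are not taken from the page: a PAN is 13 to 19 digits, optionally grouped with spaces or hyphens, and passes the Luhn check; the vault is an in-memory dictionary standing in for a PCI-compliant provider’s vault; the field names (`cvv2`, `track2`, and so on) and the sample log lines are constructed for illustration.

```python
"""Added example (not part of the University procedure): retention rules in code.

Assumptions, not taken from the page: a PAN is 13-19 digits, optionally grouped
with spaces or hyphens, and passes the Luhn check; the token vault is an
in-memory dict standing in for a PCI-compliant provider's vault; field names
such as "cvv2" and "track2" are illustrative.
"""
from __future__ import annotations

import re
import secrets

# 13-19 digits, optional single space/hyphen between digits, not adjacent to other digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data: must not exist after authorization, even encrypted.
SENSITIVE_AUTH_FIELDS = {"cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2", "chip_data"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a digit string; rejects most non-PAN digit runs
    (order numbers, timestamps) that happen to be 13-19 digits long."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS truncation)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> tuple[str, int]:
    """Return the line with every Luhn-valid PAN truncated, plus the count found."""
    found = 0

    def _repl(m: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)               # leave non-PAN digit runs untouched
        found += 1
        return truncate_pan(digits)

    return _PAN_CANDIDATE.sub(_repl, line), found


def scrub_log(lines: list[str]) -> tuple[list[str], int]:
    """Scrub a whole log; returns (clean lines, total PANs truncated)."""
    cleaned, total = [], 0
    for line in lines:
        clean, n = scrub_line(line)
        cleaned.append(clean)
        total += n
    return cleaned, total


def post_authorization_record(record: dict) -> dict:
    """Shape a transaction record for storage after authorization: drop sensitive
    authentication data entirely and truncate the PAN."""
    stored = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    if "pan" in stored:
        stored["pan"] = truncate_pan(str(stored["pan"]))
    return stored


class TokenVault:
    """Minimal token vault: PAN -> random token, token -> PAN. Only the vault holds
    the PAN; everything else stores the token for the future-dated charge.
    (A real vault would encrypt this map; it is in memory here for illustration.)"""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
            raise ValueError("not a plausible PAN")
        if digits not in self._token_by_pan:           # same PAN -> same token
            token = "tok_" + secrets.token_hex(16)     # random, not derived from the PAN
            self._pan_by_token[token] = digits
            self._token_by_pan[digits] = token
        return self._token_by_pan[digits]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


# Constructed sample log lines (not real data; the PANs are card-brand test numbers).
SAMPLE_LOG = [
    "2015-09-14 10:22:01 POS1 sale approved pan=4111111111111111 exp=09/17 amount=42.00",
    "2015-09-14 10:23:55 web order=9876543210123 status=ok",
    "2015-09-14 10:25:10 chargeback ref 5555 5555 5555 4444 contact ext 6666",
]

if __name__ == "__main__":
    clean, n = scrub_log(SAMPLE_LOG)
    print("\n".join(clean))
    print(f"{n} PAN(s) truncated")
```

Running the block truncates the two real PANs in the sample log and leaves the 13-digit order number alone because it fails the Luhn check; the same scrubber can be run over existing log directories to find PANs that should never have been written. The vault issues a random token rather than a hash or an encryption of the PAN, which is what makes the token safe to store in ordinary application databases.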
3. 

Inventory Requirements

All stored electronic and hardcopy media containing sensitive Cardholder Data must be inventoried at least annually.  Security controls on the storage mechanism must also be checked on an annual basis.

For Cardholder Data contained in hard copy form, a review must be undertaken at least quarterly to ensure that the stored Cardholder Data does not exceed the data retention requirements contained in this document.   

4.

Destruction Requirements

All confidential or sensitive media containing Cardholder Data (whether paper or electronic) that is no longer needed for legal, regulatory, or business requirements must be disposed of using an approved method as documented in this procedure.

  • All printed material containing personal and confidential information should be shredded, in keeping with the Personal Health Information Protection Act (PHIPA) and the Freedom of Information and Protection of Privacy Act (FIPPA). Cross-cut shredding is preferred.

Cardholder Data stored in files and directories on media that will be re-used must be deleted securely with a “wiping” utility approved by ITS; ordinary deletion leaves the data recoverable.

Before computer or communications equipment can be sent to a vendor for trade-in, servicing, or disposal, all confidential or sensitive information that includes Cardholder Data must be destroyed or removed according to the approved methods in this document.  

Removable computer storage media, such as optical disks or magnetic tapes, may not be donated to charity or otherwise recycled.  

Outsourced disposal of media containing confidential or sensitive information must use a bonded disposal vendor that provides a “Certificate of Destruction”. Storage containers holding information awaiting destruction (such as “to-be-shredded” bins) must be locked to prevent access to their contents. Destruction must be performed on site at Queen’s.

ITS can assist with the disposal of electronic media containing sensitive or confidential information.   For more information, please visit

http://www.queensu.ca/cio/information-systems-security-office or call ITS at 613-533-6666 during regular business hours.

 

Procedure for Regular Inspection of Point of Sale (“POS”) or PINPAD Devices for Tampering

Responsibility  Process

Merchant

Point-of-Sale and PINPAD devices must be inspected regularly to detect tampering or substitution, and so limit the harm a skimming or counterfeit device can do. Devices must be inspected at least weekly. Devices located in public areas, and devices that are not locked away overnight, should be inspected daily. Inspection is more reliable when each device’s make, model, location and serial number are on record, so that a substituted device is caught by comparing the serial number and tamper seals against the record.

In addition, Merchants must:

  • Verify the identity of any third party claiming to be repair or maintenance personnel before granting access to modify or troubleshoot a device;
  • Not install, replace, or return a device without such verification;
  • Watch for suspicious behaviour around devices (for example, attempts by unknown persons to unplug or open a device);
  • Keep POS terminals in a secure location, and log off when away from them;
  • Report suspicious behaviour and any indication of device tampering or substitution to the Department of Financial Services immediately;
  • Notify the Department of Financial Services immediately if a POS device or terminal is lost, stolen, damaged, or used without the Merchant’s permission.

The PCI Security Standards Council provides a list of best practices for the prevention of credit card device tampering. More information can be found at: https://www.pcisecuritystandards.org/documents/Skimming%20Prevention%20BP%20for%20Merchants%20Sept2014.pdf (PDF 1.19 MB)

 

Procedure for Non-Compliance with Policies and Procedures

Responsibility  Process

Any member of the University Community

The process for dealing with non-compliance will be as follows:

  • Any identified non-compliance must be reported to the PCI Coordinator immediately.
  • The nature of the non-compliance will be assessed by the PCI Coordinator or, if required, by an external validator (e.g. a Qualified Security Assessor, QSA). Depending on the risk presented, emergency measures may be taken to secure the data as detailed in the section entitled Incident Response Plan.
  • Where an imminent threat is suspected, card-processing access may be terminated immediately.
  • The PCI Coordinator will provide notice to the non-compliant department or unit that remediation is required.   
  • Within two weeks of being notified that remediation is required, the non-compliant department or unit will produce a plan to remediate the issue to the PCI Coordinator for approval.   This remediation plan will contain the steps necessary to achieve compliance as well as a timeline to complete the task.  
  • The Controller and Chief Information Officer (CIO) will ultimately determine if the non-compliance issue has been resolved.    
  • If remedial actions are incomplete or sufficient time has elapsed without the resolution of the compliance issue, the Controller and Chief Information Officer (CIO) will have the right to take further action, up to and including the suspension or revocation of card privileges.

 

Procedure for Incident Response Plan

In the case of a suspected or actual security incident involving sensitive Cardholder information, the following steps must be taken:

Responsibility  Process

Merchant

  • Cease accepting payments until further notice.
  • Disconnect the compromised workstation or POS device from the network (e.g. unplug the network cable or phone line, deactivate the switch port). Do not power the system off unless that is the only way to keep it off the network: shutting down destroys volatile evidence (memory contents, running processes, open connections) that the investigation depends on.
  • Report the suspected or actual security incident to the PCI Coordinator immediately.
  • Do not resume accepting credit or debit cards until cleared to do so by the PCI Coordinator.
The Office of the University Information Systems Security Officer
  • The PCI Coordinator will assess the reported incident and coordinate an emergency response plan, which will include, but is not limited to:
    1. Logging all actions taken (e.g. in a bound notebook, on video camera, etc.);
    2. Keeping an accurate paper trail for every transfer of equipment and information related to the incident;
    3. Not accessing or altering compromised systems (e.g. do not log on or change passwords; do not log in as root);
    4. Preserving all logs and electronic evidence;
    5. Placing systems containing Cardholder Data on high alert and monitoring all of their traffic.
  • The PCI Coordinator will alert all necessary parties, both internal and external, including:
    • The acquirer / payment card processing provider, within 24 hours. The acquirer / payment card processing provider will in turn advise the University and the Merchant on the next steps, including notification of the payment card brands. The incident report to the acquirer / payment card processing provider should include the Merchant identification number, details of the breach, the type of stored Cardholder Data compromised, and the steps taken to contain the incident;
    • The Associate Vice-Principal (Finance);
    • The University Information Systems Security Officer;
    • The Chief Information Officer;
    • University Communications;
    • Internal legal counsel;
    • Law enforcement, if applicable.

 

Procedure for Compliance

Responsibility  Process

Merchant

Any department or unit that accepts, captures, stores, transmits and/or processes credit card information must comply with the latest version of the PCI-DSS and participate in the annual self-assessment process and training.

All Merchants that accept payment cards must annually attest that they are in compliance with the University’s policies and procedures for the acceptance of credit and debit cards, and with the PCI DSS compliance validation requirements.

All Merchants must attest that any payment applications used in connection with the processing of credit card transactions have been installed properly, in accordance with the service provider’s instructions, and meet all PCI DSS and PA-DSS requirements.

Merchants are responsible for ensuring that a PCI Self-Assessment Questionnaire (SAQ) is completed each year. The SAQ must be submitted to the PCI Coordinator, who, upon approval, will submit it to the appropriate acquirer.

Merchants will be required to provide these attestations when notified by the PCI Coordinator on an annual basis that such attestation is due.  Such attestations must be signed off by the departmental or organizational unit head, and include the names of all persons that are in contact with Cardholder Data for their area.  


Date Approved:  September 14, 2015

Approval Authority:  Vice-Principals' Operations Committee 

Date of Commencement:  September 14, 2015

Date for Next Review:  September 2017

Related Policies, Procedures and Guidelines: