G2 - PCI Compliance and Credit Card Payments Guideline

Guideline ID 2
Guideline status Reviewed
Guideline description Information security guideline for PCI compliance and credit card payments
Guideline owner Information Security Services (ISS)
Guideline contacts

Changes

This document is subject to change and review at least annually.

Purpose

The purpose of this document is to provide information technology guidelines for PCI compliance to University of Waterloo departments and businesses that accept, collect or process credit cards or payment cards.

Applicability

This guideline applies to University of Waterloo departments and businesses that accept or process credit cards or payment cards.

Payment Card Industry (PCI)

University of Waterloo departments and businesses that accept or process credit cards or payment cards must conform with the official standards published by the Payment Card Industry Security Standards Council (PCI SSC). The PCI security standards are maintained by the PCI SSC, which was founded by the five major payment card brands; compliance with them is mandated and enforced by the card brands and acquiring banks through the University's merchant agreements.

PCI Compliance

PCI Compliance is mandatory for all businesses and organizations that accept, collect or process credit cards, including the University of Waterloo. All University of Waterloo departments, businesses or areas on campus that accept, collect or process payment cards directly or through a third-party must comply with the PCI security standards and have an ongoing responsibility for maintaining their PCI compliance.  

Oversight

University of Waterloo Finance and the Information Security Services (ISS) within Information Systems and Technology jointly provide oversight for the PCI compliance and credit card security at the University of Waterloo. To ensure the University's compliance with PCI security standards, University of Waterloo Finance and Information Security Services may perform a third-party assessment or audit of departments or areas on campus that accept or process credit cards.

Responsibilities

University departments and businesses

University of Waterloo departments and businesses that accept, collect, process or transmit credit cards must:

  • Comply with the PCI security standards and requirements mandated by the Payment Card Industry Security Standards Council.
  • Report any changes to their PCI compliance status and have an ongoing responsibility for PCI compliance.
  • Promptly report security breaches through the Information Security Breach Response Procedure.
  • Ensure payment solutions are reviewed by Finance and Information Security Services prior to implementation and again whenever they change.
  • Accept or process credit cards only through channels and payment methods approved by Finance.
  • Complete the required training and compliance attestations through Finance.
  • Maintain appropriate documentation and records of PCI compliance.

Channels and methods

Examples of common channels and methods for credit cards and payments cards are provided below.

E-commerce and websites

  • Credit cards may be accepted online through e-commerce providers approved by Finance in accordance with PCI security standards.

Email

  • Credit cards must not be accepted by email at the University of Waterloo.
  • Email is not a secure channel for accepting or processing credit card payments: card numbers sent by email are stored in plain text in mailboxes, backups and archives, which brings those systems into PCI scope.

Payment terminals

  • Credit cards may be accepted through payment terminals and point-of-sale systems that are approved by Finance.

Telephone

  • PCI compliance is required when accepting credit cards by telephone.
  • Credit cards may be accepted by telephone (non-VoIP) using methods approved by Finance and in accordance with PCI security standards. Card details taken by telephone must be keyed directly into an approved payment terminal or application and must not be written down, recorded or otherwise stored (see Storage of cardholder information).

Point-to-Point Encryption 

PCI Point-to-Point Encryption (PCI P2PE) validated solutions encrypt the card number inside the payment terminal, so that University systems between the terminal and the payment processor never handle cleartext cardholder data. This reduces the PCI scope of those systems and provides better security. A list of PCI P2PE validated solutions can be found on the Payment Card Industry Security Standards Council web site.

Storage of cardholder information

Cardholder information must be protected in accordance with the Freedom of Information and Protection of Privacy Act (FIPPA) and PCI security standards at all times. Storage must be limited to contact information such as name, address, email address and telephone number.

Permitted Storage

Storage of contact information such as name, address, email address and telephone number is permitted.

Not Permitted Storage

Storage of cardholder data in any form or medium (electronic or paper), such as the Primary Account Number (PAN), Sensitive Authentication Data (e.g. full magnetic stripe data, CVV2, etc.) or any other cardholder data, is not permitted at the University of Waterloo.

Payment applications

All payment applications must be reviewed and approved by University of Waterloo Finance and Information Security Services. Externally hosted payment applications and services used by the University of Waterloo must be provided by service providers that conform with the PCI Data Security Standard (PCI DSS). Locally hosted payment applications must also be PCI Payment Application Data Security Standard (PA-DSS) validated to ensure credit card information is not being stored. Note that the PCI SSC retired PA-DSS in October 2022 and replaced it with the PCI Software Security Framework (Secure Software Standard); applications validated under the newer standard satisfy the same intent.

Records of PCI compliance

Appropriate documentation and records of compliance with the PCI security standards must be maintained. Documentation must be formal, in use, up to date and readily available. Finance or Information Security Services may request documentation during an assessment, audit, breach investigation or for compliance purposes.

Contacts

For general inquiries and questions related to PCI compliance, credit cards and payments, please email pcicompliance@uwaterloo.ca.

Acknowledgements

Date        Type        Name of Person, Department, Group or Committee
2018-10     Consulted   Finance

Document history

Date        Revision Summary
2018-12-11  Added Point-to-Point Encryption section
2018-11-01  Minor clarification pertaining to storage
2018-10-25  Initial version

Reviews

Date        Reviewed By
2018-10-25  Information Security Services (ISS)