G2 - PCI Compliance and Credit Card Payments Guideline
| Guideline description | Information security guideline for PCI compliance and credit card payments |
| Guideline owner | Information Security Services (ISS) |
Table of Contents
- Payment Card Industry (PCI)
- PCI compliance
- Channels and methods
- Point-to-point encryption
- Storage of cardholder information
- Payment applications
- Records of PCI compliance
- Related references
- Document history
This document is subject to change and review at least annually.
The purpose of this document is to provide information technology guidelines on PCI compliance for University of Waterloo departments and businesses that accept, collect or process credit cards or payment cards.
This guideline applies to all University of Waterloo departments and businesses that accept or process credit cards or payment cards.
Payment Card Industry (PCI)
University of Waterloo departments and businesses that accept or process credit cards or payment cards must conform with the official standards published by the Payment Card Industry Security Standards Council (PCI SSC). The PCI security standards are mandated by the PCI SSC, which was formed by the five major credit card brands.
PCI compliance
PCI compliance is mandatory for all businesses and organizations that accept, collect or process credit cards, including the University of Waterloo. All University of Waterloo departments, businesses or areas on campus that accept, collect or process payment cards, directly or through a third party, must comply with the PCI security standards and have an ongoing responsibility for maintaining their PCI compliance.
University of Waterloo Finance and Information Security Services (ISS) within Information Systems and Technology jointly provide oversight of PCI compliance and credit card security at the University of Waterloo. To ensure the University's compliance with PCI security standards, University of Waterloo Finance and Information Security Services may perform a third-party assessment or audit of departments or areas on campus that accept or process credit cards.
University departments and businesses
University of Waterloo departments and businesses that accept, collect, process or transmit credit cards must:
- Comply with the PCI security standards and requirements mandated by the Payment Card Industry Security Standards Council.
- Report any changes to their PCI compliance status and have an ongoing responsibility for PCI compliance.
- Promptly report security breaches through the Information Security Breach Response Procedure.
- Ensure solutions are reviewed by Finance and Information Security Services prior to implementation and whenever changes are made.
- Accept or process credit cards only through channels and payment methods approved by Finance.
- Complete the required training and compliance attestations through Finance.
- Maintain appropriate documentation and records of PCI compliance.
Channels and methods
Examples of common channels and methods for credit cards and payment cards are provided below.
E-commerce and websites
- Credit cards may be accepted online through e-commerce providers approved by Finance in accordance with PCI security standards.
Email
- Credit cards must not be accepted by email at the University of Waterloo.
- Email is not a secure channel for accepting and processing credit card payments.
Payment terminals and point-of-sale systems
- Credit cards may be accepted through payment terminals and point-of-sale systems that are approved by Finance.
Telephone
- PCI compliance is required when accepting credit cards by telephone.
- Credit cards may be accepted by telephone (non-VoIP) in accordance with PCI security standards and as approved by Finance.
Point-to-point encryption
PCI Point-to-Point Encryption (PCI P2PE) validated solutions can help to reduce PCI scope and provide better security. A list of PCI P2PE validated solutions can be found on the Payment Card Industry Security Standards Council website.
Storage of cardholder information
Cardholder information must be protected in accordance with the Freedom of Information and Protection of Privacy Act (FIPPA) and PCI security standards at all times. Storage must be limited to contact information such as name, address, email address and telephone number.
Permitted Storage
Storage of contact information such as name, address, email address and telephone number is permitted.
Not Permitted Storage
Storage of any cardholder data, such as the Primary Account Number (PAN), Sensitive Authentication Data (e.g. full magnetic stripe data, CVV2) or any other cardholder data, is not permitted at the University of Waterloo.
Payment applications
All payment applications must be reviewed and approved by University of Waterloo Finance and Information Security Services. Externally hosted payment applications and services provided to the University of Waterloo must conform with the PCI Data Security Standard (PCI DSS). Locally hosted payment applications must also be validated against the PCI Payment Application Data Security Standard (PA-DSS) to ensure credit card information is not being stored.
Records of PCI compliance
Appropriate documentation and records of compliance with the PCI security standards must be maintained. Documentation must be formal, in use, up to date and readily available. Finance or Information Security Services may request documentation during an assessment, audit or breach investigation, or for compliance purposes.
For general inquiries and questions related to PCI compliance, credit cards and payments, please email firstname.lastname@example.org.
Related references
Relevant references for PCI, credit cards and payments:
University of Waterloo
- Statement on Electronic Business
- E-Commerce Standards and Procedures
- Finance SharePoint Site – PCI Compliance Page
Document history
| Date | Change | Name of Person, Department, Group or Committee |
| --- | --- | --- |
| 2018-12-11 | Added Point-to-point encryption section | Information Security Services (ISS) |
| 2018-11-01 | Minor clarification pertaining to storage | Information Security Services (ISS) |