The Payment Card Industry Data Security Standard, also known as the PCI DSS, is the universal data security standard endorsed by major payment card brands for all establishments that process, store, or transmit cardholder data and/or sensitive authentication data. The process includes steps that follow best practices in terms of security.  


The standard was created to better control cardholder data and reduce credit card fraud. 

Systems considered within the scope of this standard are those that interact with, contain, or affect cardholder data. These systems should be evaluated for their compliance with PCI DSS. The appropriate level of protection is determined by analyzing the flow of cardholder data within an organization.   

Any merchant who receives card payments must reassess PCI scope at least annually. As part of the scoping review, all cardholder data flows must be redefined, along with any systems that are linked to the cardholder environment or which could potentially compromise it.   

PCI Security Standards Council

PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. on September 7, 2006, in order to manage the ongoing evolution of the PCI DSS.  

The Council is responsible for managing the security standards, while the Council's founding members, which are the card brands, enforce the PCI standards that govern them. 

PCI DSS responsibilities at uOttawa

The University of Ottawa has a fiduciary responsibility to all its patrons and payment card processors to comply with the PCI DSS standard when handling payment card transaction data and to help reduce fraud, in terms of both financial and reputational risks.   

It is mandatory for all uOttawa sectors that process, transmit and store payment card information to comply with PCI DSS. These sectors need to ensure that their systems and payment infrastructure are secure and that employees who have access to this information follow the standard and receive the appropriate training.

What are the consequences of non-compliance?  

  • Theft of credit card data and resulting fraud.  
  • Reputational risk as a merchant.  
  • Loss of consumer confidence.  
  • Financial liabilities, fines, and penalties from payment acquirer and individual card brands.  
  • Loss of ability to accept payment cards.  

Quick links

More on PCI DSS

Contact information


If you have questions, please contact the PCI Compliance Office.

Report an incident

If you wish to report an incident, visit the reporting incidents page.