Validation tools and participating partners

Every merchant at the University of Ottawa is required to follow instructions issued by the PCI DSS Compliance Office in terms of completing an annual self-assessment questionnaire (SAQ), which is a validation tool used by eligible organizations or merchants to self-assess their PCI DSS compliance. Different SAQs are available for various business environments.

The University of Ottawa has retained the services of a qualified security assessor (QSA), who is a cybersecurity expert, to support us in our efforts to complete these assessments, identify vulnerabilities, conduct randomized sampling audits, review our policies, and meet current industry standards. A QSA is qualified by the PCI Security Standards Council to perform PCI DSS assessments.

The PCI Compliance Office (PCO) reserves the right to conduct periodic inspections, both announced and unannounced, of our devices as part of the University’s compliance requirements.

Requirements

Merchants should expect to meet the following requirements, and provide the accompanying documentation, depending on their payment environment.

To reduce the scope of PCI DSS analyses, merchants must now use POS devices that only connect to 3G/4G networks. Merchants may be called upon to provide:

  • Data flow diagrams
  • A registry of equipment with unique identifiers and pictures
  • Proof of yearly POS verification training for all users
  • Proof of regular POS checks conducted by the person responsible for the merchant ID and by users
  • Pictures of the secure storage location (safe, locked desk, cabinets, etc.)

The documents that e-commerce units may be required to provide will vary, depending on whether they use a software-as-a-service (SaaS) solution or an on-premises system (hosted on uOttawa servers). To reduce the scope of PCI DSS analyses, the payment page must be completely outsourced to a PCI DSS-compliant third-party payment gateway. Merchants may be asked to provide:

  • An established engagement process with the service provider
  • A written agreement from the service provider acknowledging that they are responsible for the security of the cardholder data they store, process, or transmit
  • Documents indicating that the merchant has read and agrees to the procedures, standards, and policies the University maintains in terms of access control, vulnerability management, security, critical usage, and more
  • Proof that the service provider is PCI DSS compliant and that they provide uOttawa with their Attestation of Compliance every year
  • Data flow diagrams
  • Network diagrams
  • Hardening guide/build book of the server
  • List of users in Active Directory
  • Evidence that the operating system is updated/supported
  • Evidence that servers are updated/supported
  • Evidence that web application stacks are updated
  • An established engagement process with the payment gateway service provider
  • A written agreement from the payment gateway service provider acknowledging that they are responsible for the security of the cardholder data they store, process, and/or transmit
  • Proof that the payment gateway service provider is PCI DSS compliant and provides uOttawa with their Attestation of Compliance every year
  • Documents stating that the merchant has read and agrees to the procedures, standards, and policies the University maintains regarding access control, vulnerability management, security, critical usage, and more
  • Documentation stating that the merchant conducts quarterly ASV scans, and external vulnerability scans after any major source code change to the application