Compliance with payment card industry standards

Adoption: January 15, 2020

Effective date: February 1, 2020
Instance of approval: Administration Committee

Originating/Responsible Department: Financial Resources and Information Technology


1. PURPOSE

1.1 The purposes of this Policy are to:

.1 confirm the University’s commitment to maintaining secure and reliable Payment Card Processing (as defined in Section 2 of this Policy);

.2 ensure the University’s compliance with the Payment Card Industry Data Security Standards (“PCI DSS”) developed by the founding members of the Payment Card Industry Security Standards Council (“PCI SSC”) and published on the PCI SSC website; and

.3 establish the University authorities responsible to ensure such compliance.

2. DEFINITIONS AND INTERPRETATION

2.1 For the purposes of this Policy, and any procedure and standard established by the University pursuant to it, the following words and expressions shall have the following corresponding meanings:

a) “Cardholder Data” is any personally identifiable data associated with the person who is responsible for the credit or debit card (the cardholder). Examples include, but are not limited to: account number, expiration date, card type, name, address, and card validation code – the three- or four-digit value printed on the front or back of a payment card, referred to as CAV, CVC, CVV, or CSC depending on the payment card brand. The term Cardholder Data is interchangeable with payment card data throughout this Policy and any related University procedure or standard.

b) “Payment Card” refers to any payment card/device issued by a financial institution, such as a bank or one of the founding members of PCI SSC (American Express, Visa International Inc., MasterCard Worldwide and Discover Financial Services) to a customer that enables the customer to access the funds in the customer’s bank accounts or through a credit account and make payments by electronic funds transfer and access automated teller machines. Payment Card does not include the uOttawa card issued by the University’s uOttawa Card Services.

c) “Payment Card Processing” is defined as using any application or device to process a Payment Card transaction as payment to the University.

2.2 The PCI DSS Glossary, Abbreviations and Acronyms published by the PCI SSC will be used to assist in the interpretation of this Policy and related University procedure and standard.

2.3 The following University Policies and associated Procedures must be read in conjunction with this Policy:

Policy 36 — Supply of Goods and Services
Policy 90 — Access to Information and Protection of Privacy
Policy 116 — Use and Security of Information Technology Assets
Policy 117 — Information Classification and Handling
Policy 118 — Electronic Mail (Email) Policy

3. SCOPE AND APPLICATION

3.1 This Policy applies to all University employees, contractors or any other third parties acting on behalf of the University or at the request of the University who accept payment by a Payment Card and who store, process or transmit Cardholder Data. It also applies to all Payment Card Processing and any media, telecommunication, servers, workstations or computer networks used for such storage, processing, or transmission of Cardholder Data.

3.2 This Policy does not apply to the uOttawa campus card issued by uOttawa Card Services.

4. POLICY STATEMENT

4.1 The University is committed to minimizing Payment Card fraud, hacking and various other security threats, and the risk of unauthorized access to Cardholder Data.

4.2 All University employees, contractors or any other third parties acting on behalf of the University or at the request of the University who accept payment by a Payment Card, as well as the Payment Card Processing and technologies used, must comply with the PCI DSS, including, without limitation, all of the following:

(a) Installing and maintaining a firewall configuration to protect Cardholder Data;

(b) Changing vendor-supplied defaults for system passwords and other security parameters;

(c) Protecting stored Cardholder Data;

(d) Encrypting transmission of Cardholder Data across open, public networks;

(e) Protecting all systems against malware and performing regular updates of anti-virus software;

(f) Developing and maintaining secure systems and applications;

(g) Restricting access to Cardholder Data to only those who have a legitimate business need to know;

(h) Assigning a unique identification to each individual who is given access to system components;

(i) Restricting physical access to Cardholder Data or to systems that hold Cardholder Data;

(j) Tracking and monitoring all access to Cardholder Data and network resources;

(k) Regularly testing security systems and processes; and

(l) Maintaining an information security policy for all personnel.

4.3 The University will provide training on compliance with PCI DSS to its personnel who are involved with Payment Card Processing.

4.4 All contractors or other third parties acting on behalf of the University or at the request of the University who accept payment by a Payment Card or who are involved in the Payment Card Processing and technologies must provide training on compliance with PCI DSS to their personnel and to those for whom they are responsible.

5. RESPONSIBILITIES

5.1 Instances of non-compliance with this Policy are to be reported to the University’s Associate Vice-President, Financial Resources and the Chief Information Officer, who, in turn, will inform the Vice-President, Finance and Administration. The Associate Vice-President, Financial Resources and the Chief Information Officer (as applicable) will look into the matter and recommend to the Vice-President, Finance and Administration the appropriate course of action in light of the circumstances.

5.2 The Associate Vice-President (AVP) Financial Resources and Chief Information Officer (CIO) are jointly responsible for the following:

.1 implementation and regular review of this Policy and recommending any changes to it to the Vice-President Resources;

.2 developing and maintaining procedures and/or standards for approval by the Vice-President, Finance and Administration;

.3 publishing, maintaining and ensuring awareness of this Policy and related University policies, procedures and standards;

.4 educating the University community about PCI DSS requirements and arranging for related training;

.5 any other task the Vice-President, Finance and Administration may deem appropriate in order to implement this Policy and any related University policy, procedure or standard.

6. IMPLEMENTATION, REVIEW AND AMENDMENT

6.1 The Associate Vice-President, Financial Resources and the Chief Information Officer are responsible for periodic review of this Policy and for recommending to the Vice-President, Finance and Administration any changes to it or to any procedure adopted pursuant to it. This Policy will be reviewed as necessary to ensure compliance with applicable legislation and regulation and with good business practices.

6.2 Amendments to this Policy, other than those set out in section 6.3 of this Policy, will require the approval of the President.

6.3 The Vice-President, Finance and Administration may amend this Policy to update the following information contained herein:

(a) the designation, title or identity of officials, offices, or departments and contact information within the University;

(b) the designation or title of government ministries or agencies; and

(c) the title or citation of legislation, regulations, policies or procedures.

6.4 The Vice-President, Finance and Administration may establish, amend, abrogate or make exceptions to procedures for purposes of the effective implementation of this Policy, provided that such procedures or exceptions are consistent with the provisions of this Policy.