PCI DSS
The PCI Security Standards Council established the PCI DSS to help protect consumers’ card payment data.
The University of Ottawa is working on implementing measures to comply with the Payment Card Industry Data Security Standard (PCI DSS). The first phase of the implementation focuses on verifying the University’s point-of-sale (POS) terminals. More measures will follow in the coming months.
What is PCI DSS?
The PCI Security Standards Council (PCI SSC) established the Payment Card Industry Data Security Standard (PCI DSS) to help protect consumers’ payment card data. The PCI DSS requires all organizations that process, transmit and store payment card information to comply with a set of data controls, establish IT and physical security measures and meet policy requirements in order to mitigate the risk of loss, theft or abuse of payment card data.
Why comply with PCI DSS?
The University is contractually obligated to comply with PCI DSS in order to continue accepting card payments.
Non-compliance could result in the University losing the privilege of accepting card payments. It could also result in costly fines, increased validation requirements and harm to the University’s reputation.
POS terminals
Who must comply to the POS terminal measures
All uOttawa point of sale (merchants) that currently accept card payments for goods and services must comply with this standard.
POS terminals measures
In order to help POS managers prevent fraud associated with card skimming attacks, uOttawa has implemented the following measures:
- Verification of POS terminals
POS managers and their employees must verify their terminals to ensure they have not been tampered with. - Mandatory training
All employees who use a terminal as part their work functions must complete the mandatory training, which includes how to verify a POS terminal and the terminal environment. - Consent form
Once employees have completed the training, they will be required to sign an electronic form indicating they accept the measures and rules related to PCI DSS.
Steps to preventing POS terminal fraud
POS managers are responsible for ensuring their payment systems and infrastructure are secure. By following current best practices, POS managers are critical in preventing terminals from falling victim to fraud. Managers are responsible for regularly verifying the terminals and the terminal environment. They must also ensure their employees are appropriately trained on handling POS terminals.
- When you first receive a terminal, carefully observe the position, colour and materials used for the security label or company sticker. Taking a picture of the device and any wires is a good practice so that you can refer to it in the future should you notice something seems different. Be sure to store this information in a safe and accessible location.
- Keep a record of the number of terminals under your responsibility with information on the terminal. For example:
- Make and model
- Location (for example, the exact address and room number)
- Serial number or other unique identifying information
- At the beginning of each day or before opening your POS, employees must check the POS terminal. They can use the quick guide “Checking your POS terminal”.
- Create a list of any additional elements to check that reflects the situation in your work environment.
- If more than one employee uses the POS terminal, establish a rotating schedule for the routine POS check in order to reduce the risk of anything being missed and to ensure that not only one person carries out all checks.
- Develop and maintain a schedule for your employees to follow. Ensure the records include:
- Day and time of check
- Name of employee conducting the check
- Steps completed
- Maintain an up-to-date checklist for employees that are POS users.
- Secure your POS terminals at the end of each day.
- Establish and maintain an emergency plan.
- Ensure new staff members receive proper training on POS terminal verification.
- Do not let any technician make changes without first confirming with your POS supplier (you should have contact information in your emergency plan). DO NOT confirm with a contact person provided by the technician.
- Every two weeks, managers must complete the “POS manager’s evaluation checklist” and retain a copy of the completed checklist for two years.
Guides, training and consent form
Guides
Mandatory training
All employees who use a terminal as part their work functions must complete the mandatory training, which includes how to verify a POS terminal and the terminal environment.
Consent form
Once employees have completed the training, they will be required to sign an electronic form indicating they accept the measures and rules related to PCI DSS.
If you discover something suspicious
- Carefully move any POS terminals to a secure area.
- Do not touch anything else, it may be considered a potential crime scene.
- Contact uOttawa Protection Services at 613-562-5411.
Terminology and resources
Terminology
Cardholder data: Any personal data that allows a cardholder to be easily identified: account number, expiry date, name, address, etc.
Card skimming:
PCI SSC describes it as follows:
- “[…] the unauthorized capture and transfer of payment data to another source, for fraudulent purposes”
- Used “to capture massive amounts of account details in a short amount of time, with low risk of detection”
- First tactic used by criminals when committing fraud
Merchant or point-of-sales (POS): uOttawa service or sector with approval of Financial Resources to accept debit or credit card payments for goods or services
Payment card: Debit or credit card
PCI Security Standards Council (PCI SSC): Organization responsible for establishing norms aiming at protecting users’ credit card data
POS manager: uOttawa employee in charge of a POS
POS terminal: ʺA terminal used in place of a cash register in a store for customer checkout and such added functions as recording inventory data, transferring funds and checking credit.ʺ
POS user (POS employee): Any employee working in a uOttawa POS
Resources
- To find out more about PCI SSC and PCI DSS compliance, visit PCI SSC, where you can find a full range of resources to help you prevent fraud.
- The information in this page was adapted from Information Supplement Skimming Prevention: Best Practices for Merchants (PDF), published by PCI SSC.
- For more information on e-commerce at uOttawa, refer to the section Financial System > Commerce at uOttawa on the Accounting, Financial Resources website.