PCI DSS

The PCI Security Standards Council established the PCI DSS to help protect consumers’ card payment data.
The PCI Security Standards Council (PCI SSC) established the Payment Card Industry Data Security Standard (PCI DSS) to help protect consumers’ payment card data. The PCI DSS requires all organizations that process, transmit and store payment card information to comply with a set of data controls, establish IT and physical security measures and meet policy requirements in order to mitigate the risk of loss, theft or abuse of payment card data.
The University of Ottawa is contractually obligated to comply with PCI DSS in order to continue accepting card payments. Non-compliance could result in the University losing the privilege of accepting card payments. It could also result in costly fines, increased validation requirements and harm to the University’s reputation.
Updates
Financial Resources and Information Technology have formed a team to work with the campus sectors to identify the changes needed to bring their online payment applications into PCI DSS compliance, and to support the adoption and implementation of an action plan to make them compliant. Work with units is scheduled to begin in the fall of 2019.
Other measures implemented in the past focused on POS terminals and the employees who use these terminals to process payments:
- Replacement of all POS terminals with 3G POS terminals
- Mandatory training for all employees using a terminal to process payments
- Mandatory signature of the employee cardholder data compliance statement
Sector responsibilities
It is mandatory for all uOttawa sectors that process, transmit and store payment card information to comply with PCI DSS. They need to ensure that their systems and payment infrastructure are secure and that employees who have access to this information follow the standard and get the appropriate training.
Terminology and resources
Terminology
Cardholder data: Any personal data that allows a cardholder to be easily identified: account number, expiry date, name, address, etc.
Merchant or point of sale (POS): A uOttawa sector approved by Financial Resources to accept debit or credit card payments for goods or services.
Payment card: Debit or credit card.
PCI Security Standards Council (PCI SSC): The organization responsible for establishing standards aimed at protecting users’ credit card data.
Merchant ID responsible person: uOttawa employee in charge of a POS.
POS terminal: "A terminal used in place of a cash register in a store for customer checkout and such added functions as recording inventory data, transferring funds and checking credit."
POS user (POS employee): Any employee working in a uOttawa POS.
Resources
- To find out more about PCI SSC and PCI DSS compliance, visit PCI SSC, where you can find a full range of resources to help you prevent fraud.
- The information on this page was adapted from Information Supplement: Skimming Prevention: Best Practices for Merchants (PDF), published by PCI SSC.
- For more information on e-commerce at uOttawa, refer to the section Financial System > E-Commerce on the Accounting, Financial Resources website.