PCI DSS
The PCI Security Standards Council established the PCI DSS to help protect consumers’ card payment data.
The University of Ottawa is working on implementing measures to comply with the Payment Card Industry Data Security Standard (PCI DSS). The first phase of the implementation focuses on verifying the University’s point-of-sale (POS) terminals. More measures will follow in the coming months.
PCI DSS standard
The PCI Security Standards Council (PCI SSC) established the Payment Card Industry Data Security Standard (PCI DSS) to help protect consumers’ payment card data. The PCI DSS requires all organizations that process, transmit and store payment card information to comply with a set of data controls, establish IT and physical security measures and meet policy requirements in order to mitigate the risk of loss, theft or abuse of payment card data.
Reasons to comply with PCI DSS
The University is contractually obligated to comply with PCI DSS in order to continue accepting card payments.
Non-compliance could result in the University losing the privilege of accepting card payments. It could also result in costly fines, increased validation requirements and harm to the University’s reputation.
POS terminals
Sectors needing to comply to the POS terminal measures
All uOttawa point of sale (merchants) that currently accept card payments for goods and services must comply with this standard.
POS terminals measures
In order to help merchant ID responsible people prevent fraud associated with card skimming attacks, uOttawa has implemented the following measures:
- Verification of POS terminals
Merchant ID responsible people and their employees must verify their terminals to ensure they have not been tampered with. - Mandatory training
All employees who use a terminal as part their work functions must complete the mandatory training, which includes how to verify a POS terminal and the terminal environment. - Consent form
Once employees have completed the training, they will be required to sign an electronic form indicating they accept the measures and rules related to PCI DSS.
Steps to preventing POS terminal fraud
The steps to follow to prevent POS terminal fraud depend on the role you play within the POS. The detailed steps are presented in the mandatory online training and are tailored to your role. At any time, you can also refer to the "Checking your POS terminal" Quick Guide found in the Quick Links or Guides, Training and Consent Form sections of this page.
Guides, training and consent form
Guides
- Checking your POS terminal — Quick guide (PDF)
- Merchant ID responsible person’s evaluation checklist (PDF)
Mandatory training
All employees who use a terminal as part their work functions must complete the mandatory training, which includes how to verify a POS terminal and the terminal environment.
Consent form
Once employees have completed the training, they will be required to sign an electronic form indicating they accept the measures and rules related to PCI DSS.
If you discover something suspicious
- Carefully move any POS terminals to a secure area.
- Do not touch anything else, it may be considered a potential crime scene.
- Contact uOttawa Protection Services at 613-562-5411.
Terminology and resources
Terminology
Cardholder data: Any personal data that allows a cardholder to be easily identified: account number, expiry date, name, address, etc.
Merchant or point-of-sales (POS): uOttawa service or sector with approval of Financial Resources to accept debit or credit card payments for goods or services.
Payment card: Debit or credit card.
PCI Security Standards Council (PCI SSC): Organization responsible for establishing norms aiming at protecting users’ credit card data.
Merchant ID responsible person: uOttawa employee in charge of a POS.
POS terminal: ʺA terminal used in place of a cash register in a store for customer checkout and such added functions as recording inventory data, transferring funds and checking credit.ʺ
POS user (POS employee): Any employee working in a uOttawa POS.
Resources
- To find out more about PCI SSC and PCI DSS compliance, visit PCI SSC, where you can find a full range of resources to help you prevent fraud.
- The information in this page was adapted from Information Supplement Skimming Prevention: Best Practices for Merchants (PDF), published by PCI SSC.
- For more information on e-commerce at uOttawa, refer to the section Financial System > E-Commerce on the Accounting, Financial Resources website.