PCI DSS
The PCI Security Standards Council established the PCI DSS to help protect consumers’ card payment data.
The PCI Security Standards Council (PCI SSC) established the Payment Card Industry Data Security Standard (PCI DSS) to help protect consumers’ payment card data. The PCI DSS requires all organizations that process, transmit and store payment card information to comply with a set of data controls, establish IT and physical security measures and meet policy requirements in order to mitigate the risk of loss, theft or abuse of payment card data.
The University of Ottawa is contractually obligated to comply with PCI DSS in order to continue accepting card payments. Non-compliance could result in the University losing the privilege of accepting card payments. It could also result in costly fines, increased validation requirements and harm to the University’s reputation.
Updates
Financial Resources and Information Technology have put together a team to work with the campus sectors to understand the changes needed to ensure the PCI DSS compliance of their online payment applications and ultimately support the adoption and implementation of an action plan to make them compliant. Work with units is scheduled to begin in the fall of 2019.
Other measures were implemented in the past and were focusing on POS terminals and employees using these terminals for processing payments:
- Replacement of all POS terminals with 3G POS terminals
- Mandatory training for all employees using a terminal to process payments
- Mandatory signature of the employee cardholder data compliance statement
Sectors responsibilities
It is mandatory for all uOttawa sectors that process, transmit and store payment card information to comply with PCI DSS. They need to ensure that their systems and payment infrastructure are secure and that employees who have access to this information follow the standard and get the appropriate training.
POS terminals
The information in this section is aimed at employees processing card payments for goods and services using POS terminals.
POS terminals measures
In order to help merchant ID responsible people prevent fraud associated with card skimming attacks, uOttawa has implemented the following measures:
- Verification of POS terminals
Merchant ID responsible people and their employees must verify their terminals to ensure they have not been tampered with. - Mandatory training
All employees who use a terminal as part their work functions must complete the mandatory training, which includes how to verify a POS terminal and the terminal environment. - Consent form
Once employees have completed the training, they will be required to sign an electronic form indicating they accept the measures and rules related to PCI DSS.
Steps to preventing POS terminal fraud
The steps to follow to prevent POS terminal fraud depend on the role you play within the POS. The detailed steps are presented in the mandatory online training and are tailored to your role. At any time, you can also refer to the "Checking your POS terminal" Quick Guide found in the Quick Links or Guides, Training and Consent Form sections of this page.
Guides, training and consent form
Guides
- Checking your POS terminal — Quick guide (PDF)
- Merchant ID responsible person’s evaluation checklist (PDF)
Mandatory training
All employees who use a terminal as part their work functions must complete the mandatory training, which includes how to verify a POS terminal and the terminal environment.
Consent form
Once employees have completed the training, they will be required to sign an electronic form indicating they accept the measures and rules related to PCI DSS.
If you discover something suspicious
- Carefully move any POS terminals to a secure area.
- Do not touch anything else, it may be considered a potential crime scene.
- Contact uOttawa Protection Services at 613-562-5411.
Terminology and resources
Terminology
Cardholder data: Any personal data that allows a cardholder to be easily identified: account number, expiry date, name, address, etc.
Merchant or point-of-sales (POS): uOttawa sector with approval of Financial Resources to accept debit or credit card payments for goods or services.
Payment card: Debit or credit card.
PCI Security Standards Council (PCI SSC): Organization responsible for establishing norms aiming at protecting users’ credit card data.
Merchant ID responsible person: uOttawa employee in charge of a POS.
POS terminal: ʺA terminal used in place of a cash register in a store for customer checkout and such added functions as recording inventory data, transferring funds and checking credit.ʺ
POS user (POS employee): Any employee working in a uOttawa POS.
Resources
- To find out more about PCI SSC and PCI DSS compliance, visit PCI SSC, where you can find a full range of resources to help you prevent fraud.
- The information in this page was adapted from Information Supplement Skimming Prevention: Best Practices for Merchants (PDF), published by PCI SSC.
- For more information on e-commerce at uOttawa, refer to the section Financial System > E-Commerce on the Accounting, Financial Resources website.