PCI DSS

Payment cards

The PCI Security Standards Council established the PCI DSS to help protect consumers’ card payment data. 

The University of Ottawa is working on implementing measures to comply with the Payment Card Industry Data Security Standard (PCI DSS). The first phase of the implementation focuses on verifying the University’s point-of-sale (POS) terminals. More measures will follow in the coming months.

PCI DSS standard

The PCI Security Standards Council (PCI SSC) established the Payment Card Industry Data Security Standard (PCI DSS) to help protect consumers’ payment card data. The PCI DSS requires all organizations that process, transmit and store payment card information to comply with a set of data controls, establish IT and physical security measures and meet policy requirements in order to mitigate the risk of loss, theft or abuse of payment card data.

Reasons to comply with PCI DSS

The University is contractually obligated to comply with PCI DSS in order to continue accepting card payments.

Non-compliance could result in the University losing the privilege of accepting card payments. It could also result in costly fines, increased validation requirements and harm to the University’s reputation.

POS terminals

Sectors that must comply with the POS terminal measures

All uOttawa points of sale (merchants) that currently accept card payments for goods and services must comply with this standard.

POS terminal measures

In order to help merchant ID responsible people prevent fraud associated with card skimming attacks, uOttawa has implemented the following measures:

  • Verification of POS terminals
    Merchant ID responsible people and their employees must verify their terminals to ensure they have not been tampered with. 
  • Mandatory training
    All employees who use a terminal as part of their work functions must complete the mandatory training, which includes how to verify a POS terminal and the terminal environment.
  • Consent form
    Once employees have completed the training, they will be required to sign an electronic form indicating they accept the measures and rules related to PCI DSS.

Steps to preventing POS terminal fraud

The steps to follow to prevent POS terminal fraud depend on the role you play within the POS. The detailed steps are presented in the mandatory online training and are tailored to your role. At any time, you can also refer to the "Checking your POS terminal" Quick Guide found in the Quick Links or Guides, Training and Consent Form sections of this page.

Guides, training and consent form

Guides


Mandatory training

All employees who use a terminal as part of their work functions must complete the mandatory training, which includes how to verify a POS terminal and the terminal environment.


Consent form

Once employees have completed the training, they will be required to sign an electronic form indicating they accept the measures and rules related to PCI DSS.

If you discover something suspicious

  • Carefully move any POS terminals to a secure area.
  • Do not touch anything else; the area may be considered a potential crime scene.
  • Contact uOttawa Protection Services at 613-562-5411.

Terminology and resources

Terminology

Cardholder data: Any personal data that allows a cardholder to be easily identified: account number, expiry date, name, address, etc.

Merchant or point of sale (POS): uOttawa service or sector with approval of Financial Resources to accept debit or credit card payments for goods or services.

Payment card: Debit or credit card.

PCI Security Standards Council (PCI SSC): Organization responsible for establishing norms aimed at protecting users’ credit card data.

Merchant ID responsible person: uOttawa employee in charge of a POS.

POS terminal: "A terminal used in place of a cash register in a store for customer checkout and such added functions as recording inventory data, transferring funds and checking credit."

POS user (POS employee): Any employee working in a uOttawa POS.


Resources
