Credit Cards and Payment Card Industry (PCI)
Compliance
All Carleton University departments that accept credit card payments must process those payments in a manner compliant with the Payment Card Industry Data Security Standard (PCI DSS). These requirements were developed by the founders of the PCI Security Standards Council which include American Express, Visa International Inc., MasterCard Worldwide and Discover Financial Services.
Compliance with PCI DSS is not an option. Compliance protects Carleton University from adverse financial consequences and ensures the University’s excellent reputation.
On this page you will find the following information:
- Merchant Responsibilities
- Storage and Access of Cardholder Data
- Training
- Security Incident Response Plan – PDF version
- Resources
Merchant Responsibilities
Below is a high level summary of responsibilities to help merchants gain confidence in achieving mandatory PCI compliance. For a detailed account, please read the Cardholder Data Handling Procedures.
In General:
- The ongoing protection of cardholder data
- Awareness of and adherence to the standards and directives outlined in the Cardholder Data Handling Policy/Protocol
- Ensuring that safeguards designed to protect cardholder data are not tampered with or modified
- Immediately reporting suspected security breaches to Business Operations, Financial Services
- Completing an annual PCI self-assessment questionnaire
- Obtaining guidance from Business Operations when making any changes to credit/debit card processing
Staff/Training:
- Completing annual eLearning course on cardholder data protection standards and practices
- Ensuring all staff complete training prior to accessing cardholder data
Collection of /Processing Cardholder Data:
- Being aware of which cardholder data may be collected and for what purpose
- Processing web-based payments using a PCI-compliant provider approved by Business Operations
- Obtaining formal approval from Business Operations prior to processing when the card/customer are not present (other than via an approved e-commerce solution)
- Following best practice to never accept cardholder data via email
- Adhering to the strict protocols outlined in the cardholder policy if a business purpose exists requiring use of telephone or fax to collect cardholder information
- Restricting access to areas where cardholder data is processed
- Configuring 20/20 terminals to be PCI compliant
- Using a single purpose workstation that has been configured for PCI compliance when using a virtual terminal
Storage of Cardholder Data:
- Remaining cognizant of what data may be stored and what must be destroyed immediately
- Retaining physical copies of cardholder data only as long as there is a valid business purpose
- Masking card numbers on printed receipts and stored documents
- Locking physical copies of cardholder data in a secure area
- Restricting and monitoring access to areas where cardholder data is stored
- Ensuring cardholder data is not stored in electronic format (laptops, flash drives, etc)
- Maintaining an inventory log of all media containing cardholder data
- Properly destroying all cardholder data in a timely manner, including a quarterly review
Storage and Access of Cardholder Data
| Data Element | Storage Permitted (while business need) |
Render Stored Account Data Unreadable |
|
| Cardholder data | primary account number (PAN) | yes | yes |
| cardholder name | yes | no | |
| expiration date | yes | no | |
| Sensitive authentication data | full magnetic stripe data | no | cannot store |
| CAV2/ CVC2/ CVV2/ CID | no | cannot store after authorization, even if encrypted | |
| PIN/ PIN block | no | cannot store |
Training
Security Incident Response Plan
The ‘Cardholder Data Security Incident Response Plan‘ is the process to be followed for responding to security incidents involving the unauthorized disclosure or modification of cardholder data (as defined by the Payment Card Industry (PCI) Data Security Standard). A security incident refers to malicious attempt, either successful or unsuccessful, by an unauthorized party to negatively impact the confidentiality or integrity of cardholder data is within scope of this incident response plan.