What is Payment Card Industry (PCI) and what are my responsibilities?
Payment Card Industry (PCI) requirements are a set of standards and practices with which all organizations that accept debit and credit card payments must comply. The requirements relate to the collection, storage and transmission of card data. University Systems is required to scan and provide secure processes to transmit data. Financial Services is required to complete an annual audit and confirm user training to ensure that our certification is maintained. Each departmental merchant is responsible for ensuring that their system users are properly trained and that their department processes comply with PCI requirements.
Data Security Standards were developed in an effort to reduce credit card fraud by protecting cardholder information. An annual audit is completed to ensure compliance. Non-compliance by one department or merchant can result in withdrawal of card services for the entire university.
The main PCI responsibility for merchants is to protect cardholder information by:
- Only processing card information through pre-approved methods and systems:
  - In-person transactions using a Moneris PED device
  - Self-serve online transactions through a secure webpage that accesses Moneris systems
  - Staff-assisted online transactions through a secure webpage accessed on a UVic computer installed with Data Loss Prevention software
- Preventing unauthorized recording of card information:
  - Ensure that cardholder information is not stored or recorded when processing in-person or self-serve online transactions
  - For staff-assisted online transactions:
    - Enter information only through a secure webpage accessed on a UVic computer installed with Data Loss Prevention software
    - If cardholder information is conveyed over the phone, enter the information without recording it on paper
    - If cardholder information is received by mail or fax, enter the transaction information as soon as possible after receipt. Ensure that the information is stored securely until it is entered into the secure webpage and is shredded immediately after entering.
- Never sending or receiving cardholder information electronically through email, text or instant messaging
The six main goals of the Data Security Standards are:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management system
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Financial Services, University Systems and each department merchant need to work together to ensure that all aspects of the PCI requirements are met:
| Requirement | Financial Services | University Systems | Dept Merchant |
|---|---|---|---|
| Install and maintain a firewall configuration to protect cardholder data | Y | | |
| Do not use vendor-supplied defaults for system passwords and other security parameters | Y | Y | Y |
| Protect stored cardholder data | Y | | |
| Encrypt transmission of cardholder data across open, public networks | Y | | |
| Use and regularly update anti-virus software or programs | Y | Y | |
| Develop and maintain secure systems and applications | Y | | |
| Restrict access to cardholder data by business need to know | Y | Y | |
| Assign a unique ID to each person with computer access | Y | Y | |
| Restrict physical access to cardholder data | Y | | |
| Track and monitor all access to network resources and cardholder data | Y | | |
| Regularly test security systems and processes | Y | Y | |
| Maintain a policy that addresses information security for all personnel | Y | Y | |