Payment Card Data Security Policy
- Related Documents: Information Classification Standard and Handling Guidelines; Commercial Activities Policy
- Owner: Chief Information Security Officer
- Approver: Chief Financial Officer and Vice President Administration and Operations
- Approval Date(s): June 2019
I. Purpose
1. To communicate the rules and expectations necessary to ensure that Toronto Metropolitan University (the "University") remains in compliance with the Payment Card Industry Data Security Standard (“PCI-DSS”) regulation.
2. The PCI-DSS is a regulation created by the major credit-card companies that defines the protective controls required by all Merchants who store, process, transmit or have access to any form of cardholder data (“CHD”) or sensitive authentication data (“SAD”).
3. PCI-DSS compliance is a requirement that authorizes Merchants to accept card-based payments. Failure to comply with PCI-DSS could result in the University incurring financial penalties and increases the possibility of a sensitive data breach.
II. Scope and Application
1. This Policy applies to all Merchants who accept any form of credit- or debit-card payments (including e-commerce/online or point-of-sale).
2. This Policy applies to the following areas/activities:
a. All applications/systems involved in payment-card processing;
b. All entities/systems/databases that store, process or transmit CHD and/or SAD;
c. All authorized University merchants operating commercial activities with approval as described in the Commercial Activities Policy;
d. Staff, faculty, volunteers, or students who handle or process debit and/or credit-card transactions and data, for academic, administrative or commercial purposes;
e. Third parties who handle or process debit and/or credit transactions and data on the University's behalf, such as vendors, contractors, partners, etc.; and
f. IT staff who develop and maintain payment solutions, or the IT infrastructure that supports those payment solutions.
This Policy does not apply to payments made by cash or cheque.
III. Definitions
1. Cardholder Data (“CHD”): The full credit or debit account number as well as any of the following: cardholder name, expiration date and/or service code.
2. Merchant: Any University entity/department that accepts payment cards (credit or debit) as payment for goods and/or services.
3. Self-Assessment Questionnaire (“SAQ”): A required document which merchants must fill out annually in order to be PCI-DSS certified. There are several different types of SAQ; therefore, it is important to select the questionnaire type best suited to the specific types of transactions conducted by the merchant.
4. Sensitive Authentication Data (“SAD”): Security-related card information, including card magnetic-stripe data, personal identification numbers (PINs), card validation values (CVV), etc.
IV. Policy
Each University Merchant is accountable for maintaining PCI-DSS compliance in accordance with this Policy and any additional requirements described in Appendix A - PCI-DSS Council Requirements. In addition to the implementation of the required business processes and safeguards, Merchants will also be responsible for sharing all costs associated with the operation of the PCI compliance program.
General Requirements
1. Data Sensitivity and Controls: CHD and SAD are classified as highly sensitive data and, as such, must be handled following the controls described in the Information Classification Standard and Handling Guidelines.
2. Cardholder or Sensitive Authentication Data Storage: CHD and SAD must not be stored on any University system. This includes email, PDFs, Excel spreadsheets, databases, shared drives, Word documents, Google Drive, etc.
3. Payment Processing: Merchants must use University-approved, PCI-DSS-certified payment processing services for all card payments. Some examples of approved services include payment PIN pads or authorized virtual terminals directly connected to PCI-certified payment providers.
4. Fax-Based Payment: Fax transmission of CHD is permissible only if the receiving fax machine is a dedicated fax machine (non-multipurpose) and it is connected via analog telephone line and the machine itself is in a secure location.
5. Paper Records: Paper-based records of CHD must be stored in a physically-secure location with highly-restricted access, and when no longer needed these records must be securely destroyed, such as through a University-approved shredding provider.
6. New Payment Methods/Equipment: All merchants seeking to significantly change payment methods (such as switching providers or adding new PIN pads) must first consult with and gain approval from Financial Services and the Chief Information Security Officer.
7. Merchant Duty to Report: All suspected or known policy violations or suspected loss of CHD or SAD must be reported to the Chief Information Security Officer and follow the steps in the Cardholder Data Incident Response Plan and the Privacy Incident Response Process.
8. Clarification of This Policy: Each merchant conducting payment transactions should seek clarification from the Chief Information Security Officer about the interpretation of this Policy.
9. Payment of Fines for PCI Non-Compliance: Each Merchant is responsible for the payment of any fines incurred for PCI-DSS non-compliance.
V. Roles and Responsibilities
1. Merchants shall:
a. Identify and document all of the forms of card-payment activities which occur in their business area and maintain a list of associated systems used to process these payments;
b. Assign responsibility for the following tasks to individual(s) in their department:
i. Inspecting PIN pads, terminals or payment processing workstations for signs of tampering, unauthorized new accounts or card-skimming devices on a weekly basis;
ii. Completing the applicable SAQ on an annual basis and sending it to Financial Services;
iii. Requesting an Attestation of Compliance (AOC) document from all contracted payment processing organizations on an annual basis;
iv. Maintaining an up-to-date list of individuals who may access cardholder data, including full- or part-time employees, temporary employees, volunteers, contractors, or consultants;
v. Ensuring all individuals involved in handling cardholder transactions complete PCI Awareness Training annually when instructed to do so; and
vi. Ensuring that an authorized and certified PCI payment method is used for all card payments;
c. Be accountable for their share of the costs associated with operating the PCI compliance program.
2. Financial Services shall:
a. Annually collect and store all SAQs from merchants;
b. Plan, authorize, and fund external PCI-DSS audits as needed;
c. Review and approve all new merchants and payment providers onboarding;
d. Plan and authorize PCI-DSS awareness training program activities; and
e. Maintain an authorized list of payment providers and PIN pad hardware.
3. Chief Information Security Officer shall:
a. Chair and conduct PCI-DSS Steering Committee meetings on a regular basis. The committee will provide strategic oversight to merchants to ease PCI compliance;
b. Ensure that all PCI-related hardware and systems are properly designed and isolated from all other systems;
c. Provide technical consultation to new merchants on how best to offer payment systems and streamline business processes for card payments;
d. Ensure quarterly external scans are conducted by an Approved Scanning Vendor as required by the PCI-DSS standard; and
e. Assist merchants to complete the SAQs as needed.
4. Internal Audit shall:
a. Consider the applicability of PCI-DSS as part of all audits conducted;
b. Execute PCI-DSS audits for specific merchants if requested by the PCI Steering Committee or executive leadership; and
c. Report PCI-DSS-related audit findings to the PCI Steering Committee.
Appendix A: Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Requirements
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.