Commerce at Western

Financial Services Code of Procedure

These procedures are designed to ensure that all bank card transactions at Western University are conducted in the most secure, confidential and reliable method possible.  All Merchants that accept debit or credit cards for payment must follow these procedures for the protection of cardholder data, along with all University Policies relating to bank card transactions and data security and the most current version of the Payment Card Industry Data Security Standards (PCI DSS).

Policy and Procedure

All Western Merchants must comply with:

This is to ensure the security of cardholder data and to protect the University from reputational, financial and legal liability.

Approval Process

Financial Services must approve all bank card processing activities at the University, including processing transactions online (ecommerce), through an outsourced third party and through point of sale devices.

Departments and units may only accept payments if Merchant Accounts have been established and approved by Financial Services. Merchant Accounts must be established using the University's preferred payment card processing provider(s). Departments and units are prohibited from entering into other payment arrangements with any other service provider(s), including PayPal.

Use of an alternative payment provider and/or payment gateway may be approved on a case-by-case exception by the Bank Card Committee.

Costs

All costs associated with accepting bank card payments will be charged to departmental accounts centrally by Financial Services. These costs include (but are not limited to):

In addition, Merchants will be responsible for any costs associated with achieving and maintaining compliance with PCI DSS, which may include security scanning, auditing and remediation work to ensure PCI compliance. Merchants will also be responsible for costs associated with any security breaches as a result of the non-compliance with the requirements of this policy and associated procedures.

Employee Awareness and Training for Bank Card Processing

Employees must be knowledgeable about how to process bank card transactions and must be aware of the sensitivity of cardholder data. In particular, the credit card number, card verification code, card expiry date and cardholder name comprise information that must be protected at all times. Employees must understand that they are responsible for holding cardholder data in confidence at all times and that it may only be disclosed for a required business purpose.

Unit leaders must know their bank card processes and be aware of their employees and their backgrounds. Hiring managers must complete an appropriate background investigation before hiring candidates who will have access to cardholder data. The background check must be appropriate to the level of access to cardholder data that the position carries. Background investigations can include previous employment history, a criminal record check, enhanced reliability clearance, etc.

Training for bank card processing must be provided to all new employees and at least annually to existing employees.

Employees must be aware of Western's Security Breach Protocol and understand how to report a potential bank card information breach.

All Merchants must complete Western's Unit Self-Assessment Questionnaire annually to signify compliance with all policies and procedures relating to bank card transactions at Western and the PCI DSS.

Methods of Accepting Bank Card Payments

The following methods for accepting debit and credit card payments are permitted:

Use of alternative methods may be approved, on a case-by-case basis, by the Bank Card Committee. To further ensure compliance, all Payment Applications must provide an Attestation of Compliance (AOC) certificate on an annual basis to the Merchant. This AOC must be forwarded to the Bank Card Committee.

Electronic Storage and Transmission of Cardholder Data

The electronic storage of cardholder data at Western University is strictly prohibited. This includes storage on a computer, database or server. Cardholder data must be removed or properly masked before any electronic scanning is completed to archive information.

Electronic media (e-mail, text messaging, etc.) is not a secure method to send or receive cardholder data and is strictly prohibited as a means of accepting cardholder data. Merchants must inform the customer that electronic media is not an accepted form of receiving payment information and provide the customer with a PCI compliant option to process their payment. Merchants are strictly prohibited from processing payments using cardholder data received over electronic media.

If cardholder data is received via e-mail, it must be deleted from all folders. The trash folder must also be purged. If you reply to an e-mail containing cardholder data, this information must be removed.

Fax machines may only be used to receive cardholder data if the machine is connected using an analog phone line. If the fax machine is connected through a network connection, it is considered electronic media and prohibited as a means of accepting cardholder data.

Voicemail is also considered electronic media. If you receive cardholder data via voicemail the message must be deleted immediately. Storing cardholder data on voicemail is strictly prohibited.

Access to Cardholder Data

Access to cardholder data must be limited to those who require this information for business purposes. The assignment of these privileges must be based on job classification and function. Unit leaders must identify and document positions that require access to cardholder data. Privileges and access must be revoked immediately upon termination or reassignment of roles.

Visitors must be authorized before entering areas where cardholder data is processed or stored. Visitors must sign a visitor log, be identified with a visitor badge and be escorted when in highly sensitive areas. This does not include areas where only point of sale devices are present.

All default vendor-supplied passwords must be changed. Operational procedures managing vendor defaults and other security parameters must be documented, in use and known to those who process bank card transactions.

Retention of Cardholder Data

Cardholder data should only be stored for the minimum period of time necessary to process the transaction. Cardholder data must be kept in a secure location at all times (e.g. in a locked cabinet inside a locked room). Storage of cardholder data must be kept to a minimum by implementing data retention and disposal policies.

All cardholder data that is stored must be inventoried. This log should include the card type, cardholder name, last four digits of the primary account number (PAN) and a contact number. The inventory exists so that Merchants can quickly determine which cardholder data is missing in the event of a breach. It must not contain the full PAN, the expiration date or the CVV code. An example of an inventory log sheet can be found on the documentation page.
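As an added illustration (not part of Western's procedures or its documentation page), the following Python helper shows an inventory-log record that keeps only the last four PAN digits, a check that flags a full PAN, expiry date or verification code typed into any field, and the kind of masking the scanning rule above calls for. The field names, the regular expressions and the sample values are assumptions made for this example.

```python
import re

# Assumed detection patterns for this example. PAN_RE matches 13-19 digits,
# optionally separated by single spaces or hyphens, that are not part of a
# longer digit run: the shape of a full primary account number.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])\s*/\s*\d{2}(?:\d{2})?\b")  # MM/YY or MM/YYYY
CVV_RE = re.compile(r"\b(?:cvv|cvc|csc|verification)\b\D{0,10}\d{3,4}", re.IGNORECASE)


def mask_pan(text):
    """Replace every digit of a PAN-like run except the last four with 'X'."""
    def _mask(m):
        s = m.group()
        total = sum(c.isdigit() for c in s)
        seen, out = 0, []
        for c in s:
            if c.isdigit():
                seen += 1
                out.append(c if seen > total - 4 else "X")
            else:
                out.append(c)  # keep the original spacing/hyphens
        return "".join(out)
    return PAN_RE.sub(_mask, text)


def make_inventory_entry(card_type, cardholder_name, pan, contact_number):
    """Build an inventory-log record that stores only the last four PAN digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return {
        "card_type": card_type,
        "cardholder_name": cardholder_name,
        "last_four": digits[-4:],
        "contact_number": contact_number,
    }


def inventory_violations(entry):
    """Names of fields holding a full PAN, an expiry date or a verification code."""
    return [
        field for field, value in entry.items()
        if any(rx.search(str(value)) for rx in (PAN_RE, EXPIRY_RE, CVV_RE))
    ]


if __name__ == "__main__":
    # Constructed sample values; 4111 1111 1111 1111 is a well-known test number.
    entry = make_inventory_entry("Visa", "A. Cardholder", "4111 1111 1111 1111", "519-555-0100")
    print(entry, inventory_violations(entry))
    print(mask_pan("Scan note: paid with 4111 1111 1111 1111"))
```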

Forms should be designed so that the credit card number, verification number and expiry date can be removed (e.g. by placing them at the bottom of the form) after the payment has been processed.

The three or four digit verification code can only be requested if it is necessary to complete a card not present transaction. This code cannot be retained after the authorization of payment.

Transaction records for audit purposes must be retained for a period of seven years. All paper-based records containing credit or debit card information should be kept in a secure area with access restricted to only those employees who require it. All paper-based documents containing credit card information must be inventoried annually.

Western Archives is considered to be a secure and confidential storage location for records that are not required for operational purposes but are needed to satisfy audit requirements.

Disposal of Cardholder Data

Each Merchant must maintain a disposal policy for documents containing cardholder data. All documents containing cardholder data should be properly disposed immediately upon completion of business need.

Cardholder data that is no longer required must be destroyed using a crosscut shredder or through Western’s Eco-Shred program.

Point of Sale Devices

All point of sale (POS) devices must be secured and protected at all times. This includes securing the device in a locked safe, cash drawer and/or area when the device is not in use. Your POS devices must be inspected daily to detect any signs of tampering or replacement of a device.

All employees who operate POS devices, and those who supervise these employees, must be properly trained on the devices. This includes how to detect tampering with a POS device and what to do if tampering is suspected. An incident response plan (Western's Security Breach Plan) must be clearly communicated to all employees and easily accessible (for example, a printed copy kept near the point of sale device).

Merchants with POS devices should refer to the Point of Purchase Integrity Checklist (found here) to ensure proper procedures are followed to secure and inspect their POS devices.

All POS devices must be registered in one of Western's six PCI VLANs. The Merchant must notify the Network Operations Centre (NOC) when a network-connected POS device has been installed and added to the network. The NOC will ensure the device is placed into an appropriate PCI VLAN.

Processing Bank Card Transactions

The ability to process bank card transactions through any payment system (including point of sale terminals) must be limited to those individuals whose job requires such access.

The Merchant must ensure that all transactions represent a legitimate sale of goods or services in the ordinary course of your business. All refunds of bank card transactions must be processed directly back to the card the purchase was made on. No cash refunds shall be given for transactions that were originally processed on a bank card. Your refund and exchange policy must be clearly displayed and communicated to the customer.

The Merchant cannot discriminate against a method of payment that it has agreed to accept. For example, the Merchant must offer chip and PIN technology if it accepts bank card payments through a point of sale terminal.

The Merchant must reconcile daily receipts and record all revenue and bank deposits into PeopleSoft Financials on a timely basis.

Western Merchants must not enter credit card information into a hosted pay page solution on behalf of a customer. This action is prohibited by PCI DSS and by Western.

Western's Security Breach Plan

All Merchant leaders and employees who process or have access to cardholder data must read and understand Western's Security Breach Plan. This plan must be displayed for employees in areas where bank card transactions are processed and where cardholder data is stored.

If a Merchant knows or suspects that cardholder data has been compromised, or that a point of sale device has been tampered with, the incident must be reported following the steps outlined in Western's Security Breach Plan.

Security alerts and information must be monitored, analyzed and distributed to the appropriate personnel. This information can be communicated to the Merchant by the payment processor, the CISO, Financial Services and/or the Bank Card Committee.

Western's Security Breach Plan can be found here.

Changes to Your Bank Card Processing Environment

Any changes in your payment applications and/or your bank card processes that would affect Western's PCI environment must be reported to the Bank Card Committee for approval. This includes changes to the Merchant's business processes relating to bank card processing.