á Commerce at Western Commerce at Western

Financial Services Code of Procedure

These procedures are designed to ensure that all bank card transactions at Western University are conducted in the most secure, confidential and reliable method possible.  All Merchants that accept debit or credit cards for payment must follow these procedures for the protection of cardholder data, along with all University Policies relating to bank card transactions and data security and the most current version of the Payment Card Industry Data Security Standards (PCI DSS).

Policy and Procedure

All Western Merchants must comply with:

This is to ensure the security of cardholder data and to protect the University from reputational, financial and legal liability.

Approval Process

Financial Services must approve all bank card processing activities at the University, including processing transactions online (eCommerce), though an outsourced third party and through point of sale devices.

Departments and units may only accept payments if Merchant Accounts have been established and approved by Financial Services. Merchant Accounts must be established using the University's preferred payment card processing provider(s). Departments and units are prohibited from entering into other payment arrangements with any other service provider(s), including PayPal.

Use of an alternative payment provider and/or payment gateway may be approved on a case-by-case exception by the Bank Card Committee.


All costs associated with accepting bank card payments will be charged to departmental accounts centrally by Financial Services. These costs include (but are not limited to):

In addition, Merchants will be responsible for any costs associated with achieving and maintaining compliance with PCI DSS, which may include security scanning, auditing and remediation work to ensure PCI compliance. Merchants will also be responsible for costs associated with any security breaches as a result of the non-compliance with the requirements of this policy and associated procedures.

Methods of Accepting Bank Card Payments

The following methods for accepting debit and credit card payments are permitted:

Use of alternative methods may be approved, on a case-by-case basis, by the Bank Card Committee. To further ensure compliance, all Payment Applications must provide an Attestation of Compliance (AOC) certificate on an annual basis to the Merchant. This AOC must be forwarded to the Bank Card Committee.

Processing Bank Card Transactions

The ability to process bank card transactions through any payment system (including point of sale terminals) must be limited to those individuals whose job requires such access. [see Hiring, Training and Employee Awareness for Bank Card Processing]

The Merchant must ensure that all transactions represent a legitimate sale of goods or services in the ordinary course of your business. All refunds of bank card transactions must be processed directly back to the card the purchase was made on. No cash refunds shall be given for transactions that were originally processed on a bank card. Your refund and exchange policy must be clearly displayed and communicated to the customer.

The Merchant cannot discriminate against a method of payment that it has agreed to accept. For example, the merchant must offer chip and pin technology if the merchant accepts bank card payments through a point of sale terminal.

The Merchant must reconcile daily receipts and record all revenue and bank deposits into PeopleSoft Financials on a timely basis.  A journal line into the correct general ledger bank account must be completed for each day and for each total by card type (ie. VISA and MasterCard).  The line description should include the unit name, card type and date of transactions.

Merchants must never enter credit card numbers into a hosted pay page (HPP) solution on behalf of a customer.  Merchants using a HPP solution should direct all customers to their website to enter credit card data to complete payment.  This is a PCI DSS requirement.  This does not pertain to POS devices.  Merchants processing payments manually through a POS device remains a PCI compliant practice.

Accepting Cardholder Data

Cardholder data can be received through several channels. It is prohibited to collect and store cardholder data in electronic format at Western University. This includes on a computer, tablet, mobile device, USB drive, removable media, database, server etc. Cardholder data must be removed or properly masked before any electronic scanning is completed to archive information.

Electronic media (e-mail, text messaging, etc.) is not a secure method to send or receive cardholder data and is strictly prohibited as a means of accepting cardholder data. If cardholder data is received via e-mail, it must be deleted from both the inbox and deleted items folder. The trash folder must be purged. If you reply to an e-mail containing cardholder data, this information must be removed. Transactions where cardholder data is received via electronic media must not be processed.

Cardholder data should not be accepted over Western campus telephones or messaging applications (VoIP telephones, MS Teams, Zoom etc.). VoIP traffic containing cardholder data is in scope for applicable PCI DSS controls wherever that traffic is stored, processed or transmitted internally over an entity’s network. Western VoIP traffic is not secured and there is risk of unauthorized internal and external access. 

Contact the Bank Card Committee to discuss other options available. 

Access to Cardholder Data

Access to cardholder data must be limited to those who require this information for business purposes. [see Hiring, Training and Employee Awareness for Bank Card Processing]

Visitors must be authorized before entering areas where cardholder data is processed or stored. Visitors must sign a visitor log, be identified with a visitor badge and be escorted when in highly sensitive areas. This does not include areas where only point of sale devices are present.

All default vendor-supplied passwords must be changed. Operational procedures managing vendor defaults and other security parameters must be documented, in use and known to those who process bank card transactions.

Retention of Cardholder Data

The electronic storage of cardholder data at Western University is strictly prohibited. This includes storage on a computer, database or server. Cardholder data must be removed or properly masked before any electronic scanning is completed to archive information.

Cardholder data should only be stored for the minimal period of time necessary to process the transaction. Cardholder data must be kept in a secure location at all times (i.e. in a locked cabinet, inside of a locked room). Storage of cardholder data must be kept to a minimum by implementing data retention and disposal policies.

All cardholder data that is stored must be inventoried.  This log should include the card type, cardholder name, last four digits of the personal account number and a contact number.  This inventory is to ensure that Merchants can easily determine the cardholder data that is missing in the event of a breach.  This inventory must not contain the full personal account number, the expiration date or the card verification code (CVC, CVV, CVV2, etc.)  An example of an inventory log sheet can be found on the documentation page.

Forms should be designed to allow for the removal of the credit card number, verification number and expiry date (i.e. at the bottom of the form) after the payment has been processed.

The three or four digit card verification code (CVC, CVV, CVV2, etc.) can only be requested if it is necessary to complete a card not present transaction. This code must never be stored after authorization of payment. If the code is written down to process a transaction, it must be destroyed with a crosscut shedder or Western's Eco-Shred program. This is a PCI DSS Requirement.

Transaction records for audit purposes must be retained for a period of seven years. All paper-based records containing credit or debit card information should be kept in a secure area with access restricted to only those employees who require it. 

Western Archives is considered to be a secure and confidential storage location for records that are not required for operational purposes but are needed to satisfy audit requirements.

Disposal of Cardholder Data

Each Merchant must maintain a disposal policy for documents containing cardholder data. All documents containing cardholder data should be properly disposed immediately upon completion of business need.

Cardholder data that is no longer required must be destroyed using a crosscut shredder or through Western’s Eco-Shred program.

Security of Point of Sale Devices

All POS devices must be registered in one of Western's PCI VLANs.  The Merchant must identify to the Network Operations Centre (NOC) a network connected POS device has been installed and added to the network.  The NOC will ensure the device is placed into an appropriate PCI VLAN.

All point of sale (POS) devices must be secured and protected at all times. Physical protection of these devices is the responsibility of Western Merchants and is a PCI DSS requirement. This includes securing the device in a locked safe, cash drawer and/or area when the device is not in use.

All point of sale (POS) devices must be inspected on a daily basis, at minimum. Merchants with POS devices should refer to the Point of Purchase Integrity Checklist (found here) to ensure proper procedures are followed to secure and inspect their POS devices.  If requested, a Western Merchant must be able to produce an inspection log for their POS devices. 

All employees who operate POS devices must be properly trained, including training on how to detect if a POS device has been tampered with and what to do if they suspect that a POS device has been tampered with. [see Hiring, Training and Employee Awareness for Bank Card Processing]

An incident response plan (Western’s Security Breach Plan) must be clearly communicated and easily accessible to all employees.

Hiring, Training and Employee Awareness for Bank Card Processing

Unit Leaders are responsible for knowing their bank card processes and for identifying which positions have the ability to process bank card transactions and access cardholder data or the cardholder data environment. The assignment of these privileges must be based on job classification and function and should include the appropriate level of awareness and adherence to the PCI standard.  These privileges, access, and required knowledge should be documented in the corresponding job description.  Privileges and access must be revoked immediately upon termination or reassignment of roles. 

Hiring managers must complete the appropriate level of background check prior to hiring potential candidates that will have access to cardholder data.  The background check necessary must be appropriate for the level of access to cardholder data of the position. Background checks can include reference checks and/or a criminal background check. As the level of access to cardholder data increases, the level of background check must also increase.

Example, a cashier who only has access to one card at a time would only be required to have a reference check, but an employee who has access to multiple credit cards would be required to have a more detailed background check.    

If you have any questions regarding what level of background check is required, please contact Sue Veraart, Talent Acquisition Specialist, Human Resources (ext. 85561).

Training for bankcard processing must be provided to all new employees and at least annually to existing employees.

Employees must be knowledgeable about how to process bank card transactions and must be aware of the sensitivity of cardholder data. In particular, the credit card number, card verification code, card expiry date and cardholder name comprise information that must be protected at all times. Employees must understand that they are responsible to hold cardholder data in confidence at all times and that it should only be disclosed for a required business purpose.

Unit leaders and employees who process bank card transactions must be aware of and abide by the Bank Card Policies and Procedures at Western, including Western's Security Breach Plan

All Merchants must complete Western's Unit Self-Assessment Questionnaire annually to signify compliance with all policies and procedures relating to bank card transactions at Western and the PCI DSS.

Western's Security Breach Plan

All Merchant leaders and employees who process or have access to cardholder data must read and understand Western's Security Breach Plan, including Western's Security Breach Protocol and understand how to report a potential bank card information breach. This protocol must be displayed for employees in areas where bank card transactions are processed and where cardholder data is stored.

If a Merchant knows or suspects that cardholder data has been compromised, or that a point of sales device has been tampered with, the incident must be reported following the steps outlined in Western's Security Breach Plan.

Security alerts and information must be monitored, analyzed and distributed to the appropriate personnel.  This information can be communicated to the Merchant by the payment processor, the CISO, Financial Services and/or the Bank Card Committee.

Changes to Your Bank Card Processing Environment

Any changes in your payment applications and/or your bank card processes that would affect Western's PCI environment must be reported to the Bank Card Committee for approval. This includes changes to the Merchant's business processes relating to bank card processing.