Financial Services Code of Procedure
These procedures are designed to ensure that all cardholder data transactions at Western University are conducted in the most secure, confidential and reliable manner possible. All Merchants that accept cardholder data for payment must follow these procedures for the protection of cardholder data, along with all University Policies relating to cardholder data transactions and data security and the most current version of the Payment Card Industry Data Security Standard (PCI DSS).
Policy and Procedure
All Western Merchants must comply with:
- the most current version of the PCI DSS;
- the terms and conditions of the Merchant Agreement with the Merchant Account Provider (this agreement can be obtained from Financial Services);
- all Card Brand Rules and Regulations and the operating manual of any point of sale device;
- Western's Long Range Mobile Device Guidelines;
- Western University Financial Procedures.
This is to ensure the security of cardholder data and to protect the University from reputational, financial and legal liability.
Approval Process
Financial Services must approve all cardholder data processing activities at the University, including processing transactions online (
Departments and units may only accept payments if Merchant Accounts have been established and approved by Financial Services. Merchant Accounts must be established using the University's preferred payment card processing provider(s). Departments and units are prohibited from entering into other payment arrangements with any other service provider(s), including PayPal.
Use of an alternative payment provider and/or payment gateway may be approved on a case-by-case exception by the Bank Card Committee.
Costs
All costs associated with accepting cardholder data payments will be charged to departmental accounts centrally by Financial Services. These costs include (but are not limited to):
- Setup fees;
- Transaction fees;
- Merchant discount fees;
- Monthly service fees;
- Terminal and accessory fees.
In addition, Merchants will be responsible for any costs associated with achieving and maintaining compliance with PCI DSS, which may include security scanning, auditing and remediation work to ensure PCI compliance. Merchants will also be responsible for costs associated with any security breaches as a result of the non-compliance with the requirements of this policy and associated procedures.
Methods of Accepting Cardholder Data Payments
The following methods for accepting debit and credit card payments are permitted:
- Point of Sale (POS) processing using the designated payment processor;
- eCommerce solutions using an approved payment gateway which provides web-based processing using a PCI compliant service provider. This ensures cardholder data is not entered into a web page which is hosted on Western's network.
Use of alternative methods may be approved, on a case-by-case basis, by the Bank Card Committee.
Processing Cardholder Data Transactions
The ability to process cardholder data transactions through any payment system (including point of sale terminals) must be limited to those individuals whose job requires such access. [see Hiring, Training and Employee Awareness for Cardholder Data Processing]
The Merchant must ensure that all transactions represent a legitimate sale of goods or services in the ordinary course of its business. All refunds of bank card transactions must be processed directly back to the card on which the purchase was made. No cash refunds shall be given for transactions that were originally processed on a bank card. The Merchant's refund and exchange policy must be clearly displayed and communicated to the customer.
The Merchant must reconcile daily receipts and record all revenue and bank deposits in PeopleSoft Financials on a timely basis. A journal line to the correct general ledger bank account must be completed for each day and for each total by card type (i.e. VISA and MasterCard). The line description should include the unit name, card type and date of the transactions.
Merchants must never enter cardholder data into an e-commerce solution on behalf of a customer. Merchants should direct all customers to their website to enter credit card data to complete payment. To ensure merchants are not entering cardholder data on behalf of customers, PCI Mode in the Moneris Merchant Resource Centre (MRC) should be enabled. This does not apply to POS devices: processing payments manually through a POS device remains a PCI compliant practice.
Accepting Cardholder Data
Cardholder data can be received through several channels. It is prohibited to collect and store cardholder data in electronic format at Western University. This includes storage on a computer, tablet, mobile device, USB drive, removable media, database, server, etc. Cardholder data must be removed or properly masked before any electronic scanning is completed to archive information.
Electronic media (e-mail, text messaging, etc.) are not secure methods to send or receive cardholder data and are strictly prohibited as a means of accepting cardholder data. If cardholder data is received via e-mail, it must be deleted from both the inbox and the deleted items folder, and the trash folder must be purged. If you reply to an e-mail containing cardholder data, this information must be removed from the reply. Transactions where cardholder data is received via electronic media must not be processed.
Cardholder data should not be accepted over Western campus telephones or messaging applications (VoIP telephones, MS Teams, Zoom etc.). VoIP traffic containing cardholder data is in scope for applicable PCI DSS controls wherever that traffic is stored, processed or transmitted internally over an entity’s network. Western VoIP traffic is not secured and there is risk of unauthorized internal and external access.
Contact the Bank Card Committee to discuss other options available.
Access to Cardholder Data
Access to cardholder data must be limited to those who require this information for business purposes. [see Hiring, Training and Employee Awareness for Cardholder Data Processing] These responsibilities must be assigned, documented, understood and acknowledged.
Visitors must be authorized before entering areas where cardholder data is processed or stored. Visitors must sign a visitor log, be identified with a visitor badge and be escorted when in highly sensitive areas. This does not include areas where
Retention of Cardholder Data
The electronic storage of cardholder data at Western University is strictly prohibited. This includes storage on a computer, database or server. Cardholder data must be removed or properly masked before any electronic scanning is completed to archive information.
Cardholder data should only be stored for the minimal period of time necessary to process the transaction. Cardholder data must be kept in a secure location at all times (e.g. in a locked cabinet inside a locked room). Storage of cardholder data must be kept to a minimum by implementing data retention and disposal policies.
All cardholder data that is stored must be inventoried. This log should include the card type, cardholder name, last four digits of the primary account number and a contact number. This inventory is to ensure that Merchants can easily determine which cardholder data is missing in the event of a breach. The inventory must not contain the full primary account number, the expiration date or the card verification code (CVC, CVV, CVV2, etc.). An example of an inventory log sheet can be found on the documentation page.
Forms should be designed to allow for the removal of the credit card number, verification code and expiry date (e.g. by placing them at the bottom of the form) after the payment has been processed.
The three or four digit card verification code (CVC, CVV, CVV2, etc.) can only be requested if it is necessary to complete a card
Transaction records for audit purposes must be retained for a period of seven years. All paper-based records containing credit or debit card information should be kept in a secure area with access restricted to only those employees who require it.
Western Archives is considered to be a secure and confidential storage location for records that are not required for operational purposes but are needed to satisfy audit requirements.
Disposal of Cardholder Data
Each Merchant must maintain a disposal policy for documents containing cardholder data. All documents containing cardholder data should be properly disposed of as soon as the business need for them ends.
Cardholder data that is no longer required must be destroyed using a crosscut shredder or through Western’s confidential shredding program. See Western's Preferred Vendor List to find contact information for Western’s preferred shredding services vendor.
Security of Point of Sale Devices
All POS devices (except long-range cellular devices) must be placed in the dedicated PCI VLAN. Communication bases for long-range cellular devices that allow for an IP network connection must also be placed in the dedicated PCI VLAN. If you are unsure whether your device is in the PCI VLAN, please contact the Security Operations Center at security@uwo.ca. The Merchant must notify the Security Operations Center when a network-connected POS device has been installed and added to the network. The NOC will ensure the device is placed into an appropriate PCI VLAN.
Assign an individual to be responsible for the security of the POS devices in your unit and inform Financial Services. This individual should be separate from the user of the device. They must maintain an up-to-date list of devices, including make, model, location and serial number. They are also responsible for assigning responsibility for, and maintaining, a sign-out/sign-in procedure for long-range cellular devices, permitted only to authorized users. The authorized user is responsible for maintaining a chain of custody for the device during the signed-out period (this requires always keeping the device in sight, on-person or securely stored). Ensure a separate individual (or supervisor) confirms the device has been returned.
You must disable Wi-Fi, Bluetooth and all unnecessary functionality.
All point of sale (POS) devices must be secured and protected at all times. Physical protection of these devices is the responsibility of Western Merchants and is a PCI DSS requirement. This includes securing the device in a locked safe, cash drawer and/or other secured area when the device is not in use.
All point of sale (POS) devices must be inspected on a daily basis, at
All employees who operate POS devices must be properly trained, including training on how to detect if a POS device has been tampered with and what to do if they suspect that a POS device has been tampered with. [see Hiring, Training and Employee Awareness for Cardholder Data Processing]
An incident response plan (Western’s Incident and Breach Reporting Protocol) must be clearly communicated and easily accessible to all employees.
Hiring, Training and Employee Awareness for Cardholder Data Processing
Unit Leaders are responsible for knowing their cardholder data processes, and for identifying which positions have the ability to process cardholder data transactions and access cardholder data or the cardholder data environment. The assignment of these privileges must be based on job classification and function, and should include the appropriate level of awareness and adherence to the PCI standard. These privileges, access, and required knowledge should be documented in the corresponding job description. These responsibilities must be assigned, documented, understood and acknowledged.
All default vendor-supplied passwords must be changed. Operational procedures managing vendor defaults and other security parameters must be documented, in use and known to those who process cardholder data.
Privileges and access must be revoked immediately upon termination or reassignment of roles.
Hiring managers must complete the appropriate level of background check prior to hiring potential candidates that will have access to cardholder data. The background check necessary must be appropriate for the level of access to cardholder data of the position. Background checks can include reference checks and/or a criminal background check. As the level of access to cardholder data increases, the level of
For example, a cashier who only has access to one card at a time would only be required to have a reference check, but an employee who has access to multiple credit cards would be required to have a more detailed background check.
If you have any questions regarding what level of background check is required, please contact Sue Veraart, HR Specialist, Talent, Learning & Engagement, Human Resources (ext. 85561).
Training for bankcard processing must be provided to all new employees and at least annually to existing employees.
Employees must be knowledgeable about how to process cardholder data and must be aware of the sensitivity of cardholder data. In particular, the credit card number, card verification code, card expiry date and cardholder name comprise information that must be protected at all times.
Employees must understand that they are responsible to hold cardholder data in confidence at all times and that it should only be disclosed for a required business purpose.
Unit leaders and employees who process cardholder data must be aware of and abide by the Bank Card Policies and Procedures at Western, including Western's Incident and Security Reporting Protocol.
All Merchants must complete Western's Unit Self-Assessment Questionnaire annually to signify compliance with all policies and procedures relating to cardholder data at Western and the PCI DSS. In addition, merchants may be asked to provide information on an ad-hoc basis and participate in interviews with our PCI external auditors/assessors.
Western's Security Breach Plan
All Merchant leaders and employees who process or have access to cardholder data must read and understand Western's Incident and Breach Reporting Protocol and understand how to report a potential cardholder data breach or POS device tampering. Ensure the Incident and Breach Reporting Protocol is displayed for employees in areas where cardholder data is collected, processed, transmitted or stored, and that employees know the first point of contact in the event of a suspected breach. If a unit leader knows or suspects that cardholder data has been compromised or that a point-of-sale (POS) device has been tampered with, the incident must be reported using the Incident and Breach Reporting Protocol.
Western’s Incident and Breach Reporting Protocol should also be used if there is a suspected breach of cardholder data that is collected, processed, redirected, transmitted and/or stored by 3rd party service providers.
Security alerts and information must be monitored, analyzed and distributed to the appropriate personnel. This information can be communicated to the Merchant by the payment processor, the CISO, Financial Services and/or the Bank Card Committee.
3rd Party Service Providers
The use of 3rd party service providers does not relieve merchants of their PCI compliance responsibilities. Merchants that use 3rd party service providers to collect, transmit, redirect, process or store cardholder data should always exercise due diligence before engaging a service provider. The due diligence process should include confirmation that the service provider can support Western’s security policies and procedures, including our PCI DSS compliance requirements. Service providers need to demonstrate PCI DSS compliance that covers all aspects of the services to be provided. The merchant should also have a detailed understanding of the access required by each connected-to service provider, and how that access could impact the security of our cardholder data environment.
Merchants must:
- Go through the TRAC (Technology Risk Assessment Committee) process either before using 3rd party service providers/applications or at time of renewal of an existing agreement;
- Understand and/or implement strategies to mitigate risks identified through the TRAC process;
- Maintain and implement policies and procedures to manage service providers, with whom cardholder data is shared, or that could affect the security of cardholder data. This includes e-commerce sites with service providers;
- Maintain a list of service providers including a description of the service provided (excluding Moneris);
- Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the merchant, or to the extent that they could impact the security of the merchant’s cardholder data environment;
- Ensure service providers are PCI DSS compliant by obtaining, reviewing and keeping on file the most recent Attestation of Compliance (AOC). A new AOC should be obtained after the current one expires to ensure revalidation has taken place. The AOC should confirm that all services provided are covered and should be signed by a QSA (Qualified Security Assessor);
- Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the merchant by obtaining the PCI Responsibility Matrix from the service provider;
- Ensure all merchant responsibilities identified in the responsibility matrix are assigned, documented and understood;
- Provide all the above to the Bank Card Committee for the annual PCI Compliance audit or upon request.
Changes to Your Cardholder Data Environment
Any changes in your payment applications and/or your cardholder data processes that would affect Western's PCI environment must be reported to the Bank Card Committee and/or Technology Risk Assessment Committee (TRAC) for approval. This includes changes to the Merchant's business processes relating to cardholder data processing.