Risk Management & Audit Code of Procedure
-
You agree to provide to Internal Audit information when requested for the purpose of verifying compliance with:
- Bank Card Policy;
- Security Standards of the Payment Processor;
- The Security Standards of the Card Associations, including the Payment Card Industry Data Security Standards (PCI DSS).
-
Units that do not process e-commerce transactions through the central credit card processor must engage a third-party auditor that is approved by PCI to assess compliance with the PCI DSS.
-
The unit must pass the audit prior to the Bank Card Committee approving the use of electronic payments.
-
The unit must arrange for quarterly external scans of their network.
-
Contact the Bank Card Committee to engage the external auditor and arrange for quarterly scans.
-
The unit will also need to arrange for on-going third-party audits to prove their continuing compliance with the PCI DSS.
-
Units interested in implementing or using software from an outside entity that accepts payments on behalf of Western, should refer to the Technology Risk Assessment.
-
If a security breach relating to bank card transaction occurs, the unit will require a third-party audit.
-
The unit is responsible to pay costs associated with the audits and quarterly scans.
-
Annually the Bank Card Committee will complete a formal risk assessment to identify existing and new threats and vulnerabilities relating to processing bank card transactions and to ensure that policies and practices are in place to reduce the impact of the threat or vulnerability.