Western's 2020 SAQ Validation

November 20, 2020

Western is required to validate it’s PCI compliance on an annual basis.  We have once again engaged MNP as our Qualified Security Assessor (QSA).   Melanie Dodson Melanie.Dodson@mnp.ca has been assigned to Western to validate our organization wide Self-Assessment Questionnaires (SAQ).  Our QSA will be reviewing our organization remotely November 23rd to November 27th.  She may want to virtually visit randomly selected Western Merchants to validate that proper procedures are being followed when accepting debit or credit card transactions.  With this in mind, the Bank Card Committee would like to highlight a few key areas of our policies and procedures.

Point of Sale Devices

All point of sale (POS) devices must be inspected on a daily basis, at minimum.  This can be done with the Interac or Moneris Point of Purchase Integrity Checklist available here.  If requested, a Western Merchant must be able to produce an inspection log for their POS devices.  All employees who operate POS devices must be properly trained, including training on how to detect if a POS device has been tampered with and what to do if they suspect that a POS device has been tampered with.  The physical protection of these devices is the responsibility of Western Merchants and is a PCI DSS requirement.  You may be asked to provide your daily checklist for review.  If your unit is still working remotely, when operations resume to normal, ensure that you inspect the devices before useThis can be done with the Interac or Moneris Point of Purchase Integrity Checklist

Western’s Security Breach Plan

Western’s Security Breach Protocol must be clearly communicated and easily accessible to all employees.  This protocol gives Western Merchants the proper procedures to follow in reporting a suspected breach of their PCI environment.  Staff should know what to do and who to contact in case of a breach.  Your staff may be asked if they know what to do in case of a breach.

Credit Card Inventory Logs

PCI DSS requires all stored cardholder data to be inventoried, including cardholder data stored only until it can be processed.  This inventory log should include the card type, cardholder name, last four digits of the credit card number and a contact number.  The log must not include the full credit card number, the expiration date or the CVV code.  While the inventory log can be saved electronically (as it does not contain the full account number, expiry date or CVV code) the electronic storage of cardholder data remains strictly prohibited at Western. Western Merchants must be able to produce this inventory list if requested.

Hosted Pay Page Solutions

Western Merchants must never enter credit card numbers into a hosted pay page (HPP) solution on behalf of a customer.  Merchants using a HPP solution should direct all customers to their website to enter credit card data to complete payment.  This is a PCI DSS requirement.  This does not pertain to POS devices.  Merchants processing payments manually, one at a time, through a POS device remains a PCI compliant practice.

Electronic Media

Electronic media (e-mail, text messaging, etc.) is not a secure method to send or receive cardholder data and is strictly prohibited as a means of accepting cardholder data.  Transactions where cardholder data is received via electronic media must not be processed.  Cardholder data should not be accepted over Western campus telephones (VoIP telephones and Jabber). Western VoIP traffic (including Jabber) is not secured and there is risk of unauthorized internal and external access.

Please refer to the Policy and Procedure tab on the Commerce at Western website for the updated Codes of Procedure.


Published on  04/19/2024 19:46:17 and maintained in Cascade CMS.