Western's 2021 PCI SAQ Validation

November 16, 2021

Western is required to validate its PCI compliance on an annual basis. We have once again engaged MNP as our Qualified Security Assessor (QSA). Alistair Thompson (Alistair.Thompson@mnp.ca) has been assigned to Western to validate our organization-wide Self-Assessment Questionnaires (SAQ). Our QSA will be reviewing our organization remotely from November 22nd to November 26th. He may want to virtually visit randomly selected Western Merchants to validate that proper procedures are being followed when accepting debit or credit card transactions. With this in mind, the Bank Card Committee would like to highlight a few key areas of our policies and procedures.

Point of Sale Devices

  1. All point of sale (POS) devices must be inspected on a daily basis, at minimum. This can be done with the Interac or Moneris Point of Purchase Integrity Checklist available here.  If requested, a Western Merchant must be able to produce an inspection log for their POS devices. 
  2. All employees who operate POS devices must be properly trained.
  3. All employees who operate POS devices must be properly trained on how to detect if a POS device has been tampered with and what to do if they suspect that a POS device has been tampered with.  The physical protection of these devices is the responsibility of Western Merchants and is a PCI DSS requirement.  You may be asked to provide your daily checklist for review. 

Western’s Security Breach Plan

Western’s Security Breach Protocol must be clearly communicated and easily accessible to all employees.  This protocol gives Western Merchants the proper procedures to follow in reporting a suspected breach of their PCI environment.  Staff should know what to do and who to contact in case of a breach.  Your staff may be asked if they know what to do in case of a breach.

Credit Card Inventory Logs

PCI DSS requires all stored cardholder data to be inventoried, including cardholder data stored only until it can be processed.  This inventory log should include the card type, cardholder name, last four digits of the credit card number and a contact number.  The log must not include the full credit card number, the expiration date or the CVV code.  While the inventory log can be saved electronically (as it does not contain the full account number, expiry date or CVV code), the electronic storage of cardholder data remains strictly prohibited at Western.  Western Merchants must be able to produce this inventory list if requested.
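A defensive check that an inventory log record carries only the fields described above and has not accidentally captured a full card number, an expiry date or a CVV. This is an added example, not Western's or MNP's code; the field names and the sample records are assumed.

```python
import re

# Fields an inventory entry may carry, per the notice (assumed key names).
ALLOWED_FIELDS = {"card_type", "cardholder_name", "last_four", "contact_number"}
# Field names that show prohibited data was captured outright.
FORBIDDEN_FIELDS = {"pan", "card_number", "expiry", "expiration", "cvv", "cvc", "security_code"}

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(value: str) -> bool:
    """Detect a full card number in free text: 13-19 digits (spaces/dashes allowed) passing Luhn."""
    for run in re.findall(r"(?:\d[ -]?){13,19}", value):
        digits = re.sub(r"\D", "", run)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False

def validate_entry(entry: dict) -> list:
    """Return a list of problems; an empty list means the entry may be written to the log."""
    problems = []
    for key in entry:
        if key in FORBIDDEN_FIELDS:
            problems.append(f"prohibited field present: {key}")
        elif key not in ALLOWED_FIELDS:
            problems.append(f"unexpected field: {key}")
    missing = ALLOWED_FIELDS - entry.keys()
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    if not re.fullmatch(r"\d{4}", str(entry.get("last_four", ""))):
        problems.append("last_four must be exactly four digits")
    for key, value in entry.items():
        text = str(value)
        if looks_like_pan(text):
            problems.append(f"full card number detected in field: {key}")
        if re.search(r"\b(0[1-9]|1[0-2])\s*/\s*\d{2}(\d{2})?\b", text):
            problems.append(f"expiry-date pattern detected in field: {key}")
    return problems

if __name__ == "__main__":
    # Constructed sample: the well-known test number 4111 1111 1111 1111 pasted into a name field.
    sample = {"card_type": "Visa", "cardholder_name": "J. Doe 4111 1111 1111 1111",
              "last_four": "1111", "contact_number": "519-555-0100"}
    print(validate_entry(sample))
```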

Ecommerce Solutions

Western Merchants must never enter credit card numbers into their ecommerce application on behalf of a customer. Merchants should direct all customers to their website to enter credit card data to complete payment. This is a PCI DSS requirement. This does not pertain to POS devices: processing payments manually, one at a time, through a POS device remains a PCI-compliant practice.

Electronic Media

Electronic media (e-mail, text messaging, etc.) is not a secure method to send or receive cardholder data and is strictly prohibited as a means of accepting cardholder data.  Transactions where cardholder data is received via electronic media must not be processed.  Cardholder data should not be accepted over Western campus telephones (VoIP telephones and Jabber). Western VoIP traffic (including Jabber) is not secured and there is risk of unauthorized internal and external access.

Please refer to the Policy and Procedure tab on the Commerce at Western website for the updated Codes of Procedure.


Published on  04/19/2024 19:46:20 and maintained in Cascade CMS.