Commerce at Western

Financial Services Code of Procedure

These procedures are designed to ensure that all bank card transactions at Western University are conducted in the most secure, confidential and reliable method possible.  All Merchants that accept debit or credit cards for payment must follow these procedures for the protection of cardholder data, along with all University Policies relating to bank card transactions and data security and the most current version of the Payment Card Industry Data Security Standards (PCI DSS).

Policy and Procedure

All Western Merchants must comply with:

This is to ensure the security of cardholder data and to protect the University from reputational, financial and legal liability.

Approval Process

Financial Services must approve all bank card processing activities at the University, including processing transactions online (ecommerce), through an outsourced third party and through point of sale devices.

Departments and units may only accept payments if Merchant Accounts have been established and approved by Financial Services. Merchant Accounts must be established using the University's preferred payment card processing provider(s). Departments and units are prohibited from entering into other payment arrangements with any other service provider(s), including PayPal.

Use of an alternative payment provider and/or payment gateway may be approved on a case-by-case exception by the Bank Card Committee.

Costs

All costs associated with accepting bank card payments will be charged to departmental accounts centrally by Financial Services. These costs include (but are not limited to):

In addition, Merchants will be responsible for any costs associated with achieving and maintaining compliance with PCI DSS, which may include security scanning, auditing and remediation work to ensure PCI compliance. Merchants will also be responsible for costs associated with any security breaches as a result of the non-compliance with the requirements of this policy and associated procedures.

Methods of Accepting Bank Card Payments

The following methods for accepting debit and credit card payments are permitted:

Use of alternative methods may be approved, on a case-by-case basis, by the Bank Card Committee. To further ensure compliance, all Payment Applications must provide an Attestation of Compliance (AOC) certificate on an annual basis to the Merchant. This AOC must be forwarded to the Bank Card Committee.

Processing Bank Card Transactions

The ability to process bank card transactions through any payment system (including point of sale terminals) must be limited to those individuals whose job requires such access. [see Hiring, Training and Employee Awareness for Bank Card Processing]

The Merchant must ensure that all transactions represent a legitimate sale of goods or services in the ordinary course of the Merchant's business. All refunds of bank card transactions must be processed directly back to the card the purchase was made on. No cash refunds shall be given for transactions that were originally processed on a bank card. The Merchant's refund and exchange policy must be clearly displayed and communicated to the customer.

The Merchant cannot discriminate against a method of payment that it has agreed to accept. For example, the merchant must offer chip and pin technology if the merchant accepts bank card payments through a point of sale terminal.

The Merchant must reconcile daily receipts and record all revenue and bank deposits into PeopleSoft Financials on a timely basis.

Merchants must never enter credit card numbers into a hosted pay page (HPP) solution on behalf of a customer. Merchants using an HPP solution should direct all customers to their website to enter credit card data to complete payment. This is a PCI DSS requirement. It does not pertain to POS devices: processing payments manually through a POS device remains a PCI compliant practice.

Accepting Cardholder Data

Electronic media (e-mail, text messaging, etc.) is not a secure method to send or receive cardholder data. Merchants are strictly prohibited from accepting and processing payments using cardholder data received over electronic media.  Merchants must inform the customer that electronic media is not an accepted form of receiving payment information and provide the customer with a PCI compliant option to process their payment. 

If cardholder data is received via e-mail, it must be deleted from all folders. The trash folder must also be purged. If you reply to an e-mail containing cardholder data, this information must be removed.

Fax machines may only be used to receive cardholder data if the machine is connected using an analog phone line. If the fax machine is connected through a network connection, it is considered electronic media and prohibited as a means of accepting cardholder data.

Voicemail is also considered electronic media. If you receive cardholder data via voicemail the message must be deleted immediately. Storing cardholder data on voicemail is strictly prohibited.

Access to Cardholder Data

Access to cardholder data must be limited to those who require this information for business purposes. [see Hiring, Training and Employee Awareness for Bank Card Processing]

Visitors must be authorized before entering areas where cardholder data is processed or stored. Visitors must sign a visitor log, be identified with a visitor badge and be escorted when in highly sensitive areas. This does not include areas where only point of sale devices are present.

All default vendor-supplied passwords must be changed. Operational procedures managing vendor defaults and other security parameters must be documented, in use and known to those who process bank card transactions.

Retention of Cardholder Data

The electronic storage of cardholder data at Western University is strictly prohibited. This includes storage on a computer, database or server. Cardholder data must be removed or properly masked before any electronic scanning is completed to archive information.

Cardholder data should only be stored for the minimal period of time necessary to process the transaction. Cardholder data must be kept in a secure location at all times (e.g. in a locked cabinet inside a locked room). Storage of cardholder data must be kept to a minimum by implementing data retention and disposal policies.

All cardholder data that is stored must be inventoried. This log should include the card type, cardholder name, last four digits of the personal account number and a contact number. This inventory is to ensure that Merchants can easily determine the cardholder data that is missing in the event of a breach. This inventory must not contain the full personal account number, the expiration date or the CVV code. An example of an inventory log sheet can be found on the documentation page.
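The two data-handling rules above, masking cardholder data before anything is scanned electronically and keeping an inventory log that holds only the permitted fields, are easy to get wrong by hand. The following Python is an added illustration, not code from Western or from any payment provider: it masks a primary account number down to its last four digits, builds an inventory entry restricted to the fields the procedure lists, and refuses any entry that carries a prohibited field or that contains a Luhn-valid card number or an expiry date inside another field. Field names, the sample transaction and the `is_compliant` helper are assumptions made for this example; the card number is the standard test value, not real cardholder data.

```python
import re

# Constructed sample transaction, as a Merchant might see it at payment time.
# The PAN is the well-known Visa test number, not a real card.
SAMPLE_TRANSACTION = {
    "card_type": "Visa",
    "cardholder_name": "A. Example",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "contact_number": "519-555-0100",
}

# Only these fields may appear in the inventory log (assumed names).
ALLOWED_FIELDS = frozenset({"card_type", "cardholder_name", "pan_last4", "contact_number"})

PAN_RUN_RE = re.compile(r"\b\d{13,19}\b")      # candidate account numbers
EXPIRY_RE = re.compile(r"\b\d{2}/\d{2,4}\b")   # MM/YY or MM/YYYY


def luhn_ok(digits: str) -> bool:
    """Luhn check: distinguishes real account numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_pans_in_text(text: str) -> str:
    """Mask every Luhn-valid account number in free text before it is scanned or archived."""
    return PAN_RUN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), text
    )


def validate_entry(entry: dict) -> None:
    """Raise ValueError if an inventory entry violates the retention rules."""
    extra = set(entry) - ALLOWED_FIELDS
    if extra:
        # The CVV cannot be recognised by pattern, so the field whitelist is the only
        # defence against it leaking into the log.
        raise ValueError(f"prohibited fields in inventory entry: {sorted(extra)}")
    last4 = str(entry.get("pan_last4", ""))
    if len(last4) != 4 or not last4.isdigit():
        raise ValueError("pan_last4 must be exactly four digits")
    for key, value in entry.items():
        text = str(value)
        if EXPIRY_RE.search(text):
            raise ValueError(f"field {key!r} appears to contain an expiry date")
        if any(luhn_ok(m.group(0)) for m in PAN_RUN_RE.finditer(text)):
            raise ValueError(f"field {key!r} appears to contain a full account number")


def is_compliant(entry: dict) -> bool:
    try:
        validate_entry(entry)
    except ValueError:
        return False
    return True


def inventory_entry(txn: dict) -> dict:
    """Build the inventory log entry: card type, name, last four digits, contact number."""
    entry = {
        "card_type": txn["card_type"],
        "cardholder_name": txn["cardholder_name"],
        "pan_last4": mask_pan(txn["pan"])[-4:],
        "contact_number": txn["contact_number"],
    }
    validate_entry(entry)  # expiry and CVV are never copied across
    return entry


if __name__ == "__main__":
    print(inventory_entry(SAMPLE_TRANSACTION))
    print(mask_pans_in_text("Customer paid with card 4111111111111111 on 12/27"))
```

The whitelist in `validate_entry` is the important control: a regular expression can catch a stray account number or expiry date pasted into a free-text field, but nothing distinguishes a three-digit CVV from any other short number, so the only reliable way to keep it out of the log is to never allow a field for it.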

Forms should be designed to allow for the removal of the credit card number, verification number and expiry date (e.g. by placing them at the bottom of the form) after the payment has been processed.

The three or four digit verification code can only be requested if it is necessary to complete a card not present transaction. This code cannot be retained after the authorization of payment.

Transaction records for audit purposes must be retained for a period of seven years. All paper-based records containing credit or debit card information should be kept in a secure area with access restricted to only those employees who require it. 

Western Archives is considered to be a secure and confidential storage location for records that are not required for operational purposes but are needed to satisfy audit requirements.

Disposal of Cardholder Data

Each Merchant must maintain a disposal policy for documents containing cardholder data. All documents containing cardholder data should be properly disposed immediately upon completion of business need.

Cardholder data that is no longer required must be destroyed using a crosscut shredder or through Western’s Eco-Shred program.

Security of Point of Sale Devices

All POS devices must be registered in one of Western's PCI VLANs. The Merchant must notify the Network Operations Centre (NOC) when a network-connected POS device has been installed and added to the network. The NOC will ensure the device is placed into an appropriate PCI VLAN.

All point of sale (POS) devices must be secured and protected at all times. Physical protection of these devices is the responsibility of Western Merchants and is a PCI DSS requirement. This includes securing the device in a locked safe, cash drawer and/or area when the device is not in use.

All point of sale (POS) devices must be inspected on a daily basis, at minimum. Merchants with POS devices should refer to the Point of Purchase Integrity Checklist (found here) to ensure proper procedures are followed to secure and inspect their POS devices.  If requested, a Western Merchant must be able to produce an inspection log for their POS devices. 

All employees who operate POS devices must be properly trained, including training on how to detect if a POS device has been tampered with and what to do if they suspect that a POS device has been tampered with. [see Hiring, Training and Employee Awareness for Bank Card Processing]

An incident response plan (Western’s Security Breach Plan) must be clearly communicated and easily accessible to all employees.

Hiring, Training and Employee Awareness for Bank Card Processing

Unit Leaders are responsible for knowing their bank card processes and for identifying which positions have the ability to process bank card transactions and access cardholder data or the cardholder data environment. The assignment of these privileges must be based on job classification and function and should include the appropriate level of awareness and adherence to the PCI standard.  These privileges, access, and required knowledge should be documented in the corresponding job description.  Privileges and access must be revoked immediately upon termination or reassignment of roles. 

Hiring managers must complete the appropriate level of background investigation prior to hiring potential candidates that will have access to cardholder data.  The background check necessary must be appropriate for the level of access to cardholder data of the position. Background investigations can include previous employment history, criminal check, enhanced reliability clearance, etc. As the level of access to cardholder data increases, the level of background investigation must also increase.

For example, a cashier who only has access to one card at a time would only be required to have an employment history check, but an employee who has access to multiple credit cards would be required to have a more detailed background investigation.

Training for bank card processing must be provided to all new employees and at least annually to existing employees.

Employees must be knowledgeable about how to process bank card transactions and must be aware of the sensitivity of cardholder data. In particular, the credit card number, card verification code, card expiry date and cardholder name comprise information that must be protected at all times. Employees must understand that they are responsible to hold cardholder data in confidence at all times and that it should only be disclosed for a required business purpose.

Unit leaders and employees who process bank card transactions must be aware of and abide by the Bank Card Policies and Procedures at Western, including Western's Security Breach Plan.

All Merchants must complete Western's Unit Self-Assessment Questionnaire annually to signify compliance with all policies and procedures relating to bank card transactions at Western and the PCI DSS.

Western's Security Breach Plan

All Merchant leaders and employees who process or have access to cardholder data must read and understand Western's Security Breach Plan, including Western's Security Breach Protocol and understand how to report a potential bank card information breach. This protocol must be displayed for employees in areas where bank card transactions are processed and where cardholder data is stored.

If a Merchant knows or suspects that cardholder data has been compromised, or that a point of sale device has been tampered with, the incident must be reported following the steps outlined in Western's Security Breach Plan.

Security alerts and information must be monitored, analyzed and distributed to the appropriate personnel.  This information can be communicated to the Merchant by the payment processor, the CISO, Financial Services and/or the Bank Card Committee.

Changes to Your Bank Card Processing Environment

Any changes in your payment applications and/or your bank card processes that would affect Western's PCI environment must be reported to the Bank Card Committee for approval. This includes changes to the Merchant's business processes relating to bank card processing.