We use cookies on this site to enhance your experience.
By selecting “Accept” and continuing to use this website, you consent to the use of cookies.
5.15 Merchant Card Use Policy
This online version is for convenience; the official version of this policy is housed in the University Secretariat. In case of discrepancy between the online version and the official version held by the Secretariat, the official version shall prevail.
Approving Authority: President
Original Approval Date: May 2, 2012
Date of Most Recent Review/Revision: N/A
Office of Accountability: VP: Finance and Administration
Administrative Responsibility: Financial Resources
Purpose
1.00 Electronic payment processing is increasingly becoming a common payment method. This policy sets out acceptable practices for processing and handling electronic payment, including e-commerce transactions, across the University community. Central to this policy is the practice that there is no electronic storage of cardholder data on the University network. This moves the risk and Payment Card Industry Data Storage Standard (PCI DSS) compliance requirements to our merchant and/or e-commerce provider.
Definitions
2.01 Cardholder Data: At a minimum, cardholder data contains the full primary account number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: Cardholder name, expiration date, or service code.
2.02 E-commerce: The selling of products or services and processing payments over the Internet.
2.03 PCI DSS: Payment Card Industry Data Security Standard.
Jurisdiction/Scope
3.00 This policy applies to all University departments at any campus or location which collect payments via credit card. Any direct supervisor of employees, and/or employees handling cardholder data must follow the Merchant Card Use Policy and its related procedures where applicable. A list of procedures is in section 5.01 of this policy.
Policy
4.01 Employee Screening and Training:
All employees handling cardholder data must be screened prior to commencing employment and receive training regarding the security of this information. Employees and supervisors of employees handling cardholder data must follow the Employee Compliance and Training Procedures.
4.02 Handling, Use and Storage of Data:
a. In order to provide adequate security for cardholder data, Retention and Handling of Cardholder Data Procedures must be followed. It is imperative that there be no electronic storage of cardholder data on the University network.
b. Cardholder data will only be held for the minimum amount of time required as specified in the Retention and Handling of Cardholder Data Procedures.
c. Data will be kept secure, and personal information will be used for only the purpose for which it was obtained (see policy 10.1 Information Availability and Privacy Protection).
4.03 E-Commerce:
a. Web pages designed to collect electronic payment for goods and services must be developed in consultation with Finance and Administration and Information Technology Services.
b. All e-commerce should be directed to a third party hosted pay page provided by the University’s approved electronic merchant and/or e-commerce provider.
c. A University-wide e-commerce system will provide all departments with the ability to process electronic payments. All departments are required to use the University-wide system and pay the applicable user fee. Exceptions may be made for departments where it is infeasible to use the University-wide system. Legacy systems that are fully PCI DSS compliant will be allowed to continue but will be phased out within 5 years.
d. All third party providers of card processing activities used by the University must meet PCI DSS and provide annual proof of monitored compliance. Departments approved to engage their own third party hosted pay pages may be subject to an external audit at the expense of the department and must comply with University standards for data security. These departments will be responsible for all aspects of negotiating and managing the relationship with the third party provider.
e. Departments may not enter into separate arrangements with Financial Service Providers (see policy 5.6 Selection of Financial Service Providers).
4.04 Creation of New Merchant Accounts:
When new merchant accounts are created, Establishing Merchant Accounts Procedures will be followed.
4.05 Review and Validation Process:
a. An annual review process shall take place to identify threats and vulnerabilities resulting in a formal risk assessment. This will be conducted by the office of administrative responsibility, and the necessary updates will be made.
b. The university shall comply with any validation requirements set out by PCI DSS.
Related Policies, Procedures and Documents
5.01 Related Procedures:
- Employee Compliance and Training Procedures
- Retention and Handling of Cardholder Data Procedures
- Establishing Merchant Accounts Procedures
5.02 Related Policies:
- 5.7 Signing Authority Policy
- 5.6 Selection of Financial Service Providers
- 10.1 Information Availability and Privacy Protection
5.03 PCI Security Standards Council Guidelines and Standards