Merchant Card Use Procedures

Print | PDF

This online version is for convenience; the official version of this policy is housed in the University Secretariat. In case of discrepancy between the online version and the official version held by the Secretariat, the official version shall prevail.

Employee Compliance and Training

Approving Authority: President

Original Approval Date: May 2, 2012

Date of Most Recent Review/Revision: N/A

Administrative Responsibility: Financial Resources

Parent Policy: Merchant Card Use Policy (5.15)

Please consult 5.15 Merchant Card Use Policy for further information.

Definitions

Cardholder Data: At a minimum, cardholder data contains the full primary account number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: Cardholder name, expiration date, or service code.

PAN: Primary Account Number. Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account. Also referred to as “account number” or just “card number.”

Procedures

a. Employee Screening

i. New university employees in roles requiring handling of cardholder data must be screened via background checks prior to commencing employment. Examples of background checks include previous employment history, criminal record, credit history and reference checks. The level of background checking should be appropriate for the particular position. For employees whose role would provide access to only one card number at a time (e.g. retail cashiers) less stringent background checking is required.

ii. Upon hiring, and at least annually thereafter, employees must sign an agreement to comply with security policies and procedures.

b. Training

i. The direct supervisor of employees handling cardholder data is responsible for ensuring appropriate training has been provided, including cardholder data security, physical device safeguarding and tampering awareness programs. Training should be provided at the commencement of employment and at least annually thereafter. This training should be made available to all employees and be appropriate given the role of the employee.

ii. All employees with computer access to accounts, including point-of-sale, with administrative capabilities and all accounts used to view and access cardholder data or to access systems with cardholder data, must be assigned a unique ID.

Retention and Handling of Cardholder Data

Approving Authority: President

Original Approval Date: May 2, 2012

Date of Most Recent Review/Revision: N/A

Administrative Responsibility: Financial Resources

Parent Policy: Merchant Card Use Policy (5.15)

Please consult 5.15 Merchant Card Use Policy for further information.

Definitions

Cardholder Data: At a minimum, cardholder data contains the full primary account number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: Cardholder name, expiration date, or service code.

E-commerce: The selling of products or services and processing payments over the Internet.

Hashes: One-way hashes can be used to render cardholder data unreadable and are irreversible. Hash functions are appropriate when there is no need to retrieve the original number.

Index Tokens and Pads: Can be used to render cardholder data unreadable. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a private key, generated randomly, is used only once to encrypt a message that is then decrypted using a matching one-time pad and key.

Masked: The whole PAN is stored but the PAN is masked when displayed.

Media: Refers to all paper and electronic media containing cardholder data.

PAN: Primary Account Number. Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account. Also referred to as “account number” or just “card number.”

PCI DSS: Payment Card Industry Data Security Standard.

Sensitive Areas: Any data center, server room or any area that houses systems that store, process or transmit cardholder data.

Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.

Truncation: Only a portion (not to exceed the first six and the last four digits) of the PAN is stored/displayed.

Visitor: Refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day.

Procedures

a. General

i. All primary account numbers (PAN) must be masked when displayed, including on computer screens. The first six and last four digits are the maximum number of digits to be displayed. Stricter requirements may be used for display of the PAN on receipts. The full PAN can be displayed to those with a legitimate business need to view.

ii. The storage of cardholder data should be kept to a minimum. In exceptional circumstances (e.g. electronic merchant system failure), a manual imprinter can be used by an authorized employee. The handling, retention, storage and disposal of imprinter receipts are addressed below (a.iii – ix & b). When not in use, imprinters should be securely stored.

iii. Cardholder data should be retained the minimum amount of time required. Retention of the merchant transaction receipt is 24 months. (Retention of sales records is governed by the Canada Revenue Agency). In addition, within the limited circumstances provided in a.ii, full cardholder data should only be retained for the time sufficient to resolve any disputes or chargebacks (3 months). All departments storing cardholder data must have in place a quarterly process to identify and securely delete stored cardholder data that exceeds defined retention requirements.

iv. Departments retaining cardholder data are responsible for safeguarding the information during the retention period. Secure storage of media containing cardholder data must include an annual inventory of all media.

v. All movement and transmission of cardholder data must be strictly controlled:

• approved by relevant manager,
• marked as confidential,
• sent via a traceable delivery method (e.g. courier).

vi. Access to cardholder data and system components should be limited to those individuals whose job requires such access and the access level should be the minimum required. Access should be limited by:

• user ID,
• job classification and function,
• authorization by management that specifies required privileges,
• automated access control system.

vii. Visitors to areas where cardholder data is present must be authorized and logged (name, firm represented, employee authorizing access). Logs should be maintained for one year.

viii. All employees are responsible for taking precautions for the security of personal information and ensuring it is used for only the purpose for which it was obtained (see 10.1 Information Availability and Privacy Protection).

ix. If cardholder data is shared with external service providers, policies and procedures must be implemented, including the following:

• maintain a list of active external service providers,
• maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data in their possession,
• ensure there is an established process for contracting service providers, including proper due diligence prior to engagement.

b. Physical Records

i. With the exception of a.ii, if stored, PANs must be rendered unreadable (e.g. truncated).

ii. Card data must be able to be physically separated from other documentation with a different retention period.

iii. Following the retention period, cardholder data should be disposed of through the University’s contracted shredding service.

c. Electronic Records

i. If stored, cardholder data must be rendered unreadable using one of the following approaches:

• one-way hashes based on strong cryptography,
• truncation,
• index tokens and pads (pads must be securely stored),
• strong cryptography with associated key management processes and procedures (refer to PCI – DSS requirements on cryptography).

If disk encryption is used, the method cannot have a direct association with the operating system and decryption keys cannot be associated with user accounts.

ii. Caching should not be permitted in any device used to display, store or transmit cardholder data.

iii. Under no circumstances should sensitive authentication data be stored after authorization is completed. This includes:

• magnetic stripe or track data,
• card-verification code or value,
• personal identification number (PIN) or the encrypted PIN block.

iv. Electronic storage and transmission of cardholder data must be in 1024 bit encrypted format rather than clear text formats such as email and basic html forms or end-user technologies (e.g. instant messaging, email). Following the retention period, data must be rendered unrecoverable so that it cannot be reconstructed.

v. Media backups must be stored in a secure location, and off-site storage is recommended. The location’s security must be reviewed annually.

vi. Appropriate facility entry controls should be used to limit and monitor the physical access to systems in the cardholder data environment. Access to sensitive areas (excludes areas housing only point-of-sale terminals) should be monitored by video cameras and/or access control mechanisms. Data collected should be reviewed, correlated with other entries and stored for one year. Physical access to publicly accessible network jacks, wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunications lines must be restricted.

d. Telephone-based Payment Card Data

i. Telephone extensions used in the collection of cardholder data should have call recording and message options disabled, ensuring there is no recording of cardholder data.

ii. All third party providers of card processing activities used by the University must meet PCI DSS and provide annual proof of monitored compliance. The use of third party call centres is subject to the approval of Finance and Administration.

iii. Cardholder data transmitted by phone should be entered directly through an approved e-commerce tool (see section 4.03 of the Merchant Card Use Policy). Physical records of cardholder data should be treated as outlined in b. PANs should be masked when displayed.

Establishing Merchant Accounts Procedures

Approving Authority: President

Original Approval Date: May 2, 2012

Date of Most Recent Review/Revision: N/A

Administrative Responsibility: Financial Resources

Parent Policy: Merchant Card Use Policy (5.15)

Please consult 5.15 Merchant Card Use Policy for further information.

Procedures

1.0 The establishment of new merchant accounts must be authorized by the appropriate individual as outlined in Appendix 1.

2.0 All merchant accounts must be established with the University’s provider of electronic merchant services (see section 4.03 of the Merchant Card Use Policy).

3.0 Each authorized merchant account user must be provided with a unique username/password to access system components and/or cardholder data.

4.0 For all relevant systems, including those related to merchant accounts, all vendor-supplied defaults (passwords and other security parameters) must be changed before installing a system on the network. Unnecessary accounts should be eliminated.

5.0 Physical pinpads, terminals and point of sale PCs must be secured to reduce the risk of tampering. Properly securing devices could include:

• applying tamper-evident tape on housing and plugs,
• use of security cables,
• application of OS hardening, including the removal of Local Administrator privileges.

6.0 Dedicated PCs for point-of-sale services and any virtual terminal software should be used if cardholder data passes through the PC.

Appendix 1: Authorization of New Merchant Accounts

¹ Including the Faculty of Social Work and the Toronto office.