Accepting Credit Card Payments Over the Phone

This directive from the UBC PCI Compliance Working Committee applies only to those who accept credit card payments over the phone.

The acceptance of credit card payments over the phone is deemed to be a transmission of cardholder data. If a Voice over Internet Protocol (VoIP) telephone is used as a means of transmission, both the credit card process and the UBC VoIP system must comply with the Payment Card Industry Data Security Standard. The VoIP audit applies to the entire UBC VoIP system and not per merchant. It can be costly and is subject to the highest Payment Card Industry (PCI) audit level, SAQ D.

Achieving PCI compliance for telephone (voice services)

The telephone (voice) services at UBC's various campuses are offered to support a broad variety of business needs and are not designed for the specific controls required to achieve PCI compliance. The recommendation is to install a separate service from one of the major service providers to conduct any phone transaction with the purpose of obtaining credit card information. This recommendation is made in order for UBC to remain PCI compliant without incurring excessive costs.  

UBC strongly suggests using an online/web payment gateway or in-person transactions as much as possible to avoid the challenges and complexities of phone-based payments.

  • If phone-based payments are necessary, a dedicated cell phone plan is the easiest path to achieve this requirement.
  • A voice-only limited plan is cost-effective and avoids the complexities of attempting to run a service-provider service into UBC's buildings (which in many cases is very complex and could incur exorbitant installation costs).

The following options are available to maintain UBC’s PCI compliance and avoid the accompanying audit cost:

  1. Set up and use an assigned/official cellphone for accepting credit card payments.
    • The cellphone number should be advertised to customers for the purpose of accepting credit card payments only.
    • All customers should be directed to a designated cell phone when accepting credit card payments.
    • Refer to UBC partners, i.e. Bell Mobility, Rogers Communications and Telus Mobility, to obtain a cellphone and connection (without needing a data plan). Visit UBC Cellular Devices and Services for more information.
  2. Stop accepting credit card payments on a VoIP phone.
    • Accept only in-person or card-present payments.
    • Set up an online page using DPP (Digital Payment Program) to direct customers to pay online. Applications can be submitted to dpp.support@ubc.ca to set up an e-commerce page.

For information about uStore costs and anticipated DPP fees, please refer to this page.