PCI DSS applies to all organizations/entities that store, process or transmit cardholder data (CHD).
All UBC merchants that process, store or transmit credit card data as payments to the University and/or operate point of sale (POS) systems or devices must comply with PCI DSS version 3.2.1.
How Credit Card Transactions Work
- The cardholder uses Visa or MasterCard to pay the merchant for the purchase of an item.
- The acquirer (the merchant’s bank) reimburses the merchant for the purchase.
- The issuer (the cardholder’s bank) reimburses the acquirer, usually within 24 to 48 hours.
- The issuer collects from the cardholder by withdrawing funds from the cardholder’s bank account, if a debit account is used, or through billing if a credit account is used.
Requirements to Set Up Credit Card Processing
Please refer to the PCI requirements checklist below if you are interested in setting up a credit card processing activity. No merchant account and/or bank account will be set up until all applicable PCI requirements have been completed.
1. Confirmation of the type of credit card processing:
eCommerce, PIN pad, virtual terminal, use of a payment application, etc.
Important note for eCommerce:
- No staff is allowed to obtain credit card information by phone, fax or any other means and process it using the merchant’s technology resources (e.g. a PC)
- No staff is allowed to obtain credit card information from walk-in customer(s), if any, and process it using the merchant’s technology resources (e.g. a PC)
- No customer is allowed to use any computer within the facility or premises of the merchant to access the [Service Provider's] card processing facility
- No staff is allowed to process credit card information on behalf of other departments
- All customers should only use the online [Service Provider's] card processing facility
2. Statement of Business Purpose:
To ensure that the credit card processing is for official business use and not personal use: it is strictly for institutional use and not for an individual.
3. Card flow process:
A blueprint of the credit card processing flow, used to identify whether any internal UBC systems, networks and hardware are in PCI scope and to verify whether any storage of cardholder data exists.
4. PAN (Primary Account Number) Confirmation:
Attestation that no storage of cardholder data is involved. To be signed by two signatories to emphasize the merchant's accountability for PCI compliance.
5. PCI Compliance of Service Provider/PA DSS compliance of Payment Application/PTS compliance on POS device:
6. Copy of Agreement with the Service Provider:
Agreement to be reviewed by Treasury to ensure that nothing is prohibitive or will compromise UBC (not required if using TD Merchant Services/Moneris Solutions/Chase Paymentech)
7. Privacy Clause Statement and Check Box:
Required if the Service Provider stores personal information outside Canada (e.g. its server is located outside Canada). Not required if the Service Provider is Canadian-based and does not store personal information outside Canada.
8. Qualified Security Assessor (QSA) Assessment:
Required if an Acquirer's merchant account will be used (i.e. TD, Moneris or Chase). Not required if no Acquirer's merchant account is used, but the Service Provider must then be PCI compliant. PCI reporting (via the SAQ) is required if payment passes through an Acquirer (i.e. TD, Moneris, Chase).
9. Privacy Impact Assessments (PIA):
A PIA is a risk management and compliance tool used to identify and correct or mitigate potential privacy and security issues, thus avoiding costly program, service, or process redesign. Required if your process involves the collection, use or disclosure of personal information. A summary of the PIA process and Frequently Asked Questions can be found on the Office of the University Counsel website.
10. Self-Assessment Questionnaire (SAQ):
PCI reporting requirement.