Credit Card Processing

PCI DSS applies to all organizations and entities that store, process or transmit cardholder data (CHD).

All UBC merchants that process, store or transmit credit card data as payments to the University and/or operate Point of Sale (POS) systems or devices must be in compliance with PCI DSS version 3.2.1.

How Credit Card Transactions Work

  • The cardholder uses Visa or MasterCard to pay the merchant for the purchase of an item.
  • The acquirer (the merchant’s bank) reimburses the merchant for the purchase.
  • The issuer (the cardholder’s bank) approves or declines the transaction and reimburses the acquirer, usually within 24 to 48 hours.
  • The issuer collects from the cardholder by withdrawing funds from the cardholder’s bank account if a debit account is used, or through billing if a credit account is used.

Requirements to Set Up Credit Card Processing

Please refer to the PCI requirements checklist below if you are interested in setting up a credit card processing activity. No merchant account or bank account will be set up until all applicable PCI requirements are completed.

Read PCI Memo

1. Confirmation of the type of credit card processing:
eCommerce, Point of Sale (POS) device (e.g. PIN pad), virtual terminal, use of a payment application, etc.
Important note for eCommerce:

  • No staff is allowed to obtain credit card information by phone, fax or any other means and process it using the merchant’s technology resources (e.g. a PC).
  • No staff is allowed to obtain credit card information from walk-in customer(s), if any, and process it using the merchant’s technology resources (e.g. a PC).
  • No customer is allowed to use any computer within the facility or premises of the merchant to access the [Service Provider's] card processing facility.
  • No staff is allowed to process credit card information on behalf of other departments.
  • All customers must use only the online [Service Provider's] card processing facility.

2. Statement of Business Purpose:
To confirm that the credit card processing is for official business use and not for personal use. Strictly for institutional use only.

3. Card flow process:
A blueprint of the credit card processing flow, used to identify whether any internal UBC systems, networks or hardware are in PCI scope and to verify whether any cardholder data is stored.

4. PAN (Primary Account Number) Confirmation:
An attestation that no cardholder data is stored. It must be signed by two signatories to emphasize the merchant's accountability for PCI compliance.

5. PCI compliance of the Service Provider / PA-DSS compliance of the payment application / PTS compliance of the POS device:
No exceptions. Only an Attestation of Compliance (AOC) is acceptable as evidence of PCI compliance.

6. Copy of Agreement with the Service Provider:
The agreement is to be reviewed by Treasury and/or Procurement to ensure that nothing in it is prohibitive or to the detriment of UBC. An agreement with an online Service Provider is required to comply with Resolution #26 - Clickthrough Agreement.

7. Privacy Clause Statement and Check Box:
Required for eCommerce processes only. Regardless of the location of the Service Provider's server (i.e. inside or outside of Canada), all personal information that will be collected, disclosed or stored is subject to review.

8. Qualified Security Assessor (QSA) Assessment:
Required for any credit card process that uses a UBC system or network, integrates with a payment application and/or POS device, or has any technical component that connects or could potentially connect to the UBC system/network.

9. Privacy Impact Assessments (PIA):
A PIA is a risk management and compliance tool used to identify and correct or mitigate potential privacy and security issues, thus avoiding costly program, service or process redesign. It is mandated by the UBC PCI Working Committee regardless of whether your process involves the collection, use or disclosure of personal information. A summary of the PIA process and Frequently Asked Questions can be found at Privacy Matters @ UBC.

10. Self-Assessment Questionnaire (SAQ):
An annual PCI reporting requirement.

See DPP for eCommerce