Payment Card Industry (PCI) Compliance
All the University of Guelph departments that accept credit card payments must process those payments in a manner compliant with the Payment Card Industry Data Security Standard (PCI DSS). These requirements are developed and maintained by the PCI Security Standards Council, which includes many of the large credit providers and financial services institutions.
Compliance with PCI is mandatory - all merchants on campus must comply with PCI. The goal of compliance is to help protect cardholder data. For the purposes of the PCI, a merchant is defined as any entity that accepts payment cards, online or in-person, as payment for goods and/or services.
Visit the Financial Services site for a full overview of credit and debit card payments on campus - https://www.uoguelph.ca/finance/departments-services/treasury-operations/deposits-cash-credit-cards-other/overview-credit-and-debit
- Obtaining formal approval from Financial Services prior to setting up payment processing services.
- Processing web-based payments using a PCI-compliant provider approved by Financial Services. Currently we use Moneris and Global Payments.
- The ongoing protection of cardholder data.
- Prohibit any and all storage (electronically or in paper form) of credit card information.
- Overall awareness of cardholder data collection processes, protection mechanisms, and adherence to the standards and directives.
- Ensuring that safeguards designed to protect cardholder data are not tampered with or modified.
- Immediately reporting suspected security breaches to CCS Information Security and Financial Services.
- Completing an annual PCI self-assessment questionnaire and submitting to regular compliance scans.
- Obtaining guidance from CCS and Financial Services when making any changes to payment processing.
- Restricting access to systems and areas where cardholder data is processed.
- Configuring all in-scope systems to be PCI compliant.
What is PCI?
- The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).
- The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
- It is important to note, the payment brands and acquirers (such as Moneris and Global Payments used by the University of Guelph) are responsible for enforcing compliance, not the PCI council.
To whom does PCI apply?
- PCI applies to any organization—merchant or service provider—regardless of size or number of transactions, that accepts or transmits any cardholder data. If any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
What is the definition of ‘merchant’?
- For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in processing or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but is also a service provider if it hosts merchants as customers.
What constitutes a Service Provider?
- Any company that processes or transmits cardholder data on behalf of another entity is defined as a service provider by the Payment Card Industry (PCI) guidelines.
If I only accept credit cards over the phone, does PCI still apply to me?
- Yes. All business that process or transmit payment cardholder data must be PCI Compliant.
Do organizations using third-party processors have to be PCI compliant?
- Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.
Is PCI DSS Compliance a one time effort?
- No. Organizations must demonstrate annual compliance. This includes submitting the appropriate Self-Assessment Questionnaires (SAQs) signed by a PCI DSS Qualified Security Assessors (QSAs) and administration, along with the results of quarterly security testing. The PCI DSS compliance process requires all credit card processing done by or on behalf of the organization to be compliant. Failure to achieve compliance can result in significant fines, service costs, increased liability, and the potential for reputational damage.
For more information on PCI compliance, contact:
Director Treasury Operations
Manager, Information Security