
Payment Card Industry (PCI) Sustainability Policy

Classification number: LCG 1143
Framework category: Legal, Compliance and Governance
Approving authority: Board of Governors
Policy owner: Vice-President, Administration
Approval date: November 28, 2019
Review date: November 2022
Last updated: Editorial Amendment, May 30, 2022

Purpose

The purpose of this Policy is to establish the foundations required for the University of Ontario Institute of Technology to maintain compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) and to maintain the integrity of the PCI Cardholder Data Environment.

Definitions

For the purposes of this Policy the following definitions apply:

“Authentication Factor” means the process of verifying the identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as a password, passphrase, token device, smart card or biometric.

“Cardholder Data” means the full information displayed on a credit card including the Primary Account Number, or the full Primary Account Number along with Cardholder name, Expiration date or Service code.

“Cardholder Data Environment” or “CDE” means the segmented area of the network which encompasses the applications, hardware, and network services involved in the transmission, processing, or storing of cardholder data.

“Dual Factor Authentication” means a method of authenticating a user whereby two factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, etc.).

“Finance” means the organization under the direction of the Chief Operations Officer.

“Hardened” means a secured computer system.

“Merchants” means departments, faculties and vendors using payment processing technologies deployed on the University of Ontario Institute of Technology networks, whether employees, students, vendors, contractors or business partners.

“Multi Factor Authentication” or “MFA” means a method of authenticating a user whereby at least two factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, etc.).

“Password” means the string of characters that serves as an authenticator of the user.

“PCI DSS” means Payment Card Industry Data Security Standard.

“PCI Zone” means anything that is in scope for PCI DSS compliance.

“Role-Based Access Control” or “RBAC” means a system of permissions where access to a specific resource is defined by permissions assigned to specific roles; a role is given to a user based on their position and needs in relation to the organization.

“Unauthorized Network Equipment” means unauthorized devices connected to the network that pose a significant risk to the organization.

“Vulnerabilities” means a type of weakness in a computer system, in a set of procedures, or in anything that leaves information security exposed to a condition or an activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.

“Workstations” means a computer dedicated to a user or group of users engaged in business or professional work.

Scope and authority

This Policy applies to all Merchants using payment processing technologies deployed on the University of Ontario Institute of Technology networks, whether employees, students, vendors, contractors or business partners. Exemptions from this Policy will be permitted only if approved in advance and in writing by the Chief Financial Officer (CFO).

The Vice-President, Administration, or successor thereof, is the Policy Owner and is responsible for overseeing the implementation, administration and interpretation of this Policy.

Policy

Finance shall ensure that the following activities are performed:

  1. Ensure that payments taken over the phone use the PCI DSS-acceptable third-party solution.
  2. Regularly, and prior to the annual PCI DSS compliance assessment, update the inventory of critical PCI-related technology such as cash registers and PIN pads.
  3. Maintain a list of Merchants whose products are used to process credit card payments on behalf of the university. Ensure the service providers' PCI DSS compliance is monitored regularly, and prior to the annual assessment.
  4. Secure written agreements with Merchants that include an acknowledgement that Merchants will maintain all applicable PCI DSS requirements to the extent the Merchant handles, has access to, or otherwise stores, processes, or transmits the customer’s Cardholder Data or sensitive Authentication data, or manages the customer's Cardholder Data Environment on behalf of a customer.
  5. Ensure there is an established process for engaging PCI related Merchants including proper due diligence prior to engagement.
  6. Ensure new Merchants wanting to accept credit card information on campus are not allowed to process electronic transactions using the campus network infrastructure. New Merchants should use cellular-enabled PIN pads for in-person transactions wherever possible. Exceptions need approval from the Executive Director of Information Technology Services.
  7. Ensure that special precautions are taken if Cardholder Data is available through remote-access technologies:
    1. Personnel with a valid business need to see Cardholder Data must be authorized by the Chief Financial Officer.
    2. Copying, moving, or storing Cardholder Data onto local hard drives and removable electronic media is prohibited.

Finance will ensure that Merchants responsible for PCI account access shall perform the following activities as needed:

  1. Creating, controlling and managing user accounts that can access the CDE.
    1. Every user must use a unique user ID and a personal secret Password for access to campus information systems and networks.
    2. User accounts must be created with the lowest required access level appropriate for the user, following the Role-Based Access Control principle.
    3. User privileges are to be reviewed on a regular basis and removed if the privileges are no longer required.
    4. Mechanisms such as tokens, digital certificates, or other means of Multi Factor Authentication may be used in addition to Passwords for the identification and Authentication of users, and must also be unique to each user.
    5. Where possible, users must be forced to change their Password when they first log on to the system.

Finance shall ensure the following activities are performed as needed:

  1. User accounts are only to remain active for the period required for users to fulfill their responsibilities.
  2. Central IT accounts of staff will be disabled once the staff no longer appear on payroll.
  3. Password Aging Rule
    1. Administrators who operate their own systems associated with the Cardholder Data Environment (CDE) are responsible for implementing a process to force Password aging at least every 90 days.
  4. Merchants processing credit cards shall perform the following activities on a regular basis:
    1. Ensure that they understand the PCI standards.
    2. Inspect PIN pad devices for signs of tampering or substitution such as broken seals or incorrect serial numbers.
    3. Ensure that credit card information at rest is encrypted if electronic, and physically secured if on paper.
    4. Ensure that Multi Factor Authentication is used to access payment workstations remotely.

IT Services shall ensure that the following activities are performed on a regular basis:

  1. Ensure that the network and data flow diagram(s) accurately reflect the network architecture.
  2. Ensure that credit card data in transit is secure and encrypted within the campus infrastructure.
  3. Review firewall and router rulesets pertaining to the PCI Zone at least every six months.
  4. Regularly, and prior to the annual assessment, update the inventory of all CDE locations, hardware, software, applications and networks.
  5. Update configuration standards as necessary and ensure the Workstations used are Hardened and comply with the PCI Standard.
  6. Review Vulnerabilities in a timely fashion once the software publisher provides security alerts.
  7. Install applicable vendor-supplied patches for all IT Assets in the CDE: critical patches within one month, non-critical patches within three months.
  8. Scan for the presence of all Unauthorized Network Equipment in the PCI Zone.
  9. Ensure that Multi Factor Authentication is used to administer or access payment Workstations remotely.
    1. All remote-access technologies must be configured to automatically disconnect sessions after 30 minutes of inactivity.
    2. All remote-access technologies and associated accounts used by Merchants to access the CDE must be activated only when needed, with immediate deactivation after use. Activating these remote-access paths and accounts requires submitting a request to the IT Service Desk.
  10. Engage and manage an Approved Scanning Vendor (ASV) to conduct external vulnerability scanning.
  11. Review, and update as necessary, the organization’s information security related policies, procedures, and standards from a PCI perspective.

IT Services shall ensure that the following activities are performed on a regular basis:

  1. Confirm the location(s) of the CDE and flow of Cardholder Data and ensure that they are included in the PCI DSS scope, including backups.
  2. Review compensating controls to ensure that they are properly documented and are still applicable.
  3. Conduct a formal threat risk assessment at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.).
  4. Run an awareness program for Merchants. Confirm they have read and understand the policy and procedures.

Monitoring and review

This Policy will be reviewed as necessary and at least every three years. The Vice-President, Administration, or successor thereof, is responsible to monitor and review this Policy.

Relevant legislation

This section intentionally left blank.

Related policies, procedures & documents

Information Security Policy
Acceptable Use of Technology Policy
PCI Sustainability Procedure