Skip to main content
University of Ontario Institute of Technology logo

Payment Card Industry (PCI) Sustainability Procedure

Classification number LCG 1143.01
Parent policy Payment Card Industry (PCI) Sustainability Policy
Framework category Legal, Compliance and Governance
Approving authority Audit and Finance Committee
Policy owner Vice-President, Administration
Approval date November 28, 2019
Review date November 2022
Last updated Editorial Amendment May 30, 2022

Purpose

The purpose of these Procedures is to identify the Account Management Requirements for the Compliance with the Payment Card Industry Data Security Standard (PCI DSS Compliance).

Definitions

For the purposes of these Procedures the following definitions apply:

“Authentication Factor” means Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as a password, passphrase, a token device, smart card or a biometric.
“Cardholder Data” means the full Primary Account Number, or the full Primary Account Number along with Cardholder name, Expiration date or Service code.
“Cardholder Data Environment” or “CDE” means the segmented area of the network which encompasses applications, hardware, and network services in the transmission, processing, or storing of cardholder data.
 “Dual Factor Authentication” means a Method of authenticating a user whereby two factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, etc.).
“Finance” means the organization under the direction of the Chief Operations Officer.
“Hardened” means a secured computer system.
“Merchants” means departments, faculties and vendors using payment processing technologies deployed on the University of Ontario Institute of Technology networks, whether employees, students, vendors, contractors or business partners.
“Multi Factor Authentication” or” MFA” means a method of authenticating a user whereby at least two factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, etc.).
“Password” means the string of characters that serve as an authenticator of the user.
“PCI DSS” means Payment Card Industry Data Security Standard.
“PCI Zone” means anything that is in scope for PCI DSS compliance.
“Remote Access” means access to computer networks from a remote location. Remote access connections can originate either from inside the company’s own network or from a remote location outside the company’s network. An example of technology for remote access is VPN.
“Role-Based Access Control” or “RBCA” means a system of permissions where access to a specific resource is defined by permissions assigned to specific roles; a role is given to a user based on their position/needs in relation to the organization.
“Unauthorized Network Equipment” means unauthorized devices connected to the network that poses a significant risk to the organization.
“Virtual Private Network” or “VPN” means computer network in which some of connections are virtual circuits within some larger network, such as the Internet, instead of direct connections by physical wires. The end points of the virtual network are said to be tunneled through the larger network when this is the case.
“Vulnerabilities” means a type of weakness in a computer system, in a set of procedures, or in anything that leaves information security exposed to a condition or an activity that have a potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.
 “Workstations” means a computer dedicated to a user or group of users engaged in business or professional work.

Scope and authority

This Policy applies to all Merchants using payment processing technologies deployed on the University of Ontario Institute of Technology networks, whether employees, students, vendors, contractors or business partners. Exemptions from this policy will be permitted only if approved in advance and in writing by the Vice-President, Administration.

The Vice-President, Administration, or successor thereof, is the Policy Owner and is responsible for overseeing the implementation, administration and interpretation of this Policy. 

  1. The VPAis responsible for ensuring that the appropriate policies and procedures are in place to handle credit card data securely and that the critical PCI technology inventory is updated. 
  2. Finance is responsible for keeping a PCI related list of Merchants and ensure that new vendors are not permitted to use the campus network to process payment transactions.
Executive Director of Information Technology Services responsible for:

  1. Ensuring policies regarding PCI Sustainability are carried out; confirming that diagrams, technology inventories, vulnerability list, and policy maintenance is done regularly as dictated by PCI DSS.
  2. Reviewing, monitoring, and updating compensation controls, security policy, conducting formal risk assessments, running awareness and training programs, and ensuring service provider compliance.
  3. Approval, deployment, and use of critical devices, Multi Factor Authentication implementation, and arranging for the documentation of critical device inventory, configuration of critical devices, and Remote Access technologies and reviewing firewall and router rule sets.
  4. Ensuring the running and maintaining anti-virus software and scans, deactivating user accounts (including third-party accounts) as dictated by PCI DSS, internal and external security/vulnerability scans, testing for unauthorized access and access points, and updating CDE location and flow diagrams.

Procedures

Authentication

All users of systems in the PCI Zone are required to follow strict password management procedures. In some cases, these requirements will be implemented by the owners of the relevant systems. In others, it will be the responsibility of the user to ensure these procedures are followed. The procedures below are the bare minimum requirement. If a system has procedures which are more restrictive than those outlined below, continue with the more restrictive procedures.

  1. Initial Passwords or Password Resets. 
    1. Passwords for new user accounts or after a password reset must be set to a unique random value.
    2. The unique random value password must be changed on first use. If possible, this will be required by the system. If the user is not prompted by the system to modify the password, it is their responsibility to change the password.
    3. Users must follow best practices for secure passwords. Examples can be found at http://servicedesk.ot.ca
  2. Password Aging Rule
    1. System owners and administrators are responsible for ensuring users regularly change their passwords. Enforce a password change at least every 90 days.
    2. Limit password reuse to the last 6 passwords.
  3. Multi Factor Authentication
    1. In addition to passwords, there will be situations where Multi Factor Authentication is required. The following scenarios require Multi Factor Authentication:
    2. An administrator is accessing the CDE from anywhere other than the server console.
    3.  A user is accessing the CDE through a Virtual Private Network tunnel (VPN)
    4. Users are required to contact IT services to obtain Multi Factor Authentication access if either of the situations above apply to them.
  4. Re-Authentication
    1. Any time a user steps away from a workstation that has access to the CDE should lock their computer to prevent inadvertent access by another user. At a minimum, screensavers that lock the computer should start after at most 15 minutes of inactivity, requiring re-authentication to access the system.
    2.  Systems should also have session time-outs, which require a user to re-authenticate.
  5. PCI Account Access and Management: Managers responsible for PCI account access and management are responsible for:
    1. Regularly reviewing accounts.
    2. Generate a report that contains the following types of accounts, and remediate as necessary
      • Locked accounts
      • Disabled accounts
      • Accounts with passwords exceeding the maximum age
      • Accounts with passwords that never expire
      • Accounts that cannot be associated with a business owner
  6. Revoking Access
    1. User credentials and other authentication methods need to be revoked as soon as possible upon an employee’s departure.
    2. Upon quarterly review of accounts, inactive accounts must be deactivated (at least every 90 days).
    3. Accounts must be locked out after 6 unsuccessful authentication attempts.
  7. Monitoring Inappropriate Account Usage
    1. System owners and administrators are responsible for ensuring that old accounts are not being used.
    2. Monitor account usage to identify dormant accounts, and determine appropriate action for those accounts.
    3. Monitor any attempts to use deactivated accounts.

Monitoring and review

These Procedures will be reviewed in one year from approval date and at least every three years.  The Vice-President, Administration, or successor thereof, is responsible to monitor and review these Procedures.

Relevant legislation

This section intentionally left blank.

Related policies, procedures & documents

Payment Card Industry (PCI) Sustainability Policy
Information Security Policy
Acceptable Use of Technology Policy