University of Regina Policy

Payment Card Data Security

Category: Operations
Number: OPS-030-010
Audience: All University employees responsible for payment card transactions
Issued: December 15, 2023
Revised: December 15, 2023
Owner(s): AVP (Finance), AVP (Information Services)
Approved by: VP (Administration)
Contact: Director, Executive Reporting – 306-585-5351

Introduction

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment to protect consumers. This policy sets out the authority and responsibility for PCI DSS compliance at the University of Regina.

This policy is intended to guide the work of all University units and functions that collect money via payment cards, whether via phone, point-of-sale (POS) terminals, e-commerce/online, or any other method. PCI DSS compliance is the responsibility of all employees who process payment card transactions.

Policy

The purpose of this policy is to reaffirm the University of Regina’s commitment to maintaining secure and reliable payment processing services, and to communicate the rules and requirements to ensure the University remains in compliance with the Payment Card Industry Data Security Standards (PCI DSS).

This policy applies to all Faculties, Units, employees, and any third-parties acting on behalf of the University who accept credit-card or debit-card payments and who store, process or transmit card-holder data (CHD). This includes:

  • All applications/systems/networks involved in payment-card processing;
  • All entities/systems/databases that store, process or transmit CHD; 
  • All staff, faculty, volunteers, or students who manage or process debit and/or credit-card transactions and data for any purpose;
  • Third-parties who manage or process debit and/or credit transactions and data on behalf of the University; and
  • IS staff who develop and maintain the systems and infrastructure that support payment processing.

This Policy does not apply to payments made by cash or cheque.

Any access to CHD must be protected with an identification and authentication process. The card-holder data environment (CDE) must be designed and maintained to resist attacks, limit any potential damage/loss, and ensure continuity of critical services.


Roles and Responsibilities

Associate-Vice President, Information Services

  • Serve as the Chief Security Officer (CSO) as required by PCI DSS, or appoint a designate to serve in this capacity
  • Ensure IS resources are in place to actively monitor network activity relating to the Virtual Local Area Networks (VLANs) of the POS Terminals and take appropriate action to investigate any suspicious events
  • Establish and review this policy


Associate-Vice President, Finance

  • Distribute this policy and related procedures to relevant personnel
  • Ensure that advisories that may be received from payment processors from time to time are shared, as required


PCI Committee

  • Includes one representative from each of Financial Services and Information Services, appointed by the respective Associate Vice-President (AVP FS; AVP IS)
  • Coordinate the completion of the SAQ on an annual basis
  • Review PCI DSS and ensure standards are being met; where they are not met, create a plan to move to compliance
  • Recommend updates to this policy to reflect changes to business objectives or identified risks


Employees and/or Third-party payment processors who process payment card transactions

  • Protect CHD in accordance with PCI DSS as instructed by Financial Services and/or Information Services


Consequences for Noncompliance

The University is required to comply with PCI DSS requirements or face consequences that range from financial penalties up to termination of services.

Employees who do not comply with this policy may be subject to disciplinary action.

Academic/administrative units found to be in non-compliance may face interruption or termination of services, including those related to payment processing.

Processes

Related Information