Payment Card Data Security Policy
- Related Documents: (PDF file) Payment Card Data Security Appendix: PCI-DSS Compliance Requirements; Commercial Activities Policy; Information Classification Standard and Handling Guidelines
- Unit or Role Responsible: Chief Information Security Officer
- Owner: Chief Financial Officer and Vice-President Administration and Operations
- Approver: President
- Date Issued: June 2019
- Review / Revision Dates: January 2026
I. Purpose
1. To communicate the rules and expectations necessary to ensure that the University remains in compliance with the Payment Card Industry Data Security Standard (“PCI-DSS”).
2. In order to accept card-based payments, all Merchants must comply with the PCI-DSS. Failure to comply with the PCI-DSS could result in the University incurring financial penalties and increase the possibility of a sensitive data breach.
II. Scope and Application
1. This Policy applies to all Merchants who accept any form of credit- or debit-card payments (including e-commerce/online or point-of-sale).
2. This Policy applies to the following areas/activities:
a. All applications/systems involved in payment card processing;
b. All entities/systems/databases that store, process or transmit Cardholder Data (CHD) and/or Sensitive Authentication Data (SAD);
c. All authorized Merchants conducting revenue-generating activities or operations as described in the Commercial Activities Policy;
d. Staff, faculty, volunteers, or students who handle or process debit and/or credit-card transactions and data, for academic, administrative or commercial purposes;
e. Third parties who handle or process payment card transactions and/or data on the University’s behalf, such as vendors, contractors, partners, etc.; and
f. IT staff who develop and maintain payment solutions for the IT infrastructure that supports the payment solutions.
This Policy does not apply to payments made by cash or cheque.
III. Definitions
“Cardholder Data” (or “CHD”): means the full unique payment card number (credit, debit, or prepaid cards, etc.) that identifies the issuer and the cardholder account, as well as any of the following: cardholder name, expiration date and/or service code.
“Cardholder Data Incident Response Plan”: means the documented procedure for responding to suspected or confirmed breaches of Cardholder Data, and outlines roles, responsibilities, communication, containment, investigation and recovery steps in compliance with PCI-DSS requirements.
“Merchant” means any University entity/department that accepts, processes, stores, or transmits payment cards (credit or debit) as payment for goods and/or services.
“PCI-DSS” (or “PCI”) means a standard created by the Payment Card Industry Security Standards Council that provides a baseline of technical and operational requirements to encourage payment card account data security and facilitate the broad adoption of consistent data security measures by all Merchants who store, process, transmit or have access to any form of cardholder data or Sensitive Authentication Data.
“Policy” means the Payment Card Data Security Policy.
“Self Assessment Questionnaire” (or “SAQ”): is a required document that Merchants must fill out annually in order to be PCI-DSS certified. There are several types of SAQ; therefore, it is important to select the questionnaire type best suited to the specific types of transactions conducted by the Merchant.
“Sensitive Authentication Data” (or “SAD”): means security-related card information used to authenticate cardholders and/or authorize payment card transactions. This information includes, but is not limited to, card verification codes, card magnetic stripe data, personal identification numbers, and personal identification number blocks.
“University” means Toronto Metropolitan University.
IV. Policy
1. Each University Merchant is accountable for maintaining PCI-DSS compliance in accordance with this Policy and any additional requirements described in Appendix A - PCI-DSS Council Requirements. In addition to the implementation of the required business processes and safeguards, Merchants will also be responsible for sharing all costs associated with the operation of the University’s PCI compliance program.
General Requirements
2. Data Sensitivity and Controls: CHD and SAD are classified as highly-sensitive data and, as such, must be handled following the controls described in the Information Classification Standard and Handling Guidelines.
3. Cardholder or Sensitive Authentication Data Storage: CHD and SAD must not be stored on any University system. This includes email, PDFs, spreadsheets, databases, shared drives, Word documents, Google documents, Google Drive, etc. Any unintentional or accidental storage of CHD or SAD must be promptly reported to the Chief Information Security Officer and securely deleted upon discovery.
4. Payment Processing: Merchants must use University-approved PCI-DSS certified payment processing services for all card payments. Some examples of approved services include payment PIN pads or authorized virtual terminals directly connected to PCI-certified payment providers.
5. Fax-Based Payment: Fax transmission of CHD is permissible only if the receiving fax machine is a dedicated fax machine (non-multipurpose), it is connected via an analog telephone line, and the machine itself is in a secure location.
6. Paper Records: Paper-based records of CHD must be stored in a physically-secure location with highly-restricted access, and when no longer needed, these records must be securely destroyed, such as through a University-approved shredding provider.
7. End-User Messaging: Merchants are not permitted to accept credit card payments or information via email or any end-user messaging platform. If a Merchant receives unsolicited credit card data via any of these platforms, the Merchant should refer to the University’s PCI training for guidance on how to properly respond to such incidents.
8. New Payment Methods/Equipment: All Merchants seeking to significantly change payment methods (for example, to implement new payment methods, switch providers or add new PIN pads) must first consult with and gain approval from Financial Services and the Chief Information Security Officer.
9. Merchant Duty to Report: All suspected or known policy violations or suspected loss of CHD or SAD must be reported to the Chief Information Security Officer and the steps in the Cardholder Data Incident Response Plan made available by the Chief Information Security Officer must be followed. For privacy incidents involving personal information, contact the Privacy Office.
10. Clarification of this Policy: Each Merchant conducting payment transactions should seek clarification from the Chief Information Security Officer about the interpretation of this Policy.
11. Payment of Fines for PCI Non-Compliance: Each Merchant is responsible for the payment of any fines incurred by the University for PCI-DSS non-compliance.
V. Roles and Responsibilities
1. Merchants shall:
a. Identify and document all forms of card-payment activities which occur in their business area and maintain a list of associated systems used to process these payments;
b. Assign responsibility for the following tasks to individual(s) in their department:
i. Inspection of PIN pads, terminals or payment processing workstations for signs of tampering, unauthorized new accounts or card skimming devices on a weekly basis.
ii. Completion of the applicable Self Assessment Questionnaire (SAQ) on an annual basis.
iii. Requiring that all contracted payment processing organizations provide the University with an Attestation of Compliance document on an annual basis.
iv. Maintaining an up-to-date list of individuals, including full- or part-time employees, temporary employees, volunteers, contractors, consultants, or others who may access CHD. PCI compliance procedures and responsibilities must be re-evaluated following any personnel changes and all such changes must be promptly reported to the Chief Information Security Officer.
v. Ensuring that all individuals involved in handling cardholder transactions annually complete PCI Awareness Training when instructed to do so.
vi. Ensuring that an authorized and certified PCI payment method is used for all payment card transactions.
c. Be accountable for their share of the costs associated with operating the PCI compliance program.
2. Financial Services shall:
a. Plan, authorize, and fund external PCI-DSS audits as needed;
b. Review and approve all new Merchants and payment providers onboarding;
c. Assist with PCI-DSS awareness training program activities; and
d. Maintain an authorized list of payment providers and PIN pad hardware.
3. Chief Information Security Officer shall:
a. Chair and conduct the University’s PCI-DSS Steering Committee meetings on a regular basis. The Committee reviews the operationalization of the University’s compliance requirements with the PCI-DSS and may provide guidance to Merchants to support their PCI compliance;
b. Ensure that all PCI-related hardware and systems are properly designed and isolated from all other systems;
c. Provide technical consultation to new Merchants on how best to offer payment systems and streamline business processes for card payments;
d. Ensure quarterly external scans are conducted by an Approved Scanning Vendor as required by the PCI-DSS;
e. Assist Merchants with completing the SAQs as needed;
f. Ensure that completed Merchant SAQs are securely stored annually;
g. Administer the Cardholder Data Incident Response Plan;
h. Ensure that all systems and networks that process, store, or transmit CHD or SAD are securely configured and maintained; also ensure that processes are implemented to protect these systems from malware.
4. Internal Audit shall:
a. Consider the applicability of PCI-DSS as part of all audits conducted;
b. Conduct assurance activities to support Financial Services and the Chief Information Security Officer in their management of the PCI compliance program;
c. Execute PCI-DSS audits for specific Merchants if requested by the PCI Steering Committee or executive leadership; and
d. Report PCI-DSS-related audit findings to the PCI Steering Committee.