University of Saskatchewan PCI DSS Compliance Program
To help ensure we maintain compliance, the following principles will be used.
- The University of Saskatchewan and its subsidiaries will not enter into any contract with a third-party service provider that affects the university’s cardholder data environment unless the contract includes the university’s PCI DSS contract schedule. One of our most significant challenges to compliance is helping our service providers understand their obligations under PCI DSS. This will ensure that any agreements we enter into will support compliance. The procurement professionals in Purchasing Services can help you examine whether contracts you are entering into fall under these principles.
- Any third-party service provider or third-party application that is not PCI DSS compliant, PA-DSS compliant, or does not have an approved PCI DSS compliance strategy will not be granted a merchant account. We have worked with several units to review their service providers to ensure compliance or establish mitigating strategies. For the university to achieve compliance, it may be necessary to close individual merchant accounts until compliant strategies can be identified.
PCI DSS Compliance FAQ
- What is PCI?
- The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. Essentially, it applies to any merchant that has a Merchant ID (MID).
- The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
- It is important to note, the payment brands and acquirers (in the university’s case, Moneris) are responsible for enforcing compliance, not the PCI council.
- To whom does PCI apply?
- PCI applies to any organization—merchant or service provider—regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
- What is the definition of ‘merchant’?
- For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but is also a service provider if it hosts merchants as customers.
- What constitutes a Service Provider?
- Any company that stores, processes or transmits cardholder data on behalf of another entity is defined as a service provider by the Payment Card Industry (PCI) guidelines.
- If I only accept credit cards over the phone, does PCI still apply to me?
- Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.
- Do organizations using third-party processors have to be PCI compliant?
- Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.
- Is PCI DSS Compliance a one time effort?
- No. The university must demonstrate compliance annually to our acquiring bank, Moneris. This includes submitting the appropriate Self-Assessment Questionnaires (SAQs), signed by the university’s PCI DSS Qualified Security Assessors (QSAs) and administration, along with the results of quarterly security testing. The PCI DSS compliance process requires all credit card processing done by the university, or on behalf of the university, to be compliant. A university-branded website hosted by a service provider is in scope. There can be no exceptions. Failure to achieve compliance can result in substantial and increasing fines and service costs, increased liability, and the potential for reputational damage. Consequently, the university’s Board of Governors has approved funding to begin meeting the compliance requirements.
For more information on PCI compliance, contact:
Wendy Tchoursine at firstname.lastname@example.org