University of Saskatchewan PCI DSS Compliance Program
The university is required to embark on a formal credit card security program to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). ICT Security, Access and Compliance and Financial Operations are jointly leading this compliance initiative. We remain on track to be compliant by April 13, 2016.
To help ensure we stay on track to compliance, the following three principles will be used to manage the scope of activities that must be completed to become compliant.
- The University of Saskatchewan and its subsidiaries will not enter into any contract with a third-party service provider that affects the university’s cardholder data environment unless the contract includes the university’s PCI DSS contract schedule. One of our most significant challenges to compliance is helping our service providers understand their obligations under PCI DSS. This principle ensures that any agreements we enter into will support compliance. The procurement professionals in Purchasing Services can help you determine whether contracts you are entering into fall under these principles.
- Any third-party service provider or third-party application that is not PCI DSS compliant or PA-DSS compliant, or that does not have an approved PCI DSS compliance strategy by March 1, 2016, will have its merchant accounts closed effective March 31, 2016. We have worked with several units to review their service providers in order to ensure compliance or establish mitigating strategies. For the university to achieve compliance, it may be necessary to close individual merchant accounts until compliant strategies can be identified.
- There will be a moratorium on any enhancement or new service that involves payment card processing and is not required for the university to achieve formal PCI DSS compliance by April 13, 2016. Such new services and enhancements will be addressed after April 13, 2016, as part of the university’s ongoing PCI DSS program. New services or enhancements to credit card acceptance solutions would jeopardize our ability to achieve compliance by April 13, 2016. To manage this, new services and enhancements that were not included in the original PCI DSS compliance scope will be put on hold until we have achieved compliant status.
In 2014, with the release of PCI DSS version 3.1, it became apparent that the university would soon be asked to demonstrate formal PCI DSS compliance. In anticipation, the university contracted a PCI DSS Qualified Security Assessor (QSA) to perform a gap analysis and readiness review of our credit card processing governance and procedures. This gap report was completed by the end of 2014. As the gap report highlighted, PCI DSS version 3.1 requires that all service providers demonstrate to the university that they hold formal PCI DSS compliance.
As anticipated, the university was advised in April 2015 by Moneris, our credit card acquiring bank, that we must demonstrate formal compliance with the PCI DSS by April 2016.
The PCI DSS compliance process requires all credit card processing done by the university, or on behalf of the university, to be compliant. A university-branded website hosted by a service provider is in scope. There can be no exceptions. Failure to achieve compliance can result in substantial and escalating fines, higher service costs, increased liability and potential reputational damage. Consequently, the university’s Board of Governors has approved funding to begin meeting the compliance requirements.
PCI DSS Compliance FAQ
- What is PCI?
- The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. Essentially, it applies to any merchant that has a Merchant ID (MID).
- The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
- It is important to note that the payment brands and acquirers (in the university’s case, Moneris) are responsible for enforcing compliance, not the PCI Council.
- To whom does PCI apply?
- PCI applies to any organization—merchant or service provider—regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
- What is the definition of ‘merchant’?
- For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but is also a service provider if it hosts merchants as customers.
- What constitutes a Service Provider?
- Any company that stores, processes or transmits cardholder data on behalf of another entity is defined as a service provider by the Payment Card Industry (PCI) guidelines.
- If I only accept credit cards over the phone, does PCI still apply to me?
- Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.
- Do organizations using third-party processors have to be PCI compliant?
- Yes. Merely using a third-party company does not exclude an organization from PCI compliance. It may reduce the organization’s risk exposure and consequently reduce the effort needed to validate compliance, but it does not mean the organization can ignore PCI.
- Is PCI DSS compliance a one-time effort?
- No. The university must demonstrate compliance annually to our acquiring bank, Moneris. This includes submitting the appropriate Self-Assessment Questionnaires (SAQs), signed by the university’s PCI DSS Qualified Security Assessors (QSAs) and administration, along with the results of quarterly security testing.
Dr. Lawrence Dobranski, P.Eng.
ICT Director of Security Access and Compliance