

This online version is for convenience; the official version of this policy is housed in the University Secretariat. In case of discrepancy between the online version and the official version held by the Secretariat, the official version shall prevail.

Approving Authority: President

Original Approval Date: May 2, 2012

Date of Most Recent Review/Revision: N/A

Office of Accountability: VP: Finance and Administration

Administrative Responsibility: Financial Resources

Purpose

1.00 Electronic payment processing is increasingly becoming a common payment method. This policy sets out acceptable practices for processing and handling electronic payments, including e-commerce transactions, across the University community. Central to this policy is the practice that there is no electronic storage of cardholder data on the University network. This moves the risk and the Payment Card Industry Data Security Standard (PCI DSS) compliance requirements to our merchant and/or e-commerce provider.

Definitions

2.01 Cardholder Data: At a minimum, cardholder data contains the full primary account number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: Cardholder name, expiration date, or service code.

2.02 E-commerce: The selling of products or services and processing payments over the Internet.

2.03 PCI DSS: Payment Card Industry Data Security Standard.

Jurisdiction/Scope

3.00 This policy applies to all University departments at any campus or location that collect payments via credit card. Any direct supervisor of employees, and/or employees handling cardholder data, must follow the Merchant Card Use Policy and its related procedures where applicable. A list of procedures is in section 5.01 of this policy.

Policy

4.01 Employee Screening and Training:

All employees handling cardholder data must be screened prior to commencing employment and must receive training regarding the security of this information. Employees and supervisors of employees handling cardholder data must follow the Employee Compliance and Training Procedures.

4.02 Handling, Use and Storage of Data:

a. In order to provide adequate security for cardholder data, Retention and Handling of Cardholder Data Procedures must be followed. It is imperative that there be no electronic storage of cardholder data on the University network.

b. Cardholder data will only be held for the minimum amount of time required, as specified in the Retention and Handling of Cardholder Data Procedures.

c. Data will be kept secure, and personal information will be used for only the purpose for which it was obtained (see policy 10.1 Information Availability and Privacy Protection).

4.03 E-Commerce:

a. Web pages designed to collect electronic payment for goods and services must be developed in consultation with Finance and Administration and Information Technology Services.

b. All e-commerce should be directed to a third party hosted pay page provided by the University’s approved electronic merchant and/or e-commerce provider.

c. A University-wide e-commerce system will provide all departments with the ability to process electronic payments. All departments are required to use the University-wide system and pay the applicable user fee. Exceptions may be made for departments where it is infeasible to use the University-wide system. Legacy systems that are fully PCI DSS compliant will be allowed to continue but will be phased out within 5 years.

d. All third party providers of card processing activities used by the University must meet PCI DSS and provide annual proof of monitored compliance. Departments approved to engage their own third party hosted pay pages may be subject to an external audit at the expense of the department and must comply with University standards for data security. These departments will be responsible for all aspects of negotiating and managing the relationship with the third party provider (see policy 5.5 Signing Authority for External Contracts for Services Other than Teaching Provided by the University).

e. Departments may not enter into separate arrangements with Financial Service Providers (see policy 5.6 Selection of Financial Service Providers).

4.04 Creation of New Merchant Accounts:

When new merchant accounts are created, Establishing Merchant Accounts Procedures will be followed.

4.05 Review and Validation Process:

a. An annual review process shall take place to identify threats and vulnerabilities, resulting in a formal risk assessment. This review will be conducted by the office of administrative responsibility, and the necessary updates will be made.

b. The University shall comply with any validation requirements set out by PCI DSS.

Related Policies, Procedures and Documents

5.01 Related Procedures:

5.02 Related Policies:

5.03 PCI Security Standards Council Guidelines and Standards
