Financial Services Policies & Procedure
These procedures are designed to ensure that all bank card transactions at Thompson Rivers University are conducted in the most secure, confidential and reliable manner possible. All Merchants that accept debit or credit cards for payment must follow these procedures for the protection of cardholder data, along with all University Policies relating to bank card transactions and data security and the most current version of the Payment Card Industry Data Security Standard (PCI DSS).
Policy and Procedure
All TRU Merchants must comply with the following to ensure the security of cardholder data and to protect the University from reputational, financial and legal liability:
- the most current version of the PCI DSS;
- the terms and conditions of the Merchant Agreement with the Merchant Account Provider (this agreement can be obtained from Financial Services);
- all Card Brand Rules and Regulations and the operating manual of any point of sale device;
- Thompson Rivers University Financial Procedures;
- Thompson Rivers University Information Security Standards and Policies.
Basic Payment Card Guidelines
How do I get approval for bank card processing?
Financial Services must approve all bank card processing activities at the University, including processing transactions online (ecommerce), through an outsourced third party and through point of sale devices.
Departments and units may only accept payments if Merchant Accounts have been established and approved by Financial Services. Merchant Accounts must be established using the University's preferred payment card processing provider(s). Departments and units are prohibited from entering into other payment arrangements with any other service provider(s), including PayPal.
Use of an alternative payment provider and/or payment gateway may be approved as a case-by-case exception by the TRU PCI Steering Committee.
What are the costs associated with accepting bank card payments?
All costs associated with accepting bank card payments will be charged to departmental accounts centrally by Financial Services. These costs include (but are not limited to):
- Setup fees;
- Transaction fees;
- Merchant discount fees;
- Monthly service fees;
- Terminal rental fees.
In addition, Merchants will be responsible for any costs associated with achieving and maintaining compliance with PCI DSS, which may include security scanning, auditing and remediation work to ensure PCI compliance. Merchants will also be responsible for costs associated with any security breaches as a result of the non-compliance with the requirements of this policy and associated procedures.
Is mandatory awareness training required for all employees involved in bank card processing?
Employees must be knowledgeable about how to process bank card transactions and must be aware of the sensitivity of cardholder data. In particular, the card number, card verification code, card expiry date and cardholder name are information that must be protected at all times. Employees must understand that they are responsible for holding cardholder data in confidence at all times and that it may only be disclosed for a required business purpose.
Unit leaders must know their bank card processes and be aware of their employees and their backgrounds. Hiring managers must complete an appropriate background investigation before hiring candidates who will have access to cardholder data. The background check must be appropriate for the level of access to cardholder data the position carries. Background investigations can include previous employment history, a criminal record check, enhanced reliability clearance, etc.
Training for bank card processing must be provided to all new employees and at least annually to existing employees.
Employees must be aware of TRU's Breach Protocol and understand how to report a potential bank card information breach.
All employees must attend annual PCI Awareness Training per the TRU - Information Security and Privacy Awareness Training Standard.
How can bank card payments be accepted at TRU?
The following methods for accepting debit and credit card payments are permitted:
- Point of Sale (POS) processing using the designated payment processor;
- eCommerce solutions, including eForms, that use an approved payment gateway providing web-based processing through a PCI compliant service provider. Cardholder data is then entered on the service provider's page, not on a web page hosted on TRU's network.
Use of alternative methods may be approved, on a case-by-case basis, by the TRU PCI Steering Committee. To further ensure compliance, a current Attestation of Compliance (AOC) must be obtained annually for every Payment Application in use. This AOC must be forwarded to the TRU PCI Steering Committee.
What are the rules around electronic storage and transmission of cardholder data?
The storage of cardholder data at Thompson Rivers University, whether on a computer, in a database, on a server or in hard copy, is strictly prohibited without approval of the TRU PCI Steering Committee. Any electronically stored cardholder data must be protected with strong encryption at all times. Cardholder data must be securely erased immediately after authorization or, in the case of approved stored data, as soon as the business process is completed.
Electronic media (e-mail, text messaging, etc.) is not a secure method to send or receive cardholder data and is strictly prohibited as a means of accepting cardholder data. Merchants must inform the customer that electronic media is not an accepted form of receiving payment information and provide the customer with a PCI compliant option to process their payment. Merchants are strictly prohibited from processing payments using cardholder data received over electronic media.
If cardholder data is received via e-mail, it must be deleted from all folders, including Sent Items, and the trash folder must also be purged. If you reply to an e-mail containing cardholder data, the cardholder data must be removed from the quoted message before the reply is sent.
Fax machines may only be used to receive cardholder data if the machine is connected using an analog phone line. If the fax machine is connected through a network connection, it is considered electronic media and prohibited as a means of accepting cardholder data.
Voicemail is also considered electronic media. If you receive cardholder data via voicemail the message must be deleted immediately. Storing cardholder data on voicemail is strictly prohibited.
Access to Cardholder Data
Access to cardholder data must be limited to those who require this information for business purposes. The assignment of these privileges must be based on job classification and function. Unit leaders must identify and document positions that require access to cardholder data. Privileges and access must be revoked immediately upon termination or reassignment of roles.
Visitors must be authorized before entering areas where cardholder data is processed or stored. Visitors must sign a visitor log, be identified with a visitor badge and be escorted when in highly sensitive areas. This does not include areas where only point of sale devices are present.
All vendor-supplied default passwords must be changed before a device or system is placed into service. Operational procedures for managing vendor defaults and other security parameters must be documented, in use and known to those who process bank card transactions.
Retention of Cardholder Data
Cardholder data should only be stored for the minimum period of time necessary to process the transaction. Cardholder data must be kept in a secure location at all times (e.g. in a locked cabinet inside a locked room). Storage of cardholder data must be kept to a minimum by implementing data retention and disposal policies.
The three or four digit verification code may only be requested if it is necessary to complete a card-not-present transaction. This code must never be retained, in any form, after the payment has been authorized.
Transaction records kept for audit purposes must be retained for a period of seven years and should carry no more cardholder data than the business need requires (never the verification code). All paper-based records containing credit or debit card information must be kept in a secure area with access restricted to only those employees who require it. All paper-based documents containing credit card information must be inventoried annually.
Disposal of Cardholder Data
Each Merchant must abide by the TRU Information Classification Standards for destruction of cardholder data. All documents containing cardholder data should be properly disposed immediately upon completion of business need.
Cardholder data that is no longer required must be destroyed using a cross-cut shredder or through TRU's approved destruction vendors.
Point of Sale Devices
All point of sale (POS) devices must be secured and protected at all times. This includes securing the device in a locked safe, cash drawer and/or other secured area when the device is not in use. POS devices must be inspected daily for any signs of tampering or substitution of the device.
All employees who operate POS devices, and those who supervise these employees, must be properly trained on the devices. This includes detecting tampering with a POS device and knowing what to do if tampering is suspected. An incident response plan must be clearly communicated to all employees and easily accessible (for example, a printed copy near the point of sale device).
Merchants with POS devices should refer to the Point of Sale Device Integrity List to ensure proper procedures are followed to secure and inspect their POS devices. Each box in the list must be initialed after inspection of that item. If any evidence of tampering is identified, contact the TRU Information Security Office immediately.
All POS devices must be registered in one of TRU's PCI VLANs. The Merchant must notify ITS when a network-connected POS device is installed so that ITS can place the device in the appropriate PCI VLAN; a POS device must not be left on any other TRU network segment.
Processing Bank Card Transactions
The ability to process bank card transactions through any payment system (including point of sale terminals) must be limited to those individuals whose job requires such access.
The Merchant must ensure that all transactions represent a legitimate sale of goods or services in the ordinary course of its business. All refunds of bank card transactions must be processed back to the card on which the purchase was made. No cash refunds shall be given for transactions that were originally processed on a bank card.
The Merchant cannot discriminate against a method of payment that it has agreed to accept. For example, a merchant that accepts bank card payments through a point of sale terminal must offer chip-and-PIN processing.
The Merchant must reconcile daily receipts and report all revenue and bank deposits to the Finance department on a daily basis.
TRU's Breach Protocol
All Merchant leaders and employees who process or have access to cardholder data must read and understand TRU's Breach Protocol. This plan must be displayed for employees in areas where bank card transactions are processed and where cardholder data is stored.
If a Merchant knows or suspects that cardholder data has been compromised, or that a point of sales device has been tampered with, the incident must be reported following the steps outlined in TRU's Breach Protocol.
Security alerts and information must be monitored, analyzed and distributed to the appropriate personnel. This information can be communicated to the Merchant by the payment processor, the Manager Information Security, Financial Services and/or the TRU PCI Steering Committee.
TRU's Breach Protocol can be found here.
Changes to Your Bank Card Processing Environment
Any changes in your payment applications and/or your bank card processes that would affect TRU's PCI environment must be reported to the TRU PCI Steering Committee for approval. No changes are permitted to your bank card processing environment without approval from Financial Services.