Payment Card Industry Data Security Standard (PCI DSS)

Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard assembled and maintained by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around cardholder data and its exposure to compromise. The standard applies to all organizations that hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.

How does that relate to ePayment?

UBC has a mandate from the Province of British Columbia to be PCI Compliant and to maintain that compliance going forward. This applies to all merchants across UBC; ePayment has completed an official assessment with an external auditor to show that we are PCI Compliant. This assessment has been done for all ePayment merchants and must be conducted again every year to ensure that compliance is maintained.

Due to ever-changing technology and emerging vulnerabilities, a new version of PCI DSS is released every two years. Consequently, PCI DSS compliance is not a one-time exercise. You and others who use ePayment within your department/unit must follow secure procedures and have appropriate technology in place. If you are not able to maintain compliance, your access to ePayment will be removed. If this happens at the departmental or unit level, your ePayment account will be closed.

Currently the security officer at UBC is reviewing the latest version of PCI DSS. If there are new procedures that must be followed or technology that must be deployed, you will be notified appropriately.

For more information on PCI DSS and UBC, please visit UBC Finance.

Key Responsibilities

In order to maintain compliance, you and your staff members who use ePayment must adhere to the following key responsibilities. In addition, since PCI DSS relies on having appropriate technology in place, a clear relationship must be maintained between you and either your IT administrator or your Developer so that they understand and adhere to their key responsibilities.

If you are using ePayment Web Service or ePayment Student Financial Account:

You and your staff members:

• Must provide the intended use of your merchant system that relates to ePayment. If it changes, you will need to inform ePayment Support.
• Must NOT store, transmit or receive any sensitive credit card data, such as the full 16-digit card number and security code.
• Must NOT process any payments on behalf of your customers.
• Must NOT provide dedicated computers for your customers to use to make credit card payments.
• Must NOT explicitly direct your customers to use a specific UBC or merchant computer to make credit card payments.
• Must comply with all necessary PCI DSS changes.

Your Developer:

• Must provide the IP address(es) of your merchant system for vulnerability scans. If they change, your Developer will need to inform ePayment Support.
• Must rectify any issues that ePayment Support raises in regards to your merchant system in a timely manner.
• Must comply with all necessary PCI DSS changes.

If you are using ePayment Virtual Terminal:

You and your staff members:

• Must provide details on how you are using ePayment Virtual Terminal. If it changes, you will need to inform ePayment Support.
• Must only store, transmit, receive and dispose of sensitive credit card data via UBC PCI DSS approved methods.
• Must report all data security incidents as per UBC IT's Incident Response Plan (IRP).
• Must attend all training sessions required by ePayment Support.
• Must comply with all audits required by ePayment Support.
• Must access Virtual Terminal only on approved Virtual Terminal machines.
• Must inform ePayment Support of any staff changes that affect ePayment Virtual Terminal.
• Must comply with all necessary PCI DSS changes.

Your IT Administrator:

• Must provide the IP address(es) of all your approved Virtual Terminal machines for vulnerability scans. If they change, ePayment Support must be informed.
• Must comply with all audits required by ePayment Support.
• Must ensure that Virtual Terminal machines are maintained and have the appropriate PCI software controls installed and enabled at all times.
• Must rectify any issues on the Virtual Terminal machines in a timely manner as per UBC IT's Incident Response Plan (IRP).
• Must log and document all changes or issues detected on the Virtual Terminal machines.
• Must comply with all necessary PCI DSS changes.

UBC Information Technology