PCI Compliance

The University of Alberta manages PCI Compliance centrally. All departments, faculties and units are required to follow the direction from Finance, Procurement and Planning (FPP) when activating payment for goods or services through a Point of Sale terminal (POS) or e-commerce account.

Procurement and Contract Management (PCM) within FPP manages the day-to-day requirements of PCI compliance. This includes:

  • Setup of new merchant accounts
  • Closure of accounts
  • POS and e-Commerce training
  • POS terminal deployment and returns
  • Records Management

For assistance with your Merchant Account requirements, please contact the Staff Service Centre for direction.

TRAINING videos

The following videos have been developed to assist users in operating point of sale devices. Note: You must be logged in with your ualberta email address in order to view the videos.

frequently asked questions

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process.

The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover, Union Pay, and JCB.).

It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

Who does PCI DSS apply to?
The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
Where can I find the PCI Data Security Standard (PCI DSS)?
The current PCI DSS documents can be found on the PCI Security Standards Council website.
What are the PCI compliance ‘levels’ and how are they determined?

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’).

In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level.

If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.

Merchant levels as defined by Visa:

Merchant Level # 1: Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Merchant Level #2: Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.

Merchant Level #3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

Merchant Level #4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

What does a small-to-medium sized business (Level 3 or 4 merchant) have to do in order to satisfy the PCI DSS requirements?

To satisfy the requirements of PCI, a merchant must complete the following steps:

  • Determine which Self-assessment Questionnaire (SAQ) your business should use to validate compliance.
  • Complete the Self-assessment Questionnaire according to the instructions provided.
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note scanning does not apply to all merchants. It is required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.
  • Complete the relevant Attestation of Compliance (AOC) in its entirety (located in the SAQ tool).
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of compliance, along with any other requested documentation, to your acquirer.
If we are taking credit card information by phone, how does it affect our PCI requirements?

The following post, “How Does Taking Credit Cards by Phone Work with PCI?” explains your PCI compliance responsibilities when taking credit card information over the phone (e.g., in a call center). Note that while this post was published in 2014, it is still relevant with the current version of the PCI DSS.

If I only accept credit cards over the phone, does PCI DSS still apply to me?
Yes. All businesses that store, process or transmit payment cardholder data must be PCI Compliant.
Do organizations using third-party processors have to be PCI DSS compliant?

Yes. Merely using a third-party company does not exclude a company from PCI DSS compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore the PCI DSS.

My business has multiple locations, is each location required to validate PCI compliance?

If your business locations process under the same Tax ID, then typically you are only required to validate once annually for all locations. And, submit quarterly passing network scans by a PCI SSC Approved Scanning Vendor (ASV) for each location, if applicable.

Our department doesn’t store credit card data so does PCI compliance apply to us?
If you accept credit or debit cards as a form of payment, then PCI compliance applies to you. The storage of card data is risky, so if you don’t store card data, then becoming secure and compliant will be easier.
Are debit card transactions in scope for PCI?
Debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard, Union Pay, and Visa International are all in scope.
Am I PCI compliant if I have an SSL certificate?
No. SSL certificates do not secure a web server from malicious attacks or intrusions.
Our unit wants to store credit card data. What methods can we use?

The university strongly discourages storing credit card data. Prior to proceeding with the storage of credit card data, please contact the Universities PCI Compliance area for direction at eilist@ualberta.ca.

Most merchants that need to store credit card data are doing it for recurring billing. The best way to store credit card data for recurring billing is by utilizing a third party credit card vault and tokenization provider. By utilizing a vault, the card data is removed from your possession and you are given back a “token” that can be used for the purpose of recurring billing. By using a third party, you move the risk of storing card data to someone who specializes in doing that and has all of the security controls in place to keep the card data safe.

If you need to store the card data yourself, your bar for self-assessment is very high and you may need to have a QSA (Qualified Security Assessor) come onsite and perform an audit to ensure that you have all of the controls in place necessary to meet the PCI DSS specifications.
What are the penalties for non-compliance?

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant.

The bank could terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to an organization.

What is defined as ‘cardholder data’?

The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:

  • Cardholder name
  • Expiration date
  • Service code

Sensitive Authentication Data, which must also be protected, includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more.

What is the definition of ‘merchant’?

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, Union Pay, JCB, MasterCard or Visa) as payment for goods and/or services.

A merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers. Source: PCI SSC
What constitutes a Service Provider?

The PCI SSC defines a Service Provider this way:

“Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.” (Source: www.pcisecuritystandards.org)

The “merchant as a service provider” role is further specified by the PCI SSC as “a merchant that accepts payment cards as payment for goods and/or services…if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.” Learn more about how to achieve compliance as a Service Provider. See our blog post, “PCI Compliance and the Service Provider.

What constitutes a payment application?

The term payment application has a very broad meaning in PCI. A payment application is anything that stores, processes, or transmits card data electronically. This means that anything from a Point of Sale system in a restaurant to a website e-commerce shopping cart are all classified as payment applications.

Any software that has been designed to touch credit card data is considered a payment application.

What is a Payment Gateway?
Payment Gateways connect a merchant to the bank or processor that is acting as the front-end connection to the card brands. They are called gateways because they take many inputs from a variety of different applications and route those inputs to the appropriate bank or processor. Gateways communicate with the bank or processor using dial-up connections, web-based connections or privately held leased lines.
What is PA-DSS?

PA-DSS refers to Payment Application Data Security Standard maintained by the PCI Security Standards Council (SSC) to address the critical issue of payment application security. The requirements within the PA-DSS are designed to ensure that vendors provide products which support merchants’ efforts to maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data.

The PCI SSC administers the program to validate payment applications’ compliance against the PA-DSS, and publishes and maintains a list of PA-DSS validated applications. See PCI Security Standards for more information. Also see the blog post on the critical difference between the PCI DSS and PA-DSS here.
Can the full credit card number be printed on the consumer’s copy of the receipt?

PCI DSS requirement 3.3 states:

Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).

While the requirement does not prohibit printing of the full card number or expiry date on receipts (either the merchant copy or the consumer copy), please note that PCI DSS does not override any other laws that legislate what can be printed on receipts

Do I need vulnerability scanning to validate compliance?
If you qualify for certain self-assessment Questionnaires (SAQs) or you electronically store cardholder data post authorization, then a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required to maintain compliance.
What is a vulnerability scan?

A vulnerability scan involves an automated tool that checks a merchant or service provider’s systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider.

The scan identifies vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. Learn more about vulnerability scans here.

How often do I have to have a vulnerability scan?
Every 90 days/once per quarter, those who fit the above criteria are required to submit a passing scan. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer.
What should I do if I’m compromised?
While many payment card data breaches are easily preventable, they can and do still happen to businesses of all sizes. If your department or unit is compromised, contact the University PCI Compliance unit immediately at eilist@ualberta.ca.