Skip to main content Skip to site utility navigation Skip to main site navigation Skip to site search Skip to footer
Menu

Payment Card Industry Compliance Policy

Ref. No. Executive sponsor Policy steward Approval authority First approved Last reviewed Effective date Next review
62.31 Vice President, College Services and Strategy Chief Financial Officer Executive Council Nov. 22, 2016 April 2024 May 9, 2024 2029
  1. Purpose
    1. The purpose of this policy is to establish guidelines for processing credit card payments to ensure compliance with Payment Card Industry Data Security Standards (PCI-DSS).
    2. PCI-DSS defines the security requirements for transferring, handling and storing credit card information. Adhering to these standards will provide reasonable assurance that sensitive cardholder data received by NSCC during the processing of credit card payments is protected to the greatest extent possible.
  1. Scope
    1. This policy applies to all NSCC employees who are involved in accepting or processing credit card payments and pertains to all credit card transactions processed by NSCC.
  1. Definitions
Term Definition
Cardholder Data Credit card information that can be compromised including the primary account number used with any of the following: expiration date, cardholder name or Card Verification Value code.
Cardholder Data Environment (CDE) The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
Card Verification Value (CVV) The 3 or 4 digit code that is typically located on the back of the credit card. For American Express cards, the code is a 4 digit unembossed number printed above the card number on the face of the credit card. This code is used to assist in the verification of the legitimacy of the credit card.
Merchant Services Provider
Provides point-of-sale (POS) terminal rentals and credit/debit card processing services that facilitate the processing and settling of payment card transactions.
Payment Card Industry (PCI) The security-council founded by the major credit card providers
Payment Card Industry Data Security Standards (PCI-DSS) The standards developed by the PCI Security Standards Council. These standards govern the transferring, handling and storing of credit card information to ensure protection against fraud and unauthorized access.
Point-of-sale (POS) terminals Used to process debit and credit transactions.
Primary account number (PAN) The 14 or 16 digit numeric code located on the front of the credit card. This number is used to identify the individual account holder.
Quality Assurance (QA) recording system Any system that uses audio or voice recordings, typically in call centers, as a means of assessing the quality of service provided.
Quality Security Assessor (QSA) Certified by the PCI Security Standards Council to conduct audits to ascertain an organization’s level of compliance with PCI-DSS.
  1. Policy
    1. Payment Channels
      NSCC can accept credit card payments via telephone, mail, in-person or online.
      1. In-Person Payments, Mail and Telephone Payments
        1. Cardholder data manually recorded via mail, telephone or in-person transactions must only be retained for as long as it is required for business purposes. When cardholder data is retained, it must be stored in a locked area where access is restricted to staff who are authorized to process credit card transactions.
        2. Manually recording cardholder data during in-person transactions is not permitted unless the point-of-sale terminal is unavailable at the time the payment is submitted. Whenever possible, credit card payments must be completed using the point-of-sale terminal when customers are present using a chip card if available.
      2. Online Payments
        All online payments must be processed using a PCI-compliant third party service provider that has been approved by the Director, Financial Services.
      3. Unacceptable Payment Channels
        1. Email Payments
          If payment information is received by email, NSCC must: 
          1. Inform the sender that the payment will not be processed until it is submitted through an accepted payment channel. All cardholder data must be deleted prior to sending the email response.
          2. Delete the email according to the guidelines outlined in the Payment Card Industry Compliance Procedures.
        2. Fax Payments
          If information is received by fax, NSCC must inform the sender that the payment will not be processed until it is submitted through an acceptable payment channel.
    2. Storage Restrictions and Retention Limits
      1. Any manually recorded cardholder data that contains the cardholder’s credit card number, expiry date and CVV code must be shredded or placed in the designated confidential shred receptacles immediately after the credit card payment has been processed. Redacting cardholder data is not sufficient when disposing of cardholder data.
      2. Cardholder data will not be stored electronically in any format on a local computer, server, tablet, smartphone or on any removable storage devices such as USB keys, CDs or DVDs. This includes Excel and Word files.
      3. The CVV code must never be stored under any circumstances after the transaction has been authorized. Paper documents where the CVV code has been recorded must be shredded or placed in a designated confidential shred receptacle immediately after the payment has been processed.
      4. Multifunction machines must be set up by the vendor to ensure that faxed information is not retained in memory at any time. The vendor must provide a letter certifying that this set up has been completed on all NSCC multifunction machines.
      5. Cardholder data must never be included in voicemail messages.
      6. Cardholder data must never be recorded while using a QA recording system. If a QA recording system is being used, the recording must be suspended whenever cardholder data is discussed.
    3. Distribution and Transmission of Cardholder Data
      1. Documents containing credit card information must not be sent via interdepartmental mail between campuses or between departments within the same location.
      2. Credit card payments received via mail, in-person or by telephone must be processed by the Campus and/or Central Office department that receives the payment information. Any related documents that need to be sent to a different campus or department must not contain any credit card information.
      3. Refund requests sent to Central Finance must not contain any cardholder data.
        1. The refund request should be sent Central Finance with a note that the refund is to be made to a credit card.
        2. Central Finance will contact the initiating Campus or Central Office department via telephone to obtain the credit card information required to process the refund.
      4. Credit card information must never be photocopied or scanned using a photocopier or multifunction device.
    4. Training and Awareness Program
      Employees with work responsibilities that include accepting, storing, transmitting and/or processing credit card transactions, are required to complete online PCI DSS training on an annual basis.  Training records will be kept for audit purposes.
    5. PCI Certification
      NSCC will undergo an audit by a Qualified Security Assessor (QSA) to obtain the required PCI-DSS compliance certification on an as required basis as determined by the Chief Financial Officer and the Chief Information Officer. 
    6. Policy Review
      This policy will be reviewed annually to ensure its continued effectiveness in addressing PCI-DSS requirements. Updates will be done as required to reflect all changes to PCI standards or changes to the Cardholder Data Environment (CDE).
  1. Policy Supports

Payment Card Industry Compliance Procedures (login required)

Top