Policy number: CS-1009-2014
Policy title: Acceptance of Payment Cards Policy
Policy owners: Chief Financial Officer & Chief Information Officer
Effective date: June 2014
Last revised: April 27, 2023
On this page:
- Application and Scope
- Accountability and Compliance
- Policy Revision Date
- Specific Links
The purpose of Mohawk College’s Acceptance of Payment Cards Policy is to outline the responsibilities of individuals who accept and process payment cards on behalf of the College. This policy will also establish procedures for accepting, processing and storing information relating to payment card transactions at the College that will minimize risk and are within the rules, regulations and guidelines established by the Payment Card Industry (PCI).
This policy applies to all Mohawk College employees who are responsible for accepting and processing payment cards on behalf of the College. This policy also applies to external vendors who collect, process, or store payment card data on behalf of Mohawk College.
“Biometric Authentication” is any process that validates the identity of a user by a natural characteristic such as finger prints, retinal scans, face recognition, voice prints or typing patterns.
“Cardholder” means an individual to whom a payment card is issued or an individual authorized to use the payment card.
“Cardholder Data” means any personally identifiable data associated with the payment cardholder which includes the primary account number (PAN), cardholder name, card expiration date, card validation code CVC2 (MasterCard), or card verification value CVV2 (VISA) and magnetic stripe data.
“Card Skimming Devices” are modifications to card readers that are disguised to look like part of the payment terminal. These devices capture and copy the data present on a payment card which is then copied onto a counterfeit card for use.
“E-Commerce” means the payment processing service that provides the College with a secure, electronic, on-line commerce solution allowing College customers to use payment cards to pay for College services and goods.
“End User Messaging Technologies” refers to any client communication software such as e-mail, instant messaging or chat clients.
“FOAPAL” is an acronym meaning the College’s chart of account (Fund, Organization, Account, Program, Activity, and Location).
“IT Infrastructure” is any piece of equipment such as computers, routers, firewalls and any additional computing equipment deemed in-scope for PCI DSS.
“Payment Card” means the credit cards or debit cards issued by a financial institution.
“Payment Card Industry (PCI)” means the council formed by the payment card industry to establish Data Security Standards (DSS) for the industry.
“Payment Card Industry’s Data Security Standards (PCI DSS)” means the security guidelines established by the payment card industry to ensure that all organizations that process, store or transmit payment card information maintain a secure environment to protect cardholder data.
“Point-of-Sale (POS) Terminal” is the electronic payment device which reads a customer's bank name and account number when a payment card is passed through a magnetic stripe reader. The device, in conjunction with the e-commerce payment processing service, electronically contacts the bank and if funds are available, transfers the customer approved amount to the College’s bank account and prints a receipt.
“Sensitive Area” means any physically secured room which contains a fax machine that has been authorized to receive payment card information and/or a virtual terminal.
“Multi-factor Authentication” is used to identify a user with something they know and something they have and/or something that they are. For example, this could be a staff member having a Staff ID card for door access and having a key code assigned to open the door and/or may include the use of biometric authentication.
A. Secure Handling of Payment Card Transactions: College departments are responsible for ensuring that all transactions involving payment cards are handled in a secure and confidential manner in accordance with appropriate internal controls.
B. Safe Handling of Cardholder Information: Mohawk College is committed to maintaining a secure environment to protect payment cardholder data when processing, storing or transmitting payment card information. The College meets the Payment Card Industry's Data Security Standards (PCI DSS) as it relates to:
- How information on the College’s Information Technology network is stored;
- The College’s process for accepting payment card information; and
- The College’s physical storage of any payment cardholder information.
5.1 Accountability Framework
This policy has been approved by the Senior Leadership Team.
The Chief Financial Officer and Chief Information Officer are authorized to ensure that information within this policy is applied.
6.1 Acceptable Payment Cards
Mohawk College currently accepts all bank debit cards as well as MasterCard and VISA debit/credit cards. The College has negotiated contracts with vendors for processing payment card transactions. Individual College departments are not authorized to negotiate contracts with banks, credit card companies or payment card processing companies.
6.2 Requesting Approval for Payment Card Acceptance
Departments wishing to accept payment cards must submit a request to the Manager, Accounting Services. Requests will be jointly reviewed by the Manager, Accounting Services and the Information Security Officer before processing privileges can be granted (Refer to P.1 in Appendix A).
6.3 Prohibited Payment Card Activities
Mohawk College prohibits certain payment card activities that include:
- Accepting payment cards for cash advances;
- Discounting a good or service based on the method of payment;
- Adding a surcharge or additional fee to payment card transactions; and
- Using a paper imprinting system to process payment cards unless special approval is granted by the Manager, Accounting Services.
6.4 Acceptable Methods of Processing Payment Cards
Acceptable methods of processing payment card transactions are:
- in-person through the College’s approved POS system or approved off-site PinPad terminal;
- the College’s secure on-line applications;
- fax (located in a secure area with limited access); or
Payment card information should never be received or sent via e-mail. If payment card information is received, the customer should be advised to use one of the acceptable methods listed above. After notifying the customer, the email must be deleted immediately (refer to P.2 Appendix A).
6.5 Departmental Responsibilities for Processing Payment Cards
Each department approved for handling payment card transactions must ensure that:
- Written payment card procedures tailored for their area are available;
- Transactions are processed in accordance with the College’s Cash Handling Policy CS-1008-2014;
- The Manager, Accounting Services is notified of any additions/deletions to staff handling payment card data;
- On an annual basis, each staff member handling payment card transactions must complete the applicable online Security Awareness Education Course (as directed by IT or Accounting Services). Staff will be notified via email with a link to the training;
- The department must demonstrate compliance with this policy and PCI standards on an annual basis;
- Adequate provision and training is in place for back-up employees for all payment card activities;
- All staff are aware of how to detect and report a possible security incident (refer to R.1 and R.2 in Appendix B);
- All staff are required to inspect their payment terminal at the beginning of each shift to identify if the device has been tampered with. If staff become aware of any suspected tampering they are to report the incident immediately as per Appendix B of this policy;
- Staff must not install, replace, or return devices without verification from management. Upon any authorized changes to devices employees must e-mail helpdesk [at] mohawkcollege.ca (helpdesk[at]mohawkcollege[dot]ca) the merchant number, location, model, and serial number of both the old and new devices.
- Staff must verify the identity of any third-party persons claiming to be repair or maintenance personnel prior to granting them access to modify or troubleshoot devices;
- Access to cardholder data is restricted to authorized staff only, whose job responsibilities require such access.
- Access to sensitive areas must be requested through the IT Self Service portal as these requests are formally tracked for audit purposes.
- Upon termination of an employee it is the Manager’s responsibility to revoke access to sensitive areas by completing an Access Change form for the individual that has been terminated available on the IT Self Service Portal.
- Each staff member handling payment card information has read the Acceptable Employee Use of IT Resources Policy CS-1502-2002.
Staff must ensure cardholder data is not stored physically or electronically after successfully processed or reconciled payments (refer to P.2 in Appendix A).
Departments found not to be in compliance with this Policy and/or having inadequate security may have payment card processing privileges suspended.
Refer to P.3 in Appendix A for Financial Manager Responsibilities.
6.6 Payment Card Fees
Each payment card transaction will have an associated fee charged to the College by the payment card company. At the end of each monthly billing cycle, payment card fees will be charged to the appropriate FOAPAL as identified by Accounting Services.
When a good or service is purchased using a credit card and a refund is necessary, the funds are refunded back to the original payment card. Exceptions must be approved by the Manager, Accounting Services.
Occasionally a customer will dispute a payment card transaction, ultimately leading to a chargeback. In the case of a chargeback, the College department initiating the transaction is responsible for providing additional information to Accounting Services to support the charge. If not resolved, the transaction will be charged back against the College department’s FOAPAL.
6.9 Retaining & Deleting Cardholder Data
Cardholder data should not be retained or stored. Once the transaction is processed, payment card information on hardcopy materials must be cross-shredded so cardholder data cannot be reconstructed. Cardholder data on electronic media must not exist unless it is masked appropriately. Only the last 4 digits of the PAN may be displayed at any time (refer to P.2 in Appendix A).
6.10 Maintaining Payment Card Security
For new hires of positions that will oversee payment card information or the PCI environment, Human Resources should perform applicable background checks as outlined in the Recruiting and Selection Policy, CS-1313-2006.
Each College staff person with access to electronic cardholder data must have a unique username and password, and payment card information should never be written down for future reference or forwarded to anyone within or outside the College. Information Technology staff that administer IT Infrastructure considered to be in scope for PCI DSS must configure all in scope systems to be in compliance with the Information Technology Division Payment Card Industry Technical Standards document with full alignment to the PCI DSS standards. The IT Security department must be consulted for any new systems or changes to systems related to payment cards.
All electronically processed and transmitted payment card information must be kept secure at all times. Electronic cardholder data should not be stored in its entirety on servers, local hard drives or external media (refer to P.5 in Appendix A for Information Technology Services responsibilities).
The College requires that all external service providers that the College uses for handling payment card transactions be PCI DSS compliant. A current PCI certificate of compliance must be received from the vendor annually. There must be a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data that the service providers possess. Information Technology in conjunction with Finance must be given ample time to investigate the feasibility of any solution brought forward by the College community which may impact the scope of PCI DSS on the College infrastructure and reserves the right to suspend implementation until all requirements are met.
6.11 PCI Committee
The College must maintain a PCI committee comprised of the Chief Financial Officer, Chief Information Officer, Controller, Director of Enterprise Architecture and Information Security, Accounting Services, and Internal Audit which meets at least annually to discuss ongoing PCI requirements, conduct risk assessments of current payment card practices and assess changes required to policies and/or procedures.
7.1 Revision Date
The Chief Financial Officer and the Chief Information Officer are responsible for reviewing this policy annually.
- CS-1008-2014 Cash Handling Policy
- CS-1313-2006 Recruiting and Selection Policy
- CS-1502-2002 Acceptable Employee Use of IT Resources Policy
- GS-4202-1981 Media and Public Relations Policy
- Payment Card Industry Data Security Standards (PCI DSS)
- Information Technology Division Payment Card Industry (PCI) Technical Standards
- Trustwave Security Awareness Education Course
P1. Obtaining Approval to Process Payment Cards:
P.1.1. College departments must receive prior approval from the Manager Accounting Services to accept payment card payments.
P.1.2. Accounting works with the College department and Information Technology Services to determine whether an existing approved system will meet their requirements and to identify requirements for point-of-sale (POS) terminals and other hardware/software for accepting payment cards.
P.1.3. Fax machines receiving payment card information must be approved by IT Infrastructure and Client Services and be located in a sensitive area.
P2. Deleting Cardholder Data
The following methods should be used to delete cardholder data:
At the first opportunity the employee who receives the payment card information in an end user messaging technology must:
a) Email the helpdesk to generate a HelpDesk ticket number for tracking purposes
b) In the email specify the reason for the request as “requesting email administrators to permanently delete a message containing payment card details”.
c) In the email specify the Date/Time/Subject Line/Sent To/Sent From, so that administrators can easily identify the specific message and purge it from the system.
*these steps should be done as soon as the message is received*
Once information is processed, the payment card information should be cut off of the hardcopy and cross-shredded to prevent reconstruction of the cardholder data
- Paper Forms
Cardholder data on paper forms must be cut off and cross-shredded immediately after processing so that cardholder data cannot be reconstructed
P3. Responsibilities of Department Financial Managers
- P.3.4. Develop and apply written procedures that incorporate the principles of the College’s Acceptance of Payment Cards Policy, CS-1009-2014. Annually review the department’s accepting payment cards procedures for compliance and effectiveness.
- P.3.5. Obtain approval from the Manager, Accounting Services for their department to accept and process payment cards.
- P.3.6. Contact the Manager, Accounting Services in advance about any contemplated changes in their department’s payment card processing environment, including using the account for a new purpose and termination of employee access.
- P.3.7. Notify the Manager, Accounting Services of any additions or deletions to staff that handle payment card data so they can be added/deleted from the annual online Security Awareness Education Course
- P.3.8. Ensure that only authorized personnel have access to payment card applications and data.
- P.3.9. Employees receiving payment card information must be aware of security and confidentiality requirements, and that documents containing payment card information are securely locked up when the employee is away from their work area. These documents must abide by the CRP152 Media Relations Procedure.
Faxed documents containing cardholder data should only be sent to an approved fax machine located in a sensitive area with limited access within the department. Access must be monitored by video surveillance and multi-factor authentication. Video or logs must be maintained for at least 3 months. In sensitive areas, employees must be in possession and display their Employee ID card and visitors must sign in and be escorted at all times.
- P.3.10. Encourage College customers to use the College website for secure processing of their payment card information. College customers should be advised not to send payment card information via e-mail or other unsecure methods.
- P.3.11. Design departmental documents that request payment card information so the payment card information can easily be ripped off and cross-shredded once the payment has been processed and reconciled.
- P.3.12. Ensure that staff that handle payment cards are aware of the College’s Acceptance of Payment Cards Policy CS-1009-2014, Cash Handling Policy CS-1008-2014 and the Payment Card Industry’s Data Security Standards and are trained to follow the department’s payment card handling procedures.
- P.3.13. Report any suspected breach in security or compromise of cardholder data immediately to Key Contact persons listed in this Policy.
P4. Responsibilities of Accounting Services
- P.4.1. Provide training to ensure that applicable College staff are trained in accepting and processing payment cards in compliance with the Acceptance of Payment Cards Policy, CS-1009-2014.
- P.4.2. Monitor the status of the online Security Awareness Education Course training to ensure applicable staff have successfully completed their training course on an annual basis.
- P.4.3. Work with the Information Technology Services and external vendors to coordinate the policies, practices, and procedures for accepting payment cards at Mohawk College.
P5. Responsibilities of Information Technology Services
- P.5.1. Install and maintain firewall configuration to protect cardholder data.
- P.5.2. Use and regularly update anti-virus software.
- P.5.3. Implement and maintain secure systems and applications for handling payment card transactions such that the scope of PCI DSS does not inadvertently impact the College network.
- P.5.4. Identify compliant application software or service providers with the required functionality to meet College business needs.
- P.5.5. Complete the PCI Data Security Standard Self-Assessment Questionnaire each year to confirm that the College is in compliance with the standards set out by the payment card industry. The questionnaire is designed to confirm Mohawk is processing and storing both electronic and paper payment card information as per specific PCI security standards.
- P.5.6. Ensure that all router, switches, wireless access points, and firewall configurations are properly secured to PCI DSS when deemed in scope
- P.5.7. Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
- P.5.8. Verify on an annual basis that all e-commerce application providers or any other external vendors who collect, process, or store payment card data on behalf of Mohawk College are PCI DSS compliant. Verify that there is a current PCI certificate of compliance on hand for each vendor, and there is a written agreement with all service providers that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
- P.5.9. Document and maintain information security policies and procedures to address applicable PCI compliance requirements.
- P.5.10. Periodically inspect the Point-of-Sale Terminals used by the College to ensure the device has not been tampered with and modifications such as card skimming devices have not been maliciously added.
Accounting Services contact
Manager, Accounting Services
Information Technology Services contact:
Information Security Officer
Tel: 905-575-1212 ext. 3664
R1. Incident Identification
Employees should be aware of their responsibilities for detecting security incidents. Examples of security incidents to be reported include, but are not limited to, the following:
- R.1.1. Any type of theft, damage or unauthorized access (e.g., unauthorized logins, papers missing from their desk, broken locks, missing log files, alerts from security, video evidence or unscheduled and unauthorized physical entry)
- R.1.2. Fraud – inaccurate information within databases, logs, files or paper records
- R.1.3. Abnormal system behavior (unscheduled system reboot, unexpected messages, abnormal errors in system log files or terminals, logs no longer being sent)
- R.1.4. Security event notifications (security alarms, antivirus notifications)
R2. Incident Reporting
The IT Infrastructure and Client Services (ICS) department and the Finance department should be notified immediately of any suspected security incidents. Employees should take the following steps:
- R.2.1. Preserve the evidence
- R.2.2. Report the security incident:
- Contact the IT Help Desk 905-575-2199
- Contact the Manager, Accounting Services 905-575-2105
- Notify your immediate supervisor
- Contact Security Services at 905-575-2316
- R.2.3. Document any information you feel is relevant to the situation
- R.2.4. Do not communicate with anyone other than those mentioned in R.2.2 above
- R.2.5. Communication to media in any form should be handled by the Media and Communications department according to the Media and Public Relations Policy, GC-4202-1981.
R3. Incident Response
The following actions should be taken by the ICS department and the Finance department once an incident has been identified:
- R.3.1. Response must be immediate.
- R.3.2 Both departments must jointly make efforts to identify the impacted community that has been affected
- R.3.3 Information Technology Services must adhere to the existing procedures defined in the Information Technology Divisions Payment Card Industry Technical Procedures documentation to isolate, contain, eradicate and recover the system or systems affected
- R.3.4 ICS department must contact :
- Chase Paymentech at 1-800-265-5158 for initial instruction
- The Canadian Anti-Fraud Centre at 1-888-495-8501
- Each payment card brand as follows:
- Visa- Provide the compromised Visa accounts to Visa Fraud Control Group within 10 business days. For assistance call 1-650-432-2978 – accounts must be securely sent to Visa as per their instructions
- MasterCard- Contact the support line at 1-636-722-4100
- R.3.5 Finance department should consult with Legal Counsel as to the requirements for reporting compromises in every province or state where clients are affected.