Policy
Policy information pertaining to the Payment Card Industry Data Security Standard (PCI-DSS) and UBC merchant requirements is incorporated in UBC Policy SC14 (PDF) and the Information Security Standards. UBC has targeted policy compliance for the university at the Self-Assessment Questionnaire (SAQ) "C" level, so that the policy covers the majority of UBC merchants, namely those using SAQ A through SAQ C processes. SAQ D merchants must have additional gap policies beyond what is covered by Policy #106.
Compliance
All UBC merchants are required to be in compliance with the PCI-DSS and with UBC policies, specifically Policy SC14. Overall responsibility for coordinating PCI compliance rests with UBC Finance; details can be found on their site: https://finance.ubc.ca/banking-leases/pci-dss-compliance.
Guidelines
The following guidelines are presented to assist Merchants with understanding their role in compliance with PCI-DSS.
- Point of Sale - Security Recommendations (PDF)
- Understanding Terminal Manipulation at Point of Sale (POS) (PDF)
- Skimming Prevention - Best Practices for Merchants (PDF)
- Virtual Terminal Segmentation to De-scope to SAQ-C (PDF)
Resources/Tools
The following resources and tools are provided to assist merchants with achieving and maintaining PCI compliance at UBC. They are provided as an option to reduce the effort required by a merchant to achieve and maintain compliance; however, it is the merchant's choice as to whether or not to use these resources and tools.
Procedural templates
In addition to the policy requirements of the PCI-DSS, there are procedural requirements. To assist with these, the university has developed templates for the procedures needed for SAQ C compliance. SAQ A through SAQ C merchants should find all of the procedural templates they require in this package.
SAQ D merchants will require additional procedures beyond what is included in this package (ZIP).
Sophos Endpoint Security
The university has licensed products from Sophos to protect its digital assets. UBC IT has deployed a Sophos Enterprise Console with a policy for PCI virtual terminals that segments and protects them using the host-based firewall, anti-malware/anti-virus, network access control (NAC), device control, and data loss prevention (DLP). If you are an IT administrator, please contact Software Licensing for further information.
Virtual Firewalls
PCI-DSS requires a firewall between the cardholder data environment and all other networks, and network segmentation is what allows a merchant to keep non-payment systems out of scope. UBC IT provides a virtual firewall service for UBC merchants in conjunction with Virtual Networks.
Virtual Networks
Virtual networks are required for the virtual firewall service, but they are also useful for grouping similar systems used in merchant processes into a single virtual network protected by one firewall, e.g. placing Point of Sale (POS) terminals from multiple physical networks into a single virtual network managed by a firewall.
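As an illustration of what the firewall in front of such a virtual network enforces, the following nftables ruleset is an added example and is not UBC IT's deployed configuration. The interface name, address ranges, payment gateway, DNS/NTP servers and management subnet are all placeholders chosen for the example; a real deployment substitutes the processor's published addresses and the merchant's own networks. The ruleset allows POS terminals in the virtual network to reach only the payment gateway over TLS plus name and time services, allows administration of the terminals only from a management subnet, and logs and drops everything else crossing the segment boundary.

```nftables
# Perimeter policy for a PCI virtual network holding POS terminals.
# Example only; every value below is a placeholder, not a UBC address.

define pos_vlan    = "vlan100"                      # interface of the POS virtual network
define pos_net     = 10.100.0.0/24                  # address range of that virtual network
define payment_gw  = { 203.0.113.10, 203.0.113.11 } # payment processor gateway (placeholder)
define dns_servers = { 10.0.0.53, 10.0.0.54 }       # campus resolvers (placeholder)
define ntp_servers = { 10.0.0.123 }                 # campus time source (placeholder)
define mgmt_net    = 10.200.1.0/24                  # administrators' subnet (placeholder)

table inet pci_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to permitted sessions; malformed state is dropped outright
        ct state established,related accept
        ct state invalid drop

        # Egress from the POS virtual network: only what a terminal needs to authorize a card
        iifname $pos_vlan ip saddr $pos_net ip daddr $dns_servers udp dport 53  accept
        iifname $pos_vlan ip saddr $pos_net ip daddr $ntp_servers udp dport 123 accept
        iifname $pos_vlan ip saddr $pos_net ip daddr $payment_gw  tcp dport 443 accept

        # Ingress to the POS virtual network: remote administration from the management subnet only
        oifname $pos_vlan ip saddr $mgmt_net ip daddr $pos_net tcp dport { 22, 3389 } accept

        # Anything else crossing the segment boundary (POS to campus, campus to POS,
        # POS to arbitrary Internet hosts) is counted, logged and dropped
        log prefix "pci-seg drop: " counter drop
    }
}
```

Load it with `nft -f` and confirm the active policy with `nft list ruleset`. Two checks matter before relying on a ruleset like this for de-scoping: from a POS terminal, connections to anything other than the gateway, DNS and NTP must fail, and from an ordinary campus host, connections into the POS range must fail; the "pci-seg drop:" log prefix is what to watch for either. PCI-DSS also requires that segmentation controls used to reduce scope be tested, so keep the evidence of those checks for the SAQ.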