PCI Compliance Resources

Policy

Policy information pertaining to the Payment Card Industry – Data Security Standard (PCI-DSS), and UBC Merchant requirements, is incorporated in UBC Policy SC14 (PDF) and the Information Security Standards. UBC has targeted policy compliance for the university at the Self Assessment Questionnaire (SAQ) "C" level in order to cover the majority of our merchants who are using SAQ-A through C processes.

All UBC merchants are required to be in compliance with the PCI-DSS and UBC Policies, specifically Policy SC14. Overall responsibility for coordination of PCI compliance rests with UBC Finance; details can be found on their site: https://finance.ubc.ca/banking-leases/pci-dss-compliance

Guidelines

The following guidelines are presented to assist Merchants with understanding their role in compliance with PCI-DSS.

Resources/Tools

The following resources and tools are provided to assist merchants with achieving and maintaining PCI compliance at UBC. They are provided as an option to reduce the effort required by a merchant to achieve and maintain compliance; however, it is the merchant's choice as to whether or not to use these resources and tools.

Procedural templates

In addition to the policy requirements for PCI-DSS, there are procedural requirements. To assist with this, the university has developed templates for procedures that are needed for SAQ-C compliance. SAQ-A through C merchants should find all of the procedural templates required in this package.

SAQ-D merchants will require additional procedures beyond what is included in this package (ZIP).

Cisco AMP for Endpoints

The university has licensed products from Cisco to protect its digital assets. UBC provides Cisco AMP for Endpoints on PCI Virtual Terminals to protect systems against malware and malicious activities. Details on how AMP meets existing PCI DSS compliance requirements can be found on Cisco's website.

Virtual Firewalls

Network firewalls are required by PCI for segmenting processes; UBC IT provides a virtual firewall service for UBC merchants in conjunction with Virtual Networks.

Virtual Networks

Virtual networks are required for the virtual firewall service but are also advantageous for routing/grouping similar systems, e.g. placing Point of Sale (POS) terminals from multiple networks into a single virtual network managed by a firewall.