
PCI Incident Reporting

The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard defined by the Payment Card Industry that outlines security requirements for organizations that handle payment card data. Payment cards include credit cards, debit cards and pre-paid cards; payment card data includes:

  • credit cardholder name, account number and expiry date
  • credit card verification or CVV code
  • credit, debit or pre-paid card Personal Identification Number (PIN)
  • information that is stored on the magnetic stripe
  • the card itself

The purpose of the PCI-DSS Standard is to protect individual card holders from identity theft.
For more information about PCI at McMaster University, please visit the Financial Affairs department web site:
https://financial-affairs.mcmaster.ca/services/banking-ecommerce/pci-training/

Identifying PCI Incidents

Debit and credit card fraud is the most common type of incident and is essentially any attempt to obtain cardholder information with the intent of using that information to complete unauthorized transactions.

Skimming is the term used to describe the theft of credit card information described above.  This can be done manually by copying or stealing receipts, or automatically by modifying a point of sale (POS) device.  Merchants are advised to always attend closely to their POS devices, and to examine them for modifications daily.

Inappropriate or unauthorized access to PCI virtual terminals (C-VT), hosted pay page (HPP), or to systems hosting payment card data (D) may put cardholder data at risk.  IT Security has published guidelines to safeguard the configuration of C-VT, POS or HPP based systems (eCommerce).  System administrators are advised to monitor these systems closely for signs of unauthorized access.

Finally, card not present (CNP) is also a high-risk scenario in which a merchant must trust that the transaction is authorized by the card holder without the card being present (i.e. via phone call).  Merchants are advised to be cautious and vigilant about verifying the authenticity and authority of the purchaser to use the information they provide when performing CNP transactions.

Reporting a PCI Incident

Upon detection of a PCI related information security incident, merchants and/or staff are instructed to:
NOT log off or power off the affected system!
DO take note of pertinent information, including:

  • the time that the suspected incident occurred
  • the condition of the affected system
  • your merchant number

If the incident involves an active physical threat, including theft or tampering with a POS device, report this immediately to:

McMaster Security Services
905-525-9140 ext 24281, or 905-522-4135
Dial “88” from any University phone

  • Report the incident, including the information detailed above, directly to Moneris: 1(866) 319-7450 only after the physical threat has been contained.
  • Report the incident, including the information above, directly to the IT Security team: c-it-security@mcmaster.ca OR (905) 525-9140 x28299 only after it has been reported to Moneris.

If the incident involves a known act of fraud, or tampering with a POS device, C-VT virtual terminal or Hosted Pay Page server:

  • Report the incident, including the information detailed above, directly to Moneris: 1(866) 319-7450.
  • Report the incident, including the information above, directly to the IT Security team: c-it-security@mcmaster.ca OR (905) 525-9140 x28299 only after it has been reported to Moneris.

If the incident involves a suspected act of fraud, or tampering with a POS device, C-VT virtual terminal or Hosted Pay Page server, take the following action:

  • Report the incident, including the information above, directly to the IT Security team: c-it-security@mcmaster.ca OR (905) 525-9140 x28299