PCI Standards

What We Are Doing

SFU needs to ensure that all our business processes and systems that handle credit card information meet security standards to protect the information. For that reason, a PCI team was formed to ensure that all departments that accept, process, store or transmit credit card data and/or operate point of sale (POS) systems comply with the PCI Data Security Standards. Our goal is to comply with the standards by April 2010.

Leadership Team

We have a senior level team to provide direction and monitor progress. The team consists of:

Pat Hibbitts  

VP, Finance and Administration

Jacky Shen

Director Treasury

Brad Burfield

Chief Information Office

Janet Backe

Director, Enterprise Systems and Project Management

Kirk Benedict

Enterprise Systems/Project Management Office

Our Approach

We are working on several activities to get to compliance and stay compliant going forward.

  • Assessment – finding and reviewing all the business processes and systems handling credit cards
  • Remediation – fixing or addressing processes that are not compliant
  • Policy – introducing policy direction to ensure that SFU initiatives recognize and follow compliance practices
  • Control – establishing steps in our business to ensure that we do not violate or undermine compliance
  • Compliance – producing the annual compliance attestation for audit and acceptance

Best Practices

Common Best Practices are as follows:

  • Only employees who have a legitimate business authority should have access to cardholder information.
  • Only retain credit card information long enough to reconcile payments.
  • Never e-mail credit card information.
  • Black out credit card numbers (first 12 digits) on any document before making a copy. Shred the original and retain the copy.
  • If credit card information is stored online, ensure that the online storage is secured.
  • Protect computer networks with a firewall and intrusion detection.
  • Maintain all OS and antivirus updates.
  • Lock computer terminals and paper cabinet areas when unattended.
  • Shred documentation containing credit card information when it is no longer needed for business or legal reasons.


Best Practices suggested by PCI DSS official website:

Skimming Prevention

Overview of the PCI SSC Skimming Prevention

To protect cardholder data:

PCI Storage Do’s and Don’ts

Myths, facts and explanations:

Ten common myths of PCI DSS

For more information and updates on the best practices, please refer to the fact sheets on the official PCI DSS website and FAQ.

Contact Us

To contact the SFU PCI team or ask a question, please send an email to pci_info@sfu.ca

