Questions and Answers

The Payment Card Industry (PCI) Data Security Standard is an industry standard created by the credit card industry to improve cardholder data security. The Government of Alberta is PCI Compliant. The following are prepared responses to frequently asked questions.

Questions Index

  1. What is PCI compliance?
  2. Why is it important to Albertans that government achieve PCI compliance?
  3. Is PCI compliance necessary?
  4. Can some government offices opt out?
  5. I have heard the province will soon stop collecting credit card numbers. Does that mean I can’t pay for something using my credit card?
  6. What is the benefit of turning over the collection of credit card numbers to a third party?
  7. I sometimes make payments to the province using my credit card. How will PCI compliance affect me?
  8. How does the Government Payment Application Service (GPAS) work?
  9. How does Telepay (formerly known as TIPS - Telephone Interactive Payment Service) work?
  10. I’m used to doing things my way and don’t really understand the internet or automated telephone payment systems. Can’t you just make an exception and take my payment like you did before?
  11. When does government expect to achieve PCI compliance?
  12. Which ministries are involved?
  13. Does PCI compliance affect only government ministries?
  14. Who is responsible for the PCI compliance standards?
  15. Does the government do a lot of credit card transactions?

1.  What is PCI compliance?

The payment card industry (PCI) has developed a set of security standards that applies to all merchants who accept American Express, Discover Financial Services, JCB International, MasterCard Worldwide or Visa Inc.

The Payment Card Industry Data Security Standard (PCI-DSS) is the set of requirements all major merchants like the government must adhere to if they want to continue accepting credit card payments for goods and services.

For more information about the PCI Data Security Standard, visit https://www.pcisecuritystandards.org.

2.  Why is it important to Albertans that government achieve PCI compliance?

Albertans expect their government to accept credit card payments for things like permits, fines, and campsite reservations, but they also want to know their information is safe. The Alberta government is PCI compliant and continues to identify threats and vulnerabilities that could affect the organization and Albertans, given the growing problem of credit card fraud and identity theft.

3.  Is PCI compliance necessary?

The province wants to continue offering Albertans a range of payment options that work for them, including credit cards. Compliance is required by the payment card industry. Failure to comply could result in the government paying fines or no longer being allowed to accept credit cards.

4.  Can some government offices opt out of PCI Compliance?

All ministries that accept card payment must comply in order for the government to be certified PCI compliant.

Even if a ministry does not accept payment cards, if it has in the past, it is still subject to PCI compliance if payment information, such as cardholder data, was stored.

5.  I have heard the province will soon stop collecting credit card numbers. Does that mean I can’t pay for something using my credit card?

The province continues to accept credit cards as a form of payment, but the actual processing of card payments will be performed on a TD Merchant Solutions point of sale (POS) terminal or pay page.

6.  What is the benefit of turning over the collection of credit card numbers to a third party?

Keeping your personal information separate from your credit card information helps protect you against credit card fraud and identity theft. The province collects your personal information (what you are paying for, shipping address, name, etc.) but it never possesses your credit card number.

7.  I sometimes make payments to the province using my credit card. How will PCI compliance affect me?

In many cases, the order process will be similar, except when it comes time to provide your credit card number.

Ministries continue to process orders received by mail, phone, fax or email, although some ministries may no longer offer all of these options. During the checkout process, clients using any of these methods and paying by credit card are:

  • referred to a secure automated telephone payment system
  • referred to a secure pay page powered by TD Merchant Solutions, or
  • sent an email containing a link to a pay page.

Where available, clients can also pay in person. Card payment options may vary from Ministry to Ministry.

8.  How does the Government Payment Application Service (GPAS) work?

Example: You are ordering a book by email. The business unit processes the order on its GPAS system and emails you a payment request that includes a transaction number and a link to TD Merchant Solutions. You click on the link to open the TD Merchant Solutions pay page and fill in the fields as you would on any other e-commerce pay page. After you complete your payment, GPAS emails the business unit a payment notification for the service/product you ordered. GPAS then emails you a payment receipt, and you are done. The same process can be applied to fax and phone orders.

9.  How does Telepay (formerly known as TIPS - Telephone Interactive Payment Service) work?

Example: You are requesting a permit. The employee on the other end of the line handles your request like before, until it is time for you to provide your credit card number. The employee will ask to either put you through to Telepay, or email you a payment request just like the book order example mentioned above. If you choose to pay by phone, the system puts you through to Telepay. You simply follow the prompts and key your credit card information right into your phone. In both cases, the system generates a transaction number that ties the payment to the transaction. The credit card information goes directly to TD Merchant Solutions.

10.  I’m used to doing things my way and don’t really understand the internet or automated telephone payment systems. Can’t you just make an exception and take my payment like you did before?

Employees no longer accept payments in the following ways:

  • Accepting credit card numbers provided verbally over the phone,
  • Accepting card numbers provided in an email,
  • Accepting card numbers provided in a fax or mailed letter,
  • Accepting card numbers provided in a voicemail,
  • Accepting credit card payments manually without a proper point of sale (POS) terminal, or
  • Keying a credit card number into a POS terminal for a Card Not Present (CNP) transaction.

It’s all about protecting you from identity theft and credit card fraud.

In many cases, the order process will be similar, except when it comes time to provide your credit card number.

Ministries continue to process orders received by mail, phone, fax or email. During the checkout process, clients using any of these methods and paying by credit card are:

  • referred to a secure automated telephone payment system
  • referred to a secure pay page powered by TD Merchant Solutions, or
  • sent an email containing a link to a pay page.

Where available, clients can also pay in person.

11.  When does government expect to achieve PCI compliance?

Government started phasing out the direct collection of credit card information in June 2013. The Government of Alberta achieved PCI Compliance in January 2015 and must maintain PCI Compliance with annual certification.

12.  Which ministries are involved?

Any ministry that accepts credit cards as payment or has collected them in the past is subject to PCI compliance.

13.  Does PCI compliance affect only government ministries?

PCI Compliance applies to any organization that uses credit cards to collect revenue. With respect to the Government of Alberta’s specific PCI Compliance Policy, any agency, board, crown corporation or commission that processes credit card payments under the government’s credit card contract must adhere to the government’s Merchant Services and PCI Compliance Policy.

14.  Who is responsible for the PCI compliance standards?

The Payment Card Industry (PCI) Security Standards Council develops, maintains and manages the PCI Security Standards. The Council has five founding global payment brands – American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

The five global payment brands also recognize the PCI Council as being qualified to validate the credentials of companies and individuals trained to validate compliance with the PCI DSS. But it is the payment card companies that enforce PCI compliance and impose penalties, not the council. The council also provides tools and guidance to help merchants as they work toward achieving compliance.

For more information about the Payment Card Industry Security Standards Council, visit:
https://www.pcisecuritystandards.org.

15.  Does the government do a lot of credit card transactions?

Albertans make credit card payments to the province for a variety of things, such as permits, fines, museum tickets and books. The Alberta government processed about 6.5 million credit and debit card transactions in 2016, with transaction volume roughly tripling since 2014. The government has nearly 600 merchant numbers and hundreds of point-of-sale terminals.

Page last updated:  May 16, 2017