PCI DSS explained

What is PCI DSS?

The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS).

The aim is to help organisations actively safeguard cardholder data against theft, compromise or misuse. The Data Security Standard offers a comprehensive framework of 12 requirements for securing cardholder data that is stored, processed or transmitted by merchants and other entities.

PCI Data Security Standard overview

Build and maintain a secure network and systems

  • Install and maintain network security controls
  • Apply secure configurations to all system components

Protect account data

  • Protect stored account data
  • Protect cardholder data with strong cryptography during transmission over open, public networks

Maintain a vulnerability management program

  • Protect all systems and networks from malicious software
  • Develop and maintain secure systems and software

Implement strong access control measures

  • Restrict access to system components and cardholder data by business need to know
  • Identify users and authenticate access to system components
  • Restrict physical access to cardholder data

Regularly monitor and test networks

  • Log and monitor all access to system components and cardholder data
  • Test security of systems and networks regularly

Maintain an information security policy

  • Support information security with organisational policies and programs

Are these standards relevant to me and why is it important?

The PCI Data Security Standards are relevant for anyone at the University who handles cardholder data or takes payments by credit or debit card.

This set of rules informs people how to handle the data safely to avoid the risk of it being lost, stolen or intercepted and used for fraudulent activities. It covers:

  • how to take a payment safely
  • what to do with sensitive cardholder information which we get when we process a payment
  • how to store information and rules around the destruction after use
  • how to manage our IT network to ensure that all data is safe

As a University, if we do not comply with PCI DSS we face significant fines and ultimately we could lose the right to take credit and debit card payments across the whole organisation.

For more information on what is required to meet PCI DSS check out their frequently asked questions.

We are here to help

This is an important area with lots of rules and regulations around it. If you require support and advice in this area please contact the Finance Service and Support Manager.

The Finance Service and Support team are also happy to train staff on using card payment processing terminals (PDQ terminals).

Golden rules to follow

PCI DSS is an important and wide-ranging area, so anyone who handles cardholder data must always remember the following points:

  1. Payments — before taking a payment, check that the payment terminal has not had anything unusual attached to it (a USB drive or dongle, for example), and after the payment has been taken immediately put the merchant receipt and any related paperwork safely away in a designated secure area.
     
  2. Sensitive Information — never write down on paper, in an electronic document or email, or enter into any system the following:
    • the PAN (Primary Account Number, the long card number on the front of the card, usually 16 digits)
    • the 3-digit security code on the back of the card
    • the customer's own PIN (for chip and PIN cards) — we should never be asking for this information.

Staff must never ask for sensitive cardholder data to be emailed so that a payment can be processed on receipt.

If in doubt about the security of the data or integrity of the payment system or device, please do not use it and contact the Finance Service and Support team immediately.

  3. Paperwork — sensitive credit and debit card paperwork must be stored in a secure area and never sent in the internal mail, as it is as valuable as cash.
    • Storage — sensitive credit and debit card paperwork must be kept in a safe and secure location, which is defined as one of:
      • within a safe, or
      • within a locked cash box, or
      • within a locked cabinet

Sensitive cardholder data must never be stored on PCs or removable media in any format (email, Access database, Excel spreadsheet, pen drive), as this breaches the Data Security Standard and effectively makes the University non-compliant.

  4. Destroy — sensitive credit and debit card paperwork must not be kept for longer than is necessary for business reasons. At the end of the retention period, sensitive paperwork must be destroyed securely using a cross-cut shredder.
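The rules above on never writing down the PAN and never keeping it on PCs raise a practical question: how do you find card numbers that have already ended up in a mailbox or spreadsheet? The following is an added example, not part of the University's guidance or any PCI SSC tool. It is a small Python scanner that flags digit sequences that look like a PAN (13 to 19 digits passing the Luhn checksum that card numbers carry) and reports them masked to the first six and last four digits, which is the most PCI DSS allows to be displayed. The sample lines are constructed and use the well-known industry test card numbers, not real customer data.

```python
import re

# Candidate PANs are 13 to 19 digits, optionally separated by single spaces or hyphens.
# The pattern is deliberately conservative: a run of 20 or more digits is not matched,
# and short numbers such as an 11-digit UK phone number fall below the minimum.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used for card PANs."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digits-only candidate PANs in text that pass the Luhn check."""
    pans = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the maximum PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for each likely PAN, so the report never repeats the full number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append((line_no, mask_pan(pan)))
    return findings


# Constructed sample text (not real customer data). The card numbers are the industry test
# numbers 4111 1111 1111 1111 and 5555 5555 5555 4444. The order reference on line 1 is
# 16 digits but fails Luhn, and the phone number on line 3 is too short to match.
SAMPLE_TEXT = """\
Order 1234567890123456 paid by phone, customer read out card 4111 1111 1111 1111, CVV 123
Refund request: card 5555-5555-5555-4444, ref 98765
Call the customer back on 01234 567890 tomorrow
"""

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_TEXT):
        print(f"line {line_no}: possible PAN {masked}")
```

Run against an exported mailbox or a directory of spreadsheets and the report tells you where cardholder data is sitting without copying it anywhere else. The scanner does not try to detect 3-digit security codes or PINs: any three or four digits would match, so the only workable control for those is the rule above that they are never written down at all.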