
What is PCI DSS?

The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS).

The intention is to help organisations proactively protect cardholder data from theft, compromise or misuse. The Data Security Standard sets out a detailed structure of 12 requirements for securing cardholder data that is stored, processed and/or transmitted by merchants and other organisations.

PCI Data Security Standard – High Level Overview

Build and Maintain a Secure Network and Systems

1. Install and maintain network security controls

2. Apply secure configurations to all system components

Protect Account Data

3. Protect stored account data

4. Protect cardholder data with strong cryptography during transmission over open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems and networks from malicious software

6. Develop and maintain secure systems and software

Implement Strong Access Control Measures

7. Restrict access to system components and cardholder data by business need to know

8. Identify users and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Log and monitor all access to system components and cardholder data

11. Test security of systems and networks regularly

Maintain an Information Security Policy

12. Support information security with organisational policies and programs

Are these standards relevant to me and why is it important?

The PCI Data Security Standard is relevant to anyone at the University who handles cardholder data or takes payments by credit or debit card.

This set of rules informs people responsible for taking credit and debit card payments how to handle the data safely to avoid the risk that it could be lost, stolen or intercepted and used for fraudulent activities. It covers:

  • How to take a payment safely
  • What to do with sensitive cardholder information which we get when we process a payment
  • How to store information and rules around the destruction after use
  • How to manage our IT network to ensure that all data is safe.

As a University, if we do not comply with PCI DSS we would face significant fines and ultimately we could lose the right to take credit and debit card payments across the whole organisation.

For more information on what is required to meet PCI DSS check out their Frequently Asked Questions.

We are here to help

This is an important area with lots of rules and regulations around it. If you require support and advice in this area please contact the Finance Service and Support Manager.

The Finance Service and Support team are also happy to support training staff on using card payment processing terminals (PDQ terminals).

Golden rules to follow

PCI DSS is an important and wide-ranging area, so anyone who handles cardholder data must always remember the following points:

  1. Payments: when taking a payment, check that the payment terminal has not had anything unusual attached to it (a USB drive or dongle, for example) and, once the payment has been taken, immediately put the merchant receipt and any related paperwork away in a designated secure area.
  2. Sensitive information: never write down on paper, in an electronic document or email, or enter into any system:
  • the PAN (Primary Account Number: the long card number on the front of the card, usually 16 digits)
  • the 3-digit security code on the back of the card (4 digits on the front for American Express)
  • the customer's own PIN (for chip and PIN cards); we should never be asking for this information

Staff must never ask for sensitive cardholder data to be emailed to them so that a payment can be processed on receipt.

If in doubt about the security of the data or the integrity of the payment system or device, do not use it and contact the Finance Service and Support team immediately.

  3. Paperwork: sensitive credit and debit card paperwork must be stored in a secure area and never sent in the internal mail, as it is as valuable as cash.
  4. Storage: sensitive credit and debit card paperwork must be stored in a safe and secure location, defined as:
  • within a safe, or
  • within a locked cash box, or
  • within a locked cabinet

Sensitive cardholder data must never be stored on PCs or removable media in any format (email, Access database, Excel spreadsheet, pen drive, etc.): this breaches PCI DSS and effectively makes the University non-compliant.

  5. Destroy: sensitive credit and debit card paperwork must not be kept for longer than is necessary for business reasons. At the end of the retention period, it must be destroyed securely using a cross-cut shredder.
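The storage rule above (cardholder data must never sit in email, spreadsheets or documents on a PC) is easiest to check by scanning files and mailboxes for stray card numbers. The Python script below is an added example and is not part of the original page or any University tool. It finds 13 to 19 digit sequences, optionally separated by single spaces or hyphens, keeps only those that pass the Luhn mod-10 check that every real PAN satisfies (so invoice numbers and phone numbers are ignored), and reports each hit masked to its last four digits so that the scan itself does not create another copy of cardholder data. The sample email body is constructed, and the regex, the masking format and the function names are my own assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits. (Assumed pattern.)
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Every card number issued under the major schemes satisfies this check,
    so it filters out most look-alike sequences (invoice numbers, IDs).
    """
    if not digits.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits, so the report is safe to keep."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text, in order of appearance.

    Only Luhn-valid sequences of 13-19 digits are reported.
    """
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


# Constructed sample email body (not a real message). It contains a
# 16-digit invoice reference that is NOT Luhn-valid, a Visa-format test
# number, an 11-digit phone number and an Amex-format test number.
SAMPLE_EMAIL = (
    "From: a.customer@example.org (constructed sample)\n"
    "Hi, please take payment for invoice 1234567890123456 using my card\n"
    "4111 1111 1111 1111, expiry 12/27. You can call me on 01234 567890.\n"
    "My other card is 3782 822463 10005 if that one fails.\n"
)


if __name__ == "__main__":
    hits = find_pans(SAMPLE_EMAIL)
    if hits:
        print(f"Cardholder data found ({len(hits)} PAN(s)), do not process:")
        for h in hits:
            print("  ", h)
    else:
        print("No card numbers found.")
```

Run against the constructed message it reports two masked PANs (the Visa- and Amex-format numbers) and ignores the invoice reference and phone number. Point `find_pans` at the text of exported mailboxes, spreadsheets saved as CSV, or documents converted to plain text to find data that should not be there; any hit should be escalated to the Finance Service and Support team rather than handled locally.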