The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined and published by the Payment Card Industry Security Standards Council. The standard was created to help prevent payment card fraud through increased controls around the data and its exposure to compromise and applies to all organisations that hold, process or exchange cardholder information.

It is our responsibility to ensure card details and personal data on customers are stored securely by us (and any third party which stores, transmits or processes such card data on our behalf) and only used for the purposes intended. The cardholder must be able to feel confident the University is taking all necessary measures to safeguard their personal details.

Card details must never be transmitted through email, as email is considered an insecure environment.

The University must meet these PCI DSS standards at all times to remain a member of the card scheme and to ensure that we can continue to have the ability to process card payments. An annual audit is carried out based on our Merchant Level which is dependent on the number of card transactions processed per year.

The PCI Data Security Standards

The twelve requirements are summarised below. However, the full standards can be viewed on the PCI website: https://www.pcisecuritystandards.org.
Goals and PCI DSS Requirements

Build and Maintain a Secure Network and Systems
    1. Install and maintain network security controls
    2. Apply secure configuration to all system components

Protect Account Data
    3. Protect stored account data
    4. Protect cardholder data with strong cryptography during transmission over open, public networks

Maintain a Vulnerability Management Program
    5. Protect all systems and networks from malicious software
    6. Develop and maintain secure systems and software

Implement Strong Access Control Measures
    7. Restrict access to system components and cardholder data by business need to know
    8. Identify users and authenticate access to system components
    9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
    10. Log and monitor all access to system components and cardholder data
    11. Test security of systems and networks regularly

Maintain an Information Security Policy
    12. Support information security with organisational policies and programmes

University Policy


The Finance Division and UIS are responsible for ensuring the University is PCI DSS compliant, and its policy includes the following:

•    the University will undertake a PCI Compliance review on an annual basis
•    if anyone identifies that this policy is compromised or is at risk of compromise, this must be reported immediately to the PCI Compliance Officer via Cash Management
•    all staff who handle card transactions in any form must undertake PCI Compliance training on an annual basis
•    all customer present card transactions must take place using a PCI compliant electronic point of sale system
•    wherever possible, customer not present card transactions should be processed using the University’s online e-Sales system
•    card and cardholder details should not be stored or transmitted electronically, other than through the University’s online e-Sales system; this includes emailing and scanning of paper copies
•    if there is a valid requirement to scan documents that also contain card transaction details, the card details must be redacted before scanning
•    where possible, any paper notes or copies containing card transaction details must be destroyed (cross shredded) immediately after use
•    where paper copies containing card transaction details need to be retained for a valid reason, i.e. chargebacks, they must be kept in a secure, locked cabinet or room at all times
•    the retention period for all paper copies containing card transaction details is:
-    merchant copies should be kept for a minimum of 6 months (this is the time limit within which chargebacks can be registered)
-    beyond this, copies should be kept for a further 12 months; therefore, total storage time equals 18 months from the date of transaction
•    paper copies should be filed by date of transaction
•    the University will carry out appropriate University network security testing
•    departments must use University equipment that is kept updated with all software updates, including anti-virus software, to protect the University network when handling card payments

Additionally, departments should follow all the procedures laid out under the section Document Retention.
