The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined and published by the Payment Card Industry Security Standards Council. The standard was created to help prevent payment card fraud through increased controls around the data and its exposure to compromise and applies to all organisations that hold, process or exchange cardholder information.

It is our responsibility to ensure card details and personal data on customers are stored securely by us (and any third party which stores, transmits or processes such card data on our behalf) and only used for the purposes intended. The cardholder must be able to feel confident the University is taking all necessary measures to safeguard their personal details.

Card details must never be transmitted through email, as email is an insecure channel: messages are stored and relayed in plain text on systems outside our control.

The University must meet the PCI DSS standard at all times to remain a participant in the card schemes and to retain the ability to process card payments. An annual compliance assessment is carried out; its form depends on our Merchant Level, which is determined by the number of card transactions processed per year.

The PCI DSS Standards

The standards are detailed in full on the PCI Security Standards Council website, but they can be summarised into the following 12 requirements.

University Policy

The Finance Division and UIS are responsible for ensuring the University is PCI DSS compliant; their policy includes the following.

  • The University will undertake a PCI Compliance review on an annual basis.
  • If anyone identifies that this policy is compromised or is at risk of compromise this must be reported immediately to the PCI Compliance Officer via the Helpdesk at UFS_CM@admin.cam.ac.uk
  • All staff who handle either customer present or customer not present card transactions in any form must undertake PCI Compliance training on an annual basis.
  • All customer present card transactions must take place using a PCI compliant electronic point of sale system.
  • Wherever possible, customer not present card transactions should be processed using the University's online store (WPM e-Sales) system.
  • Card and/or cardholder details should not be stored or transmitted electronically (other than through the University's online store). This includes emailing and scanning of paper copies.
  • If there is a valid requirement to scan documents that also contain card transaction details, the card details must be obliterated using an indelible marker pen before scanning.
  • Where possible, any paper notes/or paper copies containing card transaction details must be destroyed (cross shredded) immediately after use.
  • Where paper copies containing card transaction details need to be retained for a valid reason (e.g. chargebacks), they must be kept in a secure, locked cabinet or room at all times.
  • The retention period for all paper copies containing card transaction details is:
    • Merchant copies should be kept for a minimum of 6 months (this is the period within which chargebacks can be raised).
    • Beyond this, copies should be kept for a further 12 months (i.e. the TOTAL storage time is 18 months from the date of transaction).
    • File by date of transaction.
  • The University will carry out penetration testing at least annually on the University network and the results will be notified to the PCI Compliance Officer.
  • The University will use and regularly update anti-virus software to protect the University network.
  • The University will contract an Approved Scanning Vendor (ASV) to carry out quarterly external vulnerability scans of the relevant University IP addresses, and the results will be notified to the PCI Compliance Officer.

In addition, departments should follow all the procedures laid out in the Document Retention section.