Appendix A: Definitions applied to this Policy

Appendix B: Principal PCI DSS requirements

 

Definitions applied to this Policy 

Term: Definition

Cardholder data: This includes:
  • the Primary Account Number (PAN)
  • cardholder name
  • expiry date
  • security code (the three- or four-digit card verification value printed on the card; PCI DSS classes this as sensitive authentication data, which must never be stored after authorisation, even in encrypted form)

Connected persons: Any individual or organisation performing services for and on behalf of the University, which may include the University’s subsidiaries, recipients of grants, partners in collaborative working arrangements and joint ventures, suppliers, distributors, business contacts, agents, advisers, assessors, and government and public bodies

Devices: This includes:
  • Electronic Point-of-Sale (EPOS)
  • PIN Entry Device
  • PDQ Machine

Institutions: This means any of the following for the University:
  • Departments, or a faculty that is not organised in departments
  • Schools and Faculty Boards
  • A centre or an institute
  • Other bodies under the supervision of the General Board or the Council
  • Divisions within the Unified Administrative Service

P2PE Devices: A secure cryptographic device (SCD) that uses point-to-point encryption (P2PE) to encrypt account data from the point of capture, so that the systems the data passes through on its way to the payment processor never handle it in clear

PAN: A “Primary Account Number” is the number, most commonly 16 digits but between 13 and 19 digits depending on the card brand, printed or embossed on a debit or credit card and encoded in the card's magnetic stripe and chip. Its leading digits identify the issuer of the card, the remaining digits identify the account, and the final digit is a check digit

Payment card: A card backed by an account holding funds belonging to the cardholder or offering credit to the cardholder, such as a debit or credit card

Payment Card Industry Data Security Standard (PCI DSS): A set of security requirements intended to protect cardholder data from theft or fraud. They are the minimum security controls needed to safeguard payment card transactions. PCI DSS applies to all organisations that store, process or transmit cardholder data

SAQ: Self-Assessment Questionnaire used to evidence compliance

University employees: All individuals working within the University at all levels and grades, including officers, employees (whether permanent, fixed-term, or temporary), workers, trainees, seconded employees, agency employees, volunteers, interns, assessors, or any other person working in any context within the institution
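The PAN definition above gives the number's structure (13 to 19 digits, an issuer prefix, an account part and a check digit). The Python below is an added example, not part of the University policy, showing how that structure is used in practice: validating a candidate PAN with the Luhn check digit that ISO/IEC 7812 card numbers carry, masking it to the first six and last four digits (a display format within the PCI DSS limit of BIN plus last four), and scanning log lines for unmasked PANs, which is how a team checks that EPOS or web application logs in scope are not retaining cardholder data. The log lines are constructed for the example, the card numbers are the publicly documented brand test numbers, and the regular expression and masking width are assumptions of the example rather than anything the policy prescribes.

```python
"""Added example: PAN validation, masking and leak detection.

Not part of the University policy. Card numbers used below are the
publicly documented brand test numbers, not real accounts.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces
# or hyphens, not embedded in a longer run of digits. (Assumption of the
# example: the separators seen in your own data may differ.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def digits_only(value: str) -> str:
    """Strip separators so '4111 1111 1111 1111' and '4111111111111111' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN's final digit is a correct Luhn check digit.

    Working from the right, every second digit is doubled (subtracting 9
    when the result exceeds 9); the total must be a multiple of 10.
    """
    digits = [int(ch) for ch in digits_only(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def issuer_prefix(pan: str) -> str:
    """Leading six digits: the issuer identification number (IIN/BIN)."""
    return digits_only(pan)[:6]


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'.

    Assumption of the example: the first-6/last-4 display format is used.
    """
    digits = digits_only(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """All Luhn-valid card numbers appearing in clear in the text."""
    return [m.group() for m in PAN_CANDIDATE.finditer(text) if luhn_valid(m.group())]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid candidate with its masked form; leave other digit runs alone."""
    def replace(match: re.Match) -> str:
        found = match.group()
        return mask_pan(found) if luhn_valid(found) else found
    return PAN_CANDIDATE.sub(replace, text)


# Constructed sample of EPOS application log lines (not real log output).
SAMPLE_LOG = """\
2024-03-01 10:02:11 POS-07 sale ok amount=12.50 ref=000123456789
2024-03-01 10:02:15 POS-07 debug card=4111 1111 1111 1111 exp=12/27
2024-03-01 10:03:40 POS-09 sale ok amount=40.00 card=378282246310005
2024-03-01 10:04:02 POS-09 retry card=4111111111111112 reason=decline
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print(f"unmasked PAN found (issuer {issuer_prefix(pan)}): {mask_pan(pan)}")
    print(redact_pans(SAMPLE_LOG))
```

The Luhn check is what keeps timestamps, order references and other long digit runs out of the results; the fourth log line contains a sixteen-digit number with a wrong check digit and is deliberately left untouched. A scanner like this belongs in log review for Requirement 10 and in the evidence for Requirement 3 that PANs are not stored in clear, but it should be treated as a detective control only: anything it finds has already been written to disk and must be handled as a data incident.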

 

Principal PCI DSS requirements 

The twelve requirements below are grouped under the six PCI DSS goals and keep the consecutive numbering (1 to 12) used in PCI DSS v4.0, which is how they are referred to in SAQs and assessment reports.

Goal: Requirements

Build and Maintain a Secure Network and Systems
  1. Install and Maintain Network Security Controls
  2. Apply Secure Configurations to All System Components

Protect Account Data
  3. Protect Stored Account Data
  4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Maintain a Vulnerability Management Program
  5. Protect All Systems and Networks from Malicious Software
  6. Develop and Maintain Secure Systems and Software

Implement Strong Access Control Measures
  7. Restrict Access to System Components and Cardholder Data by Business Need to Know
  8. Identify Users and Authenticate Access to System Components
  9. Restrict Physical Access to Cardholder Data

Regularly Monitor and Test Networks
  10. Log and Monitor All Access to System Components and Cardholder Data
  11. Test Security of Systems and Networks Regularly

Maintain an Information Security Policy
  12. Support Information Security with Organizational Policies and Programs

 
