This procedure, together with the PCI DSS Policy, helps the University comply with the Payment Card Industry Data Security Standards (PCI DSS), which set out the requirements the University follows to protect cardholder data and ensure secure payment transactions.

Complementary information on approved P2PE devices and the relevant forms is available to further support the policy and procedures.

1. Purpose and scope

  1. 1.1 This Procedure outlines the controls and mandatory behaviours that institutions with card machines or payment streams involving credit and debit card transactions must have in place to protect cardholder data. It should be read in conjunction with the University Payment Card Industry (PCI DSS) Policy and any Institutional PCI DSS Policy.
  2. 1.2 The Head of Institution (HoI) is responsible for ensuring full compliance with PCI DSS requirements within their respective institution. This responsibility is typically delegated to the Institution PCI Compliance Lead, who is accountable for implementing and maintaining adherence to the University PCI DSS Policy and associated procedures. The Institution PCI Compliance Lead may also use this procedure to support the development of institution-specific information.
  3. 1.3 All Institution employees and connected persons have a role in supporting the Institution PCI Compliance Lead in implementing the University PCI DSS Policy and this Procedure.
  4. 1.4 Compliance with the PCI DSS Policy and Procedure is overseen by the PCI DSS Compliance Oversight Group (PCI COG). Any PCI DSS related questions can be submitted to the PCI COG at pcidss@admin.cam.ac.uk. The PCI DSS webpages provide more information on PCI DSS devices, documents and compliance.
2. Requesting systems and devices

  1. 2.1 Only PCI COG approved PDQ devices and online payment facilities can be used for accepting debit and credit card payment. More information can be obtained by contacting PCI COG.
  2. 2.2 If an institution wants to obtain a centrally provided payment facility, a request form must be completed by the Institution PCI Compliance Lead and submitted to the PCI COG.
  3. 2.3 If an alternative system is required, an application must be made by completing the [form] and submitted to the PCI DSS.
  4. 2.4 If an alternative system is approved, the Institution PCI Compliance Lead must ensure that any third party that stores, processes, or transmits cardholder data on behalf of the University is PCI DSS compliant, as demonstrated by a valid Attestation of Compliance (AOC) submitted to the PCI COG.
  5. 2.5 The Institution PCI Compliance Lead is responsible for completing and emailing the relevant Self-Assessment Questionnaire (SAQ) to the PCI COG annually to demonstrate compliance within the department and for audit purposes.
3. Processing customer present PDQ payments

  1. 3.1 When a successful payment is processed, if the machine generates a paper ‘merchant copy’ receipt, it must be stored securely in a locked drawer or cabinet and the ‘customer copy’ handed to the customer.
  2. 3.2 If the transaction is declined, the customer must be informed immediately and the customer must provide an alternative card.
4. Processing customer not present payments

  1. 4.1 Payments taken on PDQ devices must normally be taken on a ‘customer present’ basis. Written approval must be sought from the PCI COG to take customer not present payments (including over the phone) and is only permitted when other methods of payment are not possible. Approval must be sought annually.
  2. 4.2 If approval has been given by the PCI COG and a payment is taken over the phone, the Institution PCI Compliance Lead must inform staff that card details are to be entered directly by the staff member taking the call into the PDQ machine, that card details should never be read back to the customer (if necessary, the customer can repeat the number back for clarification) and that call recording must be disabled while taking card details.
5. Cardholder data storage and handling

  1. 5.1 Storage of cardholder data - whether in paper form or electronically (including but not limited to local hard drives, shared storage, cloud services, or removable media) - is strictly prohibited unless prior written authorisation has been obtained from the PCI COG. The Institution’s PCI Compliance Lead is responsible for ensuring that all Payment Device Operators (PDOs) are aware of this policy and have received appropriate training.
  2. 5.2 Storage of cardholder authentication data (including magnetic track data, CVV2, and PIN information) after authorisation is strictly prohibited under all circumstances.
  3. 5.3 All confidential and sensitive data must be retained only for as long as necessary to meet legal, regulatory, and legitimate business requirements, and must always be stored in a secure location. Cardholder data may only be recorded in writing when there is a genuine operational necessity (for example, temporary network failure preventing immediate transaction processing).
  4. 5.4 The Institution’s PCI Compliance Lead must conduct periodic reviews to verify that all confidential and sensitive data is retained only as long as legally, regulatorily, and operationally required, and that such data is stored securely.
  5. 5.5 Cardholder data must never be transmitted or received through end-user messaging technologies such as email, instant messaging, or online chat.
  6. 5.6 If cardholder details are inadvertently received via email or end-user messaging technologies, the recipient must:

 - immediately delete the email or message from the inbox and the deleted items folder (if possible)

 - compose a new email or message to the customer advising that card details cannot be accepted through that method

  7. 5.7 Card payment data must always be stored safely and securely when unattended. Secure storage is defined as any of the following:

 - within a safe

 - within a locked cash box stored in a locked drawer or cabinet

 - within a locked drawer or cabinet

6. Security for payment devices

  1. 6.1 Payment devices must only be used by authorised and trained staff.
  2. 6.2 The payment device must always be visible to staff and difficult for others to access unobserved. The device must be in a position where it is easy for staff to observe – but difficult for others to touch unnoticed.
  3. 6.3 Payment devices must be secured and locked away when unattended.
  4. 6.4 Staff must check the identity (vendor-issued photo ID and Government-issued ID such as a driving licence) of anyone who asks to inspect the terminal.
  5. 6.5 PDOs must be vigilant of other customers ‘shoulder surfing’ or using phone cameras to steal customer data.
  6. 6.6 PDOs must ensure that no security cameras could view customer card data and report to their line manager and Institution PCI Compliance Lead if they are concerned that this is an issue.
  7. 6.7 PDOs and other staff must not touch the payment card unless the customer is having difficulties and offers it to them. In those cases, the PDO must always keep the card in the customer’s sight.
  8. 6.8 Daily tamper checks must include verifying the following:

 - the serial number and other ID labels have not changed

 - labels have not been moved or peeled off

 - there are no signs of damage or forcing to the screws or the device case

 - no power, network or interface cables have been replaced

 - nothing has been attached to the device

 - there are no changes to the display

 - the receipt format has not changed

 - there are no changes to the card slot and that the card fits as expected

  9. 6.9 The Institution PCI Compliance Lead must ensure that no payment devices are connected to the University’s network unless they are properly end-to-end encrypted (for example P2PE devices).
7. Incident reporting

  1. 7.1 In the event of a discovered fault or suspected tampering, immediately cease the use of the affected device. Report the issue or suspicion without delay to the Institution PCI Compliance Lead and the Head of Department.
  2. 7.2 Promptly notify the supplier and card processor of the fault or suspicion of tampering using the contact number provided on the underside of the device.
  3. 7.3 Submit a detailed incident report in accordance with the Institution’s Incident Response Process and the PCI COG.
  4. 7.4 Ensure that all personnel are instructed not to use the device until the issue is fully resolved.
  5. 7.5 Record all actions taken during the incident, including but not limited to, initial detection, reporting, and resolution efforts.
8. Training

  1. 8.1 Card processors must undertake mandatory PCI DSS training and any additional training requested by the Institution PCI Compliance Lead. The University-wide mandatory training includes annual PCI DSS and cyber security courses.
  2. 8.2 The Institution PCI Compliance Lead must ensure that training is completed, and a record kept of completion certificates.
9. Related documentation and forms

Version History
  • Version 1.0
  • Issue date: 18 Dec 2025
  • Content changes: New procedure
  • Approved: Chris Patten, Head of Accounts Payable
  • Date: 8 Dec 2025