Published on Finance Division (https://www.finance.admin.cam.ac.uk)

Home > Policy & Procedures > Financial Policies > PCI DSS Policy

PCI DSS Policy

This Policy sets out the responsibilities and mandatory behaviours of the University’s administrators in institutions with card machines or payment streams that involve credit and debit card transactions.

Contents

A. Policy Statement
B. Scope
C. Key principles
D. Cardholder data
E. Devices used to process payments
F. Third parties
G. Incident response
H. Training
I. Roles and responsibilities
J. Related document and further guidance

Appendix A: Definitions applied to this Policy [1]
Appendix B: Principal PCI DSS requirements [1]

 

Version : 1.0
Effective date: 1 November 2025
Date of next review: November 2028

 

A.   Policy statement

  1. This Policy sets out the responsibilities and mandatory behaviours of the University’s administrators in institutions with card machines or payment streams that involve credit and debit card transactions. The policy and  its associated procedures outline the University’s management of customer payment card security as part of compliance with the Payment Card Industry Data Security Standard (PCI DSS).
     
  2. Due to the diverse nature of our activities, although Finance Division and UIS provides overarching guidance and support, for specialist applications, processes and procedures must be developed and documented by each institution.
     

Penalties

  1. Failure to protect cardholder data can lead to expensive investigations, litigation, loss of reputation and in the worst-case scenario, withdrawal of the ability to take payment by credit and debit cards.
     
  2. As of 2024, under the UK GDPR, a data breach can result in a fine of up to £17.5 million or 4% of annual global turnover as imposed by the Information Commissioner’s Office. The penalties apply to violations of Article 5 (data processing principles) and Article 6 (lawfulness of processing).
     
  3. Failure to follow this policy may result in disciplinary action under the University's conduct procedure.
     

Definitions

  1. The appendix provides a list of definitions as applied to this policy. The defined words are in bold font.

Back to the top

B.  Scope

  1. This policy applies to:
  • all University employees and connected persons involved with, or exposed to, handling credit and debit cards, cardholder data, or the systems processing such data. This includes those working in an environment where these activities take place, or who have a role in payment processing in any capacity.
  • all University institutions within the Academic University
  • all University activities involving card payments (sales), whether online, in the post, over the phone or face to face via card machines
  • third parties processing card payments on behalf of the University, including event management organisations. It is the responsibility of anyone procuring an external service to ensure that this policy’s requirements are part of the business contract
  1. This Policy does not apply to Cambridge University Press & Assessment, University subsidiary companies, or the Colleges. However, it is expected that these organisations would have a similar policy to meet the PCI DSS and their contractual obligations with their acquirers.

Back to the top

C.    Key principles

  1. Before an institution accepts any card payments, the Head of Accounting Services, Finance Division’s permission is needed.
     
  2. All Point-of-Sale devices that process cardholder data on behalf of the University must be connected to the University’s bank account.
     
  3. All University institutions processing card payments must have a nominated PCI Compliance Lead, reporting to the Head of Institution (HoI) on these matters.
     
  4. The PCI DSS policy standards must be followed.

Back to the top

D.    Cardholder data

  1. No University employee or connected person should handle cardholder data unless they have a business need and explicit authorisation to do so.
     
  2. Cardholder data must not be transmitted or requested to be transmitted via end-user messaging technologies such as email, instant messaging, Teams, or SMS.
     
  3. University employees and connected persons must not store cardholder data electronically. This includes storing on local hard drives, shared storage (such as University departmental file store), cloud storage solutions (for example SharePoint), or any removable media (for example memory stick, CD/DVD).
     
  4. University employees and connected persons must not store cardholder data on paper unless specifically agreed by the Head of Accounting Services. If permission is given, any cardholder data must be securely stored when not in use and destroyed in line with the University’s Confidential Waste Disposal procedure.
     
  5. Any processing of cardholder data, including by third parties, must meet the following conditions:

  1. A confirmation from the institution that they have screened and trained all handlers of cardholder data before they are allowed access. Institutions must maintain a training record and ensure the cardholders repeat it on an annual basis.

  2. Institutions only implement non P2PE devices if using strong encryption on public data networks (4G/5G) or apply the solution in accordance with its respective Implementation Guide.

  3. Cardholder data must not be stored in any voice recordings. Where cardholder data is taken over the telephone, any call recording solution must be disabled whilst cardholder data is being given. Any institution taking cardholder data over the phone must first seek advice from the PCI DSS Compliance Oversight Group (COG) to ensure they remain compliant with this policy.

Back to the top

E.    Devices used to process card sales

  1. Any device used to process cardholder data on behalf of the University must be first approved by the COG.
     
  2. Where the device is a Point-of-Sale terminal it must be of a type approved by the COG. The details (model, serial number, security features and location) of all devices in use must be recorded and supplied to the COG for inclusion in the PCI asset list.
     
  3. Devices must be configured and used in compliance with the manufacturer’s Implementation Guides and the University IT policies and Finance Regulations.
     
  4. All devices must be stored securely when not in use and checked regularly for tampering or substitution. Any suspicion of tampering must be reported to the COG in line with the Incident response procedure.

Back to the top

F.    Third parties

  1. The COG must approve the appointment of any third party commissioned to process card information on behalf of the University of Cambridge. Their compliance status must be assessed by the group. If they are a PCI DSS compliant Service Provider for the contracted services they provide to the University, they must provide the University with an up-to-date version of their Attestation of Compliance before engagement and each year thereafter.
     
  2. Any contracts or written agreements with third party providers must make clear their responsibility for upholding and protecting the University’s compliance. A full list of Third-Party Payment Service Providers will be kept by COG, and the service providers PCI DSS compliance will be checked by COG annually.

Back to the top

G.    Incident response

  1. Any University employee or connected person who discovers a breach or suspected breach of this policy must report the matter immediately to their line manager, PCI lead or Head of Institution (HoI) who will inform the PCI DSS COG. The COG will respond to the incident in compliance with the University incident response process.

Back to the top

H.    Training

  1. Institutions must ensure only University employees and connected persons who have successfully completed their PCI Awareness Training will have access to PCI equipment and cardholder data.
     
  2. Training must be completed prior to starting work and refreshed annually. A record of this training must be kept.
     
  3. Local operational procedures must be incorporated into the training to cover specific activities in the institutions.

Back to the top

I.    Roles and responsibilities

  1. All University employees and connected persons have a role in ensuring adherence to this policy. It is their responsibility to follow all established procedures and security protocols to protect cardholder data and support PCI DSS compliance, including the annual completion of the PCI DSS training course.

Role

Accountability or responsibility

Head of Institution (HoI) where the institution accepts credit card payments 
  • Ensures full compliance with PCI DSS requirements within their respective institutions
  • Appoints a key contact person (PCI Compliance Lead) to function as the primary liaison for all PCI DSS-related matters, ensuring clear communication and prompt actions to maintain compliance
  • Communicates this Policy to University employees and connected persons working with cardholder data or processing card payments within their institution
  • Ensures that adequate resources are available to enable compliance
  • Ensures systems are included in institutional incident management and business continuity planning
  • Confirms contracts with and purchases from third parties are policy compliant, including software, hardware and services

Institution PCI Compliance Lead
  • Annual completion of the PCI DSS Self-Assessment Questionnaire (SAQ)
  • Complete and obtain evidence of a passing vulnerability scan with a PCI Approved Scanning Vendor (ASV), if applicable
  • Ensures devices used to process payments are regularly inspected for signs of tampering or substitution
  • Aid University Incident response team in response to an PCI related incident
  • Ensures University employees and connected persons have read and understood the PCI DSS policy and procedures, have undertaken applicable training and keep a record of the training
  • Informs the COG about any new devices, as well as discontinuing the use of a device by the institution
  • Ensures local operational procedures are created and supported to cover the specific activities in their department, and issued to all relevant staff

The PCI DSS Compliance Oversight Group (PCI COG)

This group is jointly run by the Finance Division and University Information Services (UIS)

  • Oversee the PCI DSS compliance across the University, providing guidance and support as needed
  • Check institutions meet required standards
  • Review and update this policy annually
  • Periodic inspection of any systems, databases, or physical areas within the University where cardholder data might be processed or stored. The group may delegate these inspections to a representative

Director of Finance 
  • Policy owner. This covers overall responsibility for ensuring the University’s compliance with PCI DSS policy
  • Together with the Chief Information Security Officer, is accountable for managing the risks associated with cardholder data

Chief Information Security Officer (UIS) 
  • Ensuring the University’s Information Technology and systems can support users in adhering to this policy and associated procedures. This includes addressing the challenges associated with the storage, transmission and processing of cardholder data
  • Shares accountability with the Director of Finance for managing these risks.

Head of Accounting Services
  • Disseminates the policy and any updates to all Institution PCI Compliance Leads

 J.    Related documents and further guidance

Any PCI issues or queries should be sent to PCI COG via the UFS helpdesk [5]

Source URL:https://www.finance.admin.cam.ac.uk/policy-and-procedures/financial-policies/pci-dss-policy

Links
[1] https://www.finance.admin.cam.ac.uk/policy-and-procedures/financial-policies/pci-dss-policy/pci-dss-policy-appendices [2] https://www.finance.admin.cam.ac.uk/policy-and-procedures/financial-regulations [3] https://www.finance.admin.cam.ac.uk/chapter-7-cash-and-banking-procedures [4] https://www.pcisecuritystandards.org/ [5] http://ufs_helpdeskhub@admin.cam.ac.uk