
Financial and Legal Services Cashiers Service


Payment Card Industry Data Security Standards (PCI DSS)

As a University we process payment card information for a variety of products and services, and we are committed to meeting and maintaining the mandatory requirements of the Payment Card Industry Data Security Standard (PCI DSS).


What is PCI DSS?

The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS).

Its purpose is to help organisations proactively protect cardholder data from theft, compromise or misuse. The Data Security Standard sets out a detailed, 12-requirement structure for securing cardholder data that is stored, processed and/or transmitted by merchants and other organisations.

PCI Data Security Standard – High Level Overview

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel


Are these standards relevant to me, and why are they important?

The PCI Data Security Standard is relevant to anyone at the University who handles cardholder data or takes payments by credit or debit card.

This set of rules tells people responsible for taking credit and debit card payments how to handle the data safely, so that it cannot be lost, stolen or intercepted and used for fraud. It covers:

  • How to take a payment safely
  • What to do with sensitive cardholder information which we get when we process a payment
  • How to store information and rules around the destruction after use
  • How to manage our IT network to ensure that all data is safe.

If the University does not comply with PCI DSS we would face significant fines and, ultimately, could lose the right to take credit and debit card payments across the whole organisation.

For more information on what is required to meet PCI DSS check out their Frequently Asked Questions (https://www.pcisecuritystandards.org/faq/)

We are here to help

This is an important area with many rules and regulations around it. If you need support or advice, please contact the Cash Operations Manager.

The Cashiers team are also happy to support training staff on using card payment processing terminals (PDQ terminals).

Golden rules to follow

PCI DSS is an important and wide-ranging standard, so anyone who handles cardholder data must always remember the following points:

1. Payments: before taking a payment, check that nothing unusual has been attached to the payment terminal (a USB drive or dongle, for example). As soon as the payment has been taken, put the merchant receipt and any related paperwork away in the designated secure area.

2. Sensitive Information: never write down on paper, in an electronic document or email, or enter into any system:

  • the PAN (the long card number, usually 16 digits, printed on the front of the card)
  • the 3-digit security code on the back of the card (4 digits on the front of American Express cards)
  • the customer's own PIN (for chip and PIN cards); we should never ask for this information

Staff must never ask for sensitive cardholder data to be emailed so that a payment can be processed on receipt.

If in doubt about the security of the data or integrity of the payment system or device, please do not use it and contact the Cashiers team immediately.

3. Paperwork: sensitive credit and debit card paperwork (any paperwork that includes the full PAN and expiry date) must be hand-delivered to a Finance Service Centre or Cashiers Office during office opening hours, unless on-site secure storage of paperwork has already been agreed with the Cash Operations Manager. Sensitive paperwork must never be sent in the internal mail: it is as valuable as cash.

4. Storage: sensitive credit and debit card paperwork must be stored in a safe and secure location, defined as one of:

  • a safe
  • a locked cash box
  • a locked cabinet

Sensitive card details must never be stored on PCs in any format (email, Access database, Excel spreadsheet, pen drive, etc.), as this breaches the standard and makes the University non-compliant.

5. Destroy: sensitive credit and debit card paperwork must not be kept for longer than is necessary for business reasons. At the end of the retention period, sensitive paperwork must be destroyed securely using a cross-cut shredder.
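Rules 2 and 4 above say that a full PAN must never end up in a document, email or spreadsheet. One practical way to check shared drives and mailboxes for accidental copies is a scanner that looks for card-number-shaped digit runs (13 to 19 digits, optionally spaced or hyphenated), confirms each candidate with the Luhn check that every real PAN passes, and masks anything it finds to the first six and last four digits, which is the most PCI DSS permits to be displayed. The Python below is an added example written for this page, not a University or Cashiers tool; the sample text is constructed, and the card numbers in it are the well-known industry test numbers, which belong to no real account.

```python
import re

# Candidate PAN: 13-19 digits, each optionally followed by a single space or
# hyphen, not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample text containing two industry test PANs and one
# 16-digit order reference that is not a card number.
SAMPLE = (
    "Card 4111 1111 1111 1111 exp 12/19, order 1234567890123456, "
    "Amex 3782 822463 10005"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every PAN issued by the card schemes passes this check, so it removes
    most phone numbers, order references and other long numbers.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six and last four digits (the PCI DSS display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _strip(candidate: str) -> str:
    """Remove the spaces and hyphens a person typically types into a PAN."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in text, as bare digit strings."""
    return [
        _strip(m.group(0))
        for m in CANDIDATE.finditer(text)
        if luhn_valid(_strip(m.group(0)))
    ]


def redact(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in text with its masked form.

    Returns the redacted text and the number of PANs masked. Candidates
    that fail the Luhn check are left untouched.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = _strip(m.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return CANDIDATE.sub(_sub, text), count


if __name__ == "__main__":
    cleaned, n = redact(SAMPLE)
    print(f"{n} PAN(s) masked")
    print(cleaned)
```

The Luhn check only rejects about nine in ten random digit runs, so hits still need a human look before anyone is told they have breached the standard; conversely, a PAN split across cells or lines will not be matched at all. Run a scanner like this over the places card details tend to leak into (shared drives, mailboxes, exported spreadsheets), and treat any hit as data to be deleted, not something to file.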

Article last updated: Tuesday, November 8, 2016
