PCI DSS Compliance
Payment Card Industry Security Standards Council
For the University to take payments by credit or debit card it has to follow the standards set by the PCI Security Standards Council. PCI-DSS stands for Payment Card Industry Data Security Standard and is the set of requirements we must meet whenever credit or debit card payments are processed.
For more information on what is required to meet the PCI standards, see the PCI Council's Frequently Asked Questions.
If an organisation that takes credit/debit card payments is not compliant with PCI-DSS it can incur penalties for taking payment by card. If an organisation suffers a data breach that results in the loss of cardholder data because it has not been following its PCI-DSS requirements, the fines can be very large. It is therefore in the University's interests to make sure it meets its PCI-DSS requirements.
PCI-DSS at the University
Responsibility for looking after and coordinating the University's PCI-DSS obligations lies with the Campus Card Systems team. PCI-DSS issues are also raised with the Information Security Group.
The University has to register its PCI-DSS processes with each of its Merchant Acquirers. A Merchant Acquirer is the company that processes each card payment and ensures the money received is deposited in the University's bank account. The Merchant Acquirer also acts as our primary contact with the PCI Council, and it is with each Merchant Acquirer that we must complete a separate annual PCI-DSS assessment. The assessments also depend on how the card payments are taken, so for example we need one assessment for our EPOS system and another for our online shop.
PCI-DSS and your responsibilities
If you are responsible for staff who take credit/debit card payments for the University, you are responsible for ensuring they have completed the necessary online training before they take any payment. If you are a member of staff who takes credit/debit card payments for the University, you must complete the online training on how to take these payments; if you have not, speak to your line manager. The University's latest PCI-DSS requirements and procedures can be found here.
If you plan to purchase any system or hardware to take credit/debit card payments you must speak to the Campus Card Systems team or the Treasury team before the purchase can be completed.
If you have ordered replacement hardware designed to take card payments you must inform the Campus Card Systems team so that their inventory of such devices is kept up to date, as the University's PCI-DSS responsibilities require.
If you find complete credit/debit card details (a full card number, particularly together with the expiry date or the CVV/security code) in emails, electronic or paper documents, or stored within a system you control, remove or destroy the data as soon as you discover it and report the find to firstname.lastname@example.org. The only exception is a system that masks the card number so that at most the first 6 and last 4 digits are shown (for a 16-digit number, the middle 6 digits are hidden). Note that the CVV/security code must never be stored after a payment has been authorised, masked or otherwise. If you need further advice on this please email email@example.com
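The rule above (full card numbers must not sit in mailboxes, documents or systems, and display masking to the first six and last four digits is the only exception) can be checked mechanically. The following Python script is an added example, not a tool the University or this page provides: it scans a block of text for card-number candidates, filters them with the Luhn check that every real card number satisfies, and reports only a masked form so that the scan report does not itself become another copy of cardholder data. The sample email is constructed, the card numbers in it are the card schemes' published test numbers rather than real accounts, and the asterisk masking format is an assumption.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812). Every real card number passes it,
    so a digit run that fails is not a PAN; passing is necessary, not proof."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display-mask a PAN to at most the first six and last four digits, the
    most PCI-DSS allows on a display. Padding with '*' is this example's choice."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Scan free text (an email body, a document export, a log file) and return
    one finding per Luhn-valid card number: line number, length and masked form.
    The unmasked digits are never stored in the result."""
    findings: List[Dict[str, object]] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue  # order references, phone numbers and similar drop out here
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "length": len(digits),
            "masked": mask_pan(digits),
        })
    return findings


# Constructed sample email. The card numbers are the schemes' published test
# numbers, not real accounts; the already-masked receipt line must not be flagged.
SAMPLE_EMAIL = """\
Hi, please charge the conference fee to my card 4111 1111 1111 1111, expiry 09/27.
Our purchase order reference is 1234567890123456 (not a card).
Receipt line already masked by the EPOS system: 411111******1111 approved.
Colleague's Amex: 3782-822463-10005
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_EMAIL):
        print(f"line {f['line']}: {f['length']}-digit card number {f['masked']}")
```

Run against the sample, the script reports the Visa number on line 1 and the Amex number on line 4, skips the order reference (which fails the Luhn check) and ignores the receipt line that is already masked to six-plus-four. The Luhn filter removes most accidental digit runs but not all, numbers split across lines or held in images will not be found, and the script looks only for the card number, not for expiry dates or security codes, so treat its output as a prompt for the reporting step above rather than a complete audit. When you report a find, quote only the masked form, never the full number.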