
PCI-DSS requirements and procedures for those taking card payments

If you are doing any of the following tasks on behalf of the University:

  • Taking card payments
  • Working with systems or system components that take card payments
  • Working with data that contains card information

then you must complete the online PCI-DSS training before you begin the task.

If you are unsure whether you need to take the online PCI-DSS training, please contact Campus Card systems (campuscard@reading.ac.uk).

When working with card payments or card data within the University you must, as a minimum, follow the requirements listed below, plus any additional requirements set by your own department:

  1. At the beginning of your shift each day, before using the Chip and PIN device, check that it has not been tampered with. Obvious signs of tampering are extra devices or cables that have been added to the unit, missing or changed security labels, broken or differently coloured casing, or other changes to the external markings. If anything appears wrong with the device, contact Campus Card systems (campuscard@reading.ac.uk) or your line manager, and do not use the machine until Campus Card systems have checked it and confirmed it is safe to use.
  2. If anyone who is not a member of the Campus Card systems team attends your site to repair or replace the Chip and PIN reader, contact Campus Card systems or your line manager before using the device.
  3. If you receive a new card machine, email Campus Card Systems with the following details: the make and model of the device, the location where it will be used, and its serial number. Campus Card systems record this information in the University's inventory of card reader devices so that the University meets its PCI-DSS obligations.
  4. Do not install, replace or return a device without verification from Campus Card systems.
  5. If you notice anyone behaving suspiciously while card payments are being processed (for example, people trying to watch or video others entering their PIN, or people unplugging Chip and PIN devices), contact your line manager or Campus Card systems as soon as it is safe to do so.
  6. When taking payment by Chip and PIN, do not look at the machine while the customer types in their PIN.
  7. Do not store card data (including writing it down or printing it on a receipt) or send it to anyone (by email, text, Teams, etc.). The only card details that may be kept or passed on are the first 6 and last 4 digits of the card number and the expiry date; the full card number and the security code (CVV) must never be kept. This rule applies at all times, including when gathering information to deal with a customer issue.
  8. When taking card details by telephone, type them directly into the payment interface (or directly into the Chip and PIN device) as the customer reads them out. Do not write them down to process later.
  9. When taking payments by telephone, do not repeat the customer's card details aloud; you do not know who is listening.
  10. Chip and PIN readers, and any devices connected to them, are only to be used for the purpose they were designed for, and only in the way instructed by your line manager.

System administrator and line manager responsibilities

Before any member of your team takes credit/debit card payments, or works on a system or system component that takes card payments on behalf of the University, you must make sure they have first completed the mandatory online PCI-DSS training. If you are unsure whether they need to take the online PCI-DSS training, please contact Campus Card systems (campuscard@reading.ac.uk).

You will also need to follow these requirements:

1. If you have not already done so, subscribe to the University's PCI-DSS report, which shows who has completed the online training, so that you can confirm staff are permitted to work with card payments in your area.

2. If a member of staff leaves your department (or moves to a role that no longer requires it), deactivate their access to card payment systems and card data immediately.

3. Contact Campus Card Systems before you change any of your payment procedures or systems, so that the change can be checked against PCI-DSS requirements before it is implemented.

General procedure for loss of Card holder data

If we have a data breach that results in the loss of card holder data, follow the steps below:

1. Contact Campus Card systems (campuscard@reading.ac.uk) immediately, stating:

  • Where the data breach occurred
  • When it occurred, and whether it has been fixed yet
  • How many people have been affected

2. Leave the compromised systems alone: do not access or alter them in any way. For example, do not log on to them or change any passwords.

3. Do not turn compromised systems off (switching them off destroys evidence held in memory); instead, unplug the network cables to disconnect them from the network.

4. Back up immediately: carry out a back-up of the affected systems to preserve their current state and logs as evidence.

5. Do not take card payments until Campus Card systems have informed you that it is safe to do so.

Once Campus Card systems have this information, a member of the team will notify the relevant Merchant Acquirer of the incident and seek further advice. Depending on the type of card holder data breach, the Campus Card systems team will also contact any relevant University department or external service provider the University uses for card payments.

General procedure for loss of card holder data for EPOS Systems

If we have a data breach on an EPOS system that results in the loss of card holder data, follow the steps below:

1. Contact Campus Card systems (campuscard@reading.ac.uk) immediately, stating:

  • Which till the data breach happened on
  • The transaction number or numbers involved in the data breach
  • The serial number of the card machine attached to the till

2. Do not switch off the till, and do not use it until Campus Card systems tell you to do so.

3. Do not take card payments until Campus Card systems have informed you that it is safe to do so.

Once Campus Card systems have this information, a member of the team will notify the relevant Merchant Acquirer of the incident and seek further advice. The Campus Card systems team is responsible for recording any reference numbers from the Merchant Acquirer in the IT helpdesk system, under the category PCI-DSS, so that all information about the incident is recorded electronically in one place. For all types of card holder data breach involving the EPOS system, the Campus Card systems team will also contact the following:

IT department - To make sure that the EPOS VLAN is working correctly.

MCR systems - To make sure the EPOS hardware and software is not compromised

Audit - To make sure all University policy has been followed

IMPs - To determine whether we have a legal requirement to report the compromise to any other party.

MCR systems will also be asked to confirm that all data has been backed up in accordance with our current contract with them.

Last update 13th January 2023