Payment Card Industry Security Standards Council
For the University to take payments by credit or debit card we have to follow the standards set by the PCI Security Standards Council. PCI-DSS stands for the Payment Card Industry Data Security Standard and is the set of rules we must follow when processing credit/debit card payments.
For more information on what is required to meet PCI Standards check out their Frequently Asked Questions
If an organisation that takes credit/debit card payments is non-compliant with PCI-DSS it can incur penalties for taking payment by credit/debit card. If an organisation suffers a data breach that results in the loss of cardholder data because it has not been following its PCI-DSS requirements, the fines can be huge. Because of the potential for fines it is in the University's interests to make sure that it meets its PCI-DSS requirements.
PCI-DSS at the University
The responsibility for looking after and coordinating the University's PCI-DSS obligations lies with the Campus Card Systems team. In addition to the Campus Card Systems team there is a PCI-DSS group, made up of interested parties from around the University, that meets to discuss our PCI-DSS requirements.
The University has to register its PCI-DSS processes with each of its Merchant Acquirers. A Merchant Acquirer is a company that processes each card payment and makes sure the money received from card payments is deposited in our bank. The Merchant Acquirer also acts as our primary point of contact for PCI-DSS compliance, and we must complete a separate PCI-DSS assessment with each of our Merchant Acquirers. The assessments also depend on how we process card payments: for example, we need one for our EPOS system and another for our online shop, because each handles card data in a different way.
PCI-DSS and your responsibilities
If you are responsible for staff who take credit/debit card payments for the University, you are responsible for ensuring that they have received the necessary training. If you are a member of staff who takes credit/debit card payments for the University, you must be trained on how to take these payments; if you have not been, please speak to your line manager. The University's latest PCI-DSS requirements and procedures can be found here.
If you plan to purchase any system or hardware to take credit/debit card payments, you must speak to either the Campus Card Systems team or the Treasury team (email@example.com) before the purchase is completed.
If you have ordered replacement hardware that is designed to take card payments, you must inform the Campus Card Systems team so that their inventory of such devices is kept up to date, as required by the University's PCI-DSS responsibilities.
If you find complete credit/debit card details (a full card number, together with any expiry date or card security code (CVV) held with it) in emails, electronic or paper documents, or stored within a system you control, remove or securely destroy them as soon as you discover them. The only exception is a system that masks the middle digits of the card number so that no more than the first 6 and last 4 digits are revealed; a number masked in that way may be retained. The card security code must never be retained after a payment has been authorised, masked or not. If you need any further advice on this, please email firstname.lastname@example.org
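The following is an added example, not a tool from the University or the PCI Council, showing how a simple scan for stored card numbers can be implemented: candidate digit runs are extracted from text, checked with the Luhn algorithm that all card numbers satisfy, and reported in the masked first-6/last-4 form so the report itself does not become another copy of the data. The document set, file names and numbers are constructed for the example (the numbers are publicly known test card numbers, not real accounts); in practice the scan would be run over exported mailboxes, file shares or database dumps.

```python
import re
from typing import Dict, List

# Constructed sample "documents" (not real card data; the card numbers are the
# well-known Visa and Mastercard test numbers, which pass the Luhn check).
SAMPLE_DOCS: Dict[str, str] = {
    "email_1.txt": "Hi, please charge 4111 1111 1111 1111, exp 12/26, CVV 123 for the fee.",
    "invoice_7.txt": "Ref 2023-001; phone 0161 275 2000; amount 45.00",
    "pos_log.txt": "2024-05-01 12:00:01 sale OK card 5500 0000 0000 0004 auth 123456",
    "masked_export.csv": "411111******1111,2024-05-01,45.00",
}

# A run of 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to further digits (so a longer reference number is not split).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check digit validation used by all payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the unformatted card numbers found in a piece of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask a card number so only the first 6 and last 4 digits remain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_documents(docs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each document that contains card numbers to their masked forms."""
    report = {}
    for name, text in docs.items():
        pans = find_pans(text)
        if pans:
            report[name] = [mask_pan(p) for p in pans]
    return report


if __name__ == "__main__":
    for name, masked in scan_documents(SAMPLE_DOCS).items():
        print(f"{name}: {', '.join(masked)}  <- remove or securely destroy")
```

Note that the already-masked export is not reported, because the asterisks break the digit run; that is exactly the form the exception above allows. A Luhn check removes most false positives (roughly nine in ten random digit runs fail it), but a scan like this is a finding aid, not proof of absence: card numbers split across lines, stored in images, or encoded will not be found, and any hit still needs a person to confirm it and act on it.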
Make sure you have received PCI-DSS training from your line manager before taking card payments, and keep up to date with the University's latest PCI-DSS requirements and procedures here.