PCI-DSS requirements and procedures for those taking card payments

Before taking credit/debit card payments on behalf of the University, you must first complete your training with your line manager.

In general, you need to follow the guidelines listed below; your individual department may have additional requirements as well:

  1. At the beginning of your shift each day, before using the Chip and PIN device, make sure it has not been tampered with. Obvious signs of tampering are extra devices or cables that have been added to the unit, missing or changed security labels, broken or differently coloured casing, or other changes to external markings. Once you have checked the device and are satisfied that it has not been tampered with.
  2. If there appears to be anything wrong with the device, contact Campus Card systems (campuscard@reading.ac.uk) or your line manager. Do not use the machine until Campus Card systems have checked the device and say it is safe to use.
  3. If any person who is not a member of the Campus Card systems team attends your site to fix or substitute the Chip and PIN reader, contact Campus Card systems or your line manager before using this device.
  4. If you notice anyone suspicious (for example, people trying to watch or video others entering their PIN numbers, or people unplugging Chip and PIN devices) when credit/debit cards are being processed, please contact your line manager.
  5. When taking payment by Chip and PIN, do not look at the Chip and PIN machine when the customer types in their PIN number.
  6. Never write down, email or text someone's credit/debit card details or the CSV from a customer's credit/debit card. If a customer experiences an issue with a credit/debit card, you can email Campus Card systems the last four digits only of their credit card.
  7. When accepting credit card details by telephone, type everything directly into the till interface (or directly into the Chip and PIN device); do not write them down to process later.
  8. When accepting payments by telephone, do not repeat aloud a customer's card details; you do not know who is listening.
  9. All Chip and PIN readers, or devices connected to a Chip and PIN reader, are only to be used for the purpose they have been designed for, and you will only use these devices in the way instructed by your line manager.

General procedure for loss of Card holder data

If we have a data breach that results in the loss of card holder data then follow steps 1 & 2 of the procedure:

1. Contact Campus Card systems (campuscard@reading.ac.uk) immediately, stating:

  • Where the data breach has occurred
  • When it occurred, and whether it has been fixed yet
  • How many people it has affected

2. Leave the compromised systems alone - don't access them or alter them in any way. For example, don't log on or change your passwords.

3. Don't turn off compromised systems - instead, unplug any network cables to disconnect them from your network.

4. Back up immediately - carry out a back-up of your systems to preserve their current state.

5. Do not take card payments until you have been informed that it is safe to do so by Campus Card systems.

Once Campus Card systems has this information, a member of the team will then contact the relevant Merchant Acquirer about the incident for further advice. Depending on the type of card holder data breach, the Campus Card systems team will also contact any relevant University department or external service provider the University uses for card payments.

General procedure for loss of card holder data for EPOS Systems

If we have a data breach that results in the loss of card holder data then follow the steps of the procedure below:

1. Contact Campus Card systems (campuscard@reading.ac.uk) immediately, stating:

  • Which till the data breach has happened on
  • Transaction number or numbers of the data breach
  • Serial number of the credit card machine attached to the till

2. Do not switch off the till or use it until told to do so by Campus Card systems.

3. Do not take card payments until you have been informed that it is safe to do so by Campus Card systems.

Once Campus Card systems has this information, a member of the team will then contact the relevant Merchant Acquirer about the incident for further advice. It will be the duty of the Campus Card systems team to record any reference numbers from the Merchant Acquirer into the IT helpdesk system, under the category PCI-DSS, so that all information about the incident can be recorded electronically in one area. For all types of card holder data breach with the EPOS system, the Campus Card systems team will also contact the following:

IT department - To make sure that the EPOS VLAN is working correctly.

MCR systems - To make sure the EPOS hardware and software is not compromised.

Audit - To make sure all University policy has been followed.

IMPs - To see if we have a legal requirement to report a compromise to any other party.

MCR systems will also be requested to make sure that all data has been backed up according to our current contract with them.

Are you a department looking to take payments online?

Download Now

Once you have filled in the relevant form, please send it to the email address below along with any supporting images.

Contact us

Email: ecommerce@reading.ac.uk