Card payment security information
This webpage gives information to University staff regarding the required security measures for taking or storing credit or debit card holder information related to card payments. The University must comply with the Payment Card Industry Data Security Standard (PCI DSS).
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard designed to protect payment card data. This worldwide, common set of security requirements was developed by the five main card brands (Visa, Mastercard, American Express, JCB and Discover) and is managed by an independent body, the PCI Security Standards Council (PCI SSC). It was developed to provide a unified approach to safeguarding sensitive cardholder data against compromise and fraud. The standard applies to all technical and operational components of the systems, processes and people that store, process or transmit cardholder data, or that are connected to those systems.
Why is it important?
The University processes large amounts of card payments every year and as a result the threat of payment card fraud can be significant. A breach in the security of card holder data may result in significant reputational and financial risk (penalties, fines, loss of income). Card data is sensitive, and the University needs to ensure our customers and stakeholders have reassurance that we safeguard any information that we may be privy to regarding their card data.
What is card holder data?
Card holder data is:
- Cardholder data (CHD): the Primary Account Number (PAN) printed on the front of the card, together with the cardholder name, expiry date and service code. The PAN is the element that makes the other data sensitive; if it is not present, the remaining data is not treated as cardholder data under PCI DSS.
- Sensitive Authentication Data (SAD): the three or four-digit card security code printed on the front or back of the card (CVV2/CVC2/CID), the full contents of the magnetic stripe or chip, and PINs or PIN blocks. SAD must never be stored after a transaction has been authorised, even if encrypted, and must not be written down or kept in emails, spreadsheets or call recordings.
- The Personal Identification Number (PIN) entered by the cardholder, which is itself a form of SAD and must never be requested from or recorded for a customer.
Depending on how your department takes payment, you may:
- Obtain this information from customers over the phone, by fax or by post when processing Cardholder Not Present (CNP) transactions
- Take payment face to face, where the customer physically presents the card
Who is it relevant to?
PCI DSS is relevant to all members of the University that process, transmit or handle card holder data.
- Process: the steps taken when putting a transaction through. This includes how the data is collected and what is done with it while it is in our possession.
- Transmit: how we connect to, or pass information to, our acquiring bank (this is managed by IT/Finance at set-up).
- Handle: dealing with or having responsibility for card payments in any form, including what happens to the data after it has been collected, stored or transmitted.
What are your obligations as a University employee, and how is PCI DSS relevant to you?
Members of staff involved in any way in handling, processing or transmission of card holder data must be aware of the importance of PCI DSS and undergo training in order to ensure that the University maintains a secure environment for all card holder data.
Managers are responsible for ensuring that their staff are fully trained on all relevant aspects of PCI DSS, and that any updates or changes to the standard's requirements are communicated and understood. Managers are also responsible for ensuring that, where logs or registers of card-handling activity and devices are required, they are maintained and kept up to date.
If you are thinking of taking card payments (for example, using a PDQ card terminal), you must contact us before doing so, so that we can confirm the device and the payment process are compliant.
What are the University's obligations?
Compliance with PCI DSS is mandatory for any organisation that stores, processes or transmits payment cardholder data. If the University does not comply with PCI DSS, we are at risk of:
- Fines and penalties from our acquirer/bank
- An increased likelihood of a security breach, and of a breach going undetected
- Increased transaction fees levied by the bank
- Losing the University's ability to accept card payments
The University must report its compliance annually to our acquirer/bank (Barclaycard), which in turn reports our status to the card schemes.