Payment Card Industry Data Security Standards (PCI DSS) Compliance

The procedures outlined below deal with the controls required over the transmission, processing, and storage of all data and information received in respect of all card receipts accepted by the University.

Please refer to the Information Security Policy.

The management and control of data and information received in respect of cards at the University involves departments and the Finance Department.

Online Payments

The University has multiple online payment platforms, provided by third party payment service providers, for processing payments. Customers should be directed to these online platforms to process payments.

Upon successful payment, an email receipt is sent to the customer confirming that the payment was successful, with any card information masked.

No card information is stored on the University network during the online payment process.

Face to face (Customer present)

There are two methods by which face to face payments can be made, EPOS and Non-EPOS:
</grest_replace>
<gr_replace lines="21-23" cat="clarify" orig="• EPOS">
  • EPOS (Electronic Point Of Sale) - Payment can be made at an EPOS location across the University campus. Sales are entered into the EPOS system and the total amount due is paid at the terminal connected to the till. Customers can process card payments using either chip & PIN or contactless technology. Under no circumstances should the member of staff processing the transaction:
    • record the data from a card
    • physically handle the customer’s card

  • EPOS (Electronic Point Of Sale) - Payment can be made at an EPOS location across the University campus. Sales are entered into the EPOS system and the total amount due paid at the terminal connected to the Till. Customers can process card payments using either chip & PIN or contactless technology. Under no circumstance should the member of staff processing the transaction:
    • record the data from a card
    • physically handle the customer’s card

Receipts are only to be issued at the request of the customer, and no copies of receipts are to be stored.

  • Non-EPOS - Approved departments can take payment at non-EPOS locations. Sale amounts are entered directly into the card terminal for the customer to pay by either chip & PIN or contactless technology. Under no circumstances should the member of staff processing the transaction:
    • record the information from a card
    • physically handle the customer’s card

Receipts are only to be issued at the request of the customer, and no copies of receipts are to be stored.

MOTO (Mail Order/Telephone Order) (Customer not present)

Under no circumstances should the University accept payment by mail, e-mail or telephone.

  • Mail (Post) – If card details are received through the postal service, they must be shredded and disposed of in the confidential waste immediately. The customer should be contacted to make arrangements to pay in person or via the available online platform.
  • Email – If card details are received by email, the email must be deleted immediately from the inbox and subsequently deleted from the deleted items folder. Information Governance are to be contacted immediately to begin the process of removing the email from the servers. The customer can be contacted in a new email thread advising them to pay in person or via the available online platform.
  • Telephone – Payments should not be taken over the telephone. Customers should be advised to make payment in person or via the available online platform.