Payment Card Industry Data Security Standards (PCI DSS) Compliance

The procedures outlined below deal with the controls required over the transmission, processing, and storage of all data and information received in respect of all card receipts accepted by the University.

Please refer to the ‘Information Security Policy – Responsibilities of Staff’ at http://www.aber.ac.uk/en/infocompliance/policies/securitystaff/

The management and control of data and information received in respect of cards at the University involves both individual departments and the Finance Department.

The key controls over card data are as follows:


Receiving or obtaining card data

Card data should be received by appropriate methods only: preferably through face-to-face (chip & PIN) transactions, where the customer is present and enters their card details directly into the card terminal, or via the online payments system.

Receiving card payments where the customer is not present is discouraged, but where it is necessary the preferred method is to take the card details by phone and enter them immediately into the card terminal.

Card details must never be sent by email or by any other electronic method, or be entered into any online payment system other than the one approved by the University.

Telephone recording systems must not keep a record of card data (e.g. on tape); any such recording must be destroyed as soon as practicable, or software must be used to mask the card information.

Do not request card data, in any form, by non-secure means such as internal mail or e-mail.

Transmitting card data (to remotely held card terminals)

Where personal card data has to be transmitted (from the order-taking / receiving location to the card-processing location), the card data must be recorded on ‘card authorisation forms’, and the forms must be kept secure at all stages of the transmission. These forms should show the card data at the bottom of the form, where it can easily be removed and destroyed after authorisation.

Sending card authorisation forms to the Central Cash Office must be by hand.

Where card authorisation forms are to be transmitted to card terminals held in departments, they must be hand delivered. Card data must be treated as if it were cash.

Do not transmit card authorisation form data via email or any other electronic method, or send the forms by internal or external post.

Storing card data

Sensitive card data, such as card numbers, start/expiry dates and the security number on the back of payment cards, must never be retained after being used for processing.

All records of card security details or authentication data must be destroyed. The bottom of the card authorisation form, where such card details are recorded, must be cut off and shredded or destroyed by other means.

Track data from the magnetic stripe, the magnetic stripe image on the chip, or elsewhere (card electronic data) must never be stored.

The rest of the ‘card authorisation form’, and till rolls supporting card transactions, can be stored, as long as they are held with access restricted to authorised personnel only; such storage must be reported to the Finance Department.

All past records must be reviewed to ensure that no card data has been retained, unless it is stored securely with restricted access for a specific need agreed by the Finance Department. If no such agreement is in place, please seek guidance immediately.

Card data received and processed online

Only the University-approved online payment facility must be used for card payments made online.

EPOS systems must comply with PCI DSS requirements and with this policy, where applicable.

Do not transmit card data over the University network.