UWE PDQ Management Policy - University of the West of England

University of the West of England, Bristol
PDQ (Process Data Quickly) Management Policy and Procedure
Version   Issue Date    Author            Detail
0.1       18/11/2014    Sue Bressington   Initial draft
0.2       01/01/2015    Sue Bressington   Final draft
0.3       26/01/2015    Sue Bressington   Final document
0.4       04/02/2015    Sue Bressington   Update to include Merchant Account requirements
Contents
Executive Summary ..... 3
1 Background ..... 4
1.1 PDQ types and connection options ..... 4
1.2 Scope ..... 4
1.3 Security requirements ..... 4
2 Responsibilities ..... 5
3 PDQ application process ..... 6
3.1 Application process for ordering a PDQ ..... 6
3.1.1 Requesting a new PDQ terminal for your outlet or service ..... 6
3.1.2 Requesting a temporary PDQ for an event ..... 6
3.2 Removing a PDQ terminal from your outlet or service ..... 6
3.2.1 Removing/de-commissioning a PDQ terminal from your outlet or service ..... 6
3.2.2 Returning a PDQ terminal ..... 6
3.2.3 Cancelling a merchant account ..... 6
3.3 Making changes to a PDQ terminal in your outlet or service ..... 6
3.3.1 Replacing an old or faulty PDQ terminal ..... 7
3.3.2 Moving a PDQ terminal to another location ..... 7
4 Decision-making and approval process for PDQ applications ..... 7
4.1 Approval of new PDQ applications ..... 7
4.2 Rejected PDQ applications ..... 7
5 PDQ Cost recharges – hire charges and transaction charges ..... 7
6 PDQ Inventory ..... 8
6.1 Annual audit of devices ..... 8
7 PDQ Training ..... 8
7.1 PDQ use and security ..... 8
8 Merchant Account (MID) control ..... 9
8.1 Barclaycard (Merchant Acquiring Bank) ..... 9
8.2 American Express (AMEX) ..... 9
Finance Document
Page 2 of 9
Executive Summary
The University of the West of England has an obligation to protect confidential cardholder data through
compliance with the Payment Card Industry Data Security Standard (PCI DSS), version 3.0. Therefore, the
secure processing of card payment transactions using card terminals is key to achieving compliance.
Failure to comply with this policy could result in cardholder data becoming compromised, data security breaches,
substantial fines, severe reputational damage and/or the loss of income, and/or the removal of PDQ machines.
The purpose of this policy/procedure is to set out the University’s requirements with regard to the management
and change control of all card terminals (PDQ’s) in use, whilst considering its obligations under PCI DSS. It applies
to all outlets and services within the University that process card payments via a PDQ.
This policy is intended to be compatible with, and should be read in conjunction with, the UWE PCI DSS Policy, the IT Security Policy,
the UWE Data Protection Policy, and the associated financial processes and financial control framework.
Note: wherever a statement in this policy refers to ‘Card’, the statement applies to credit, debit, charge, and
procurement cards, unless specifically stated otherwise.
1 Background
1.1 PDQ types and connection options
Chip and PIN machines / devices are more commonly known as PDQ terminals (or PDQ’s). They are used to
process debit or credit card payment transactions, face-to-face, where the customer is present.
There are several types of PDQ terminal:
• The counter top machine is for use in point of sale transactions and uses a telephone or
broadband connection
• Portable terminals use Bluetooth technology and are common in cafés, restaurants, bars or
wherever a PDQ terminal is taken to the customer to carry out a transaction
• The mobile terminal uses a SIM card and GPRS to allow payments away from business
premises
PDQ’s may be connected to an IT network infrastructure by any of the following means:
• Shared phone line between your phone and your card machine(s). This option means you
can't use both at the same time.
• Separate phone lines for each card machine and your phone. This provides a faster process
than a shared line and won't prevent you receiving calls during transactions. However,
sharing a line between two card machines means you won't be able to use both devices
simultaneously
• Broadband offers an even faster connection and you don't need a dedicated phone line.
Your card machine simply plugs into your router
• Mobile GPRS network connection allows your machine to work similar to a mobile phone.
It has a SIM card and doesn't need a phone line or broadband connection, so you can use it
on the go
Online Payments are the University’s preferred method and best practice for taking payments. Customers are
encouraged to make payment for goods and services themselves using the Online Store or the online
payment facilities provided by the University.
However, where the customer is present and able to enter their card directly into a card terminal, payment
by PDQ is acceptable. Customers will be able to verify and authorise the transaction by entering their PIN.
The full card number (PAN) is not displayed on the merchant or customer copy of the receipt.
1.2 Scope
The main service areas to which this policy applies are:
• Outlets and services responsible for processing payment transactions using PDQ’s
• Finance - Income Office
• IT Services
• Merchant acquirer (Barclaycard)
1.3 Security requirements
It is imperative that adequate security measures for the device are deployed, not only whilst in use, but also
whilst not in use, in order to deny unauthorized access, and to mitigate the risk of the device being tampered
with.
Note: Real-time fraudulent activity includes the act of device skimming. Skimming is the unauthorized capture
and transfer of payment data to another source. This is a serious threat which can hit any merchant’s
environment, and is used to steal payment data directly from the consumer’s payment card or from the
merchant’s payment system infrastructure.
Therefore, devices must be properly supervised when in use, and must not be removed from staff view. They
must also be securely stored in a locked receptacle when not in use. Access to the locked receptacle should
be restricted to appropriate staff, as determined by the outlet or service’s manager.
Any confirmed or potential breaches of security should be dealt with in accordance with the Incident
response plan as stated in the PCI DSS policy.
Failure to observe this requirement may result in the theft of cardholder data, and money being taken from
student/customer bank accounts. Therefore, a breach will be taken very seriously, and reported to the
relevant Head of Service / Director of Finance and Planning for a decision on the action to be taken.
2 Responsibilities
The key responsibilities in connection with the PDQ management policy are given below:
The Director of Finance and Planning has ultimate responsibility for this policy.
Finance Business Systems is responsible for:
• Maintaining the PDQ management policy in accordance with PCI DSS developments and policy
The Head of Financial Services must ensure that:
• The controls over the management of PDQ’s are effective, relevant and secure, and regularly reviewed
• The Director of Finance and Planning is advised if an investigation of material non-compliance is
required
The Income Office Manager has overall responsibility for:
• Maintaining a comprehensive and complete inventory of all PDQ’s in use throughout the University
• Completing an annual audit of PDQ terminals in use throughout the University
• Ensuring that PDQ’s are only authorised and allocated in accordance with the PDQ application process
as stated in this policy
• Ordering PDQ’s from Barclaycard
• Reporting all changes (including new allocations, removal of equipment, location changes, PDQ
hardware updates) to the Treasury Manager
• Returning old/obsolete equipment to Barclaycard in a timely manner
• Cancelling obsolete merchant accounts in a timely manner, and ensuring that future charges are not
made
• Retaining PDQ hire agreements
• Ensuring that the PDQ management policy is strictly adhered to
The Treasury Manager has overall responsibility for:
• Maintaining relations with Barclaycard regarding PDQ’s
• Recharging transaction and hire costs to relevant cost centres on a regular basis and cross-checking them against
agreed hire charges
Outlet/Service Managers that use PDQ’s have overall responsibility for:
• Ensuring that all PDQ terminals are managed in accordance with this policy
• Reporting any changes to the Income Office Manager in a timely manner
• Regularly assessing whether continued use of a PDQ is financially viable
• Returning obsolete equipment to the Income Office Manager in a timely manner
• Removing staff access upon leaving their employment or role
• Ensuring that all PDQ’s are adequately secure both when in use, and when not in use
• Ensuring that all staff required to use the PDQ are adequately trained
• Ensuring that all staff who process card payment transactions via PDQ understand this policy, and
adhere to the guidelines within
• Co-operating with the annual audit of PDQ terminals as and when requested
• Maintaining an up-to-date training log for PDQ users, covering user instructions and security
3 PDQ application process
3.1 Application process for ordering a PDQ
All requests for a new PDQ to be installed at an outlet or service area, be it temporary or permanent,
must be made via a completed and authorized application form (see PDQ1).
Note:
Application forms must be authorized by the Outlet/Service Manager – this is the approval to apply.
The final authorization (required by the Income Office Manager), is the approval (or rejection) to proceed
with installing a PDQ terminal at that location, be it temporary or permanent.
3.1.1 Requesting a new PDQ terminal for your outlet or service
If a new PDQ is required for an outlet or service, form PDQ1 should be completed, authorized by the
outlet/service manager, and submitted to the Income Office.
The Income Office Manager will then undertake a series of checks on the application, before
authorization to proceed is considered. Checks include the completeness of information required,
feasibility/financial viability and authorization to proceed with the application. However, financial
viability will be balanced with customer satisfaction or lack of availability of alternative payment
methods. Managers are required to consider how much the terminal will cost before deciding on
whether to install one.
3.1.2 Requesting a temporary PDQ for an event
If a PDQ is required for a one-off event, it may be hired for that event via the Income Office. Form PDQ1
should be completed, authorized by the Outlet/Service Manager, and submitted to the Income Office no
later than 14 days prior to the event start date.
The Income Office Manager will authorize the loan, and will also require the Outlet/Service Manager to
‘sign out’ the PDQ terminal, agree a date for its return, and ‘sign in’ the terminal upon return (using a
Portable Card Terminal Loan log). The terminal should be returned on, or before the agreed date.
During the hire period, the Outlet/Service Manager will be responsible for the safe use and security of
the device.
3.2 Removing a PDQ terminal from your outlet or service
All requests to remove an existing PDQ from an outlet or service area must be made via a completed
and authorized PDQ removal request form (see PDQ2).
3.2.1 Removing/de-commissioning a PDQ terminal from your outlet or service
The Income Office Manager will review the removal request and ensure it is appropriately authorized by
the relevant Outlet/Service Manager. Confirmation will be required as to why the terminal is being
removed, and what other means of payment (if any) are on offer at the location.
3.2.2 Returning a PDQ terminal
Once the authorisation to remove a device has been granted, Outlet/Service Managers should arrange
for the PDQ to be returned to the Income Office as soon as possible, and no later than one week after
the request has been approved. The Income Office Manager will then agree with Barclaycard whether
the device is to be returned or redeployed to another location, before physically carrying out the
return/redeployment in accordance with Barclaycard’s instructions.
3.2.3 Cancelling a merchant account
Once the authorisation to remove a device has been granted, the Income Office Manager will make the
necessary arrangements to cancel a merchant account with Barclaycard, and stop the associated
charges being raised.
3.3 Making changes to a PDQ terminal in your outlet or service
All requests to make changes to an existing PDQ at an outlet or service area (including equipment
upgrades and moving a terminal to another location) must be made via a completed and authorized PDQ
change control form (see PDQ3). It is perfectly acceptable for Outlet/Service Managers to deal with
Barclaycard directly when devices are faulty/need replacing; however, it is essential that the changes
made are reported to the Income Office Manager via the PDQ3 form, within 5 working days of the
change.
3.3.1 Replacing an old or faulty PDQ terminal
All requests to replace a PDQ terminal, whether faulty or not, should be recorded on the PDQ3 change
control form, together with reasons for the request and the impact of not doing so. This form should
also be completed to report changes made where Managers have dealt with Barclaycard directly.
The Income Office Manager will review the change request and ensure it is appropriately authorized by
the relevant Outlet/Service Manager, prior to contacting Barclaycard if applicable.
The Income Office Manager should forward details of the replacement to the Treasury Manager, who
will ensure that the merchant account charge records are accurate and up-to-date.
3.3.2 Moving a PDQ terminal to another location
All requests to permanently move a PDQ terminal from one location to another should be recorded on
the PDQ3 change control form, together with reasons for the request and the impact of not doing so.
The Income Office Manager will review the move request and ensure it is appropriately authorized by
the relevant Outlet/Service Manager. Confirmation will be required as to why the terminal is being
moved, and what other means of payment (if any) are on offer at the location. When satisfied that the
request has been properly completed and authorized, the Income Office Manager will authorize the
device to be permanently moved.
The relevant Outlet/Service Manager will be notified of this decision, and provided with information on
how to proceed.
Note: This does not include temporary loan devices.
4 Decision-making and approval process for PDQ applications
Applications for new PDQ’s will be reviewed by the Income Office manager, on an individual basis.
Consideration will be given to the feasibility/financial viability of installing a device at the location, together
with other key information (such as terminal type, connection type, Management approval etc).
Whilst every effort will be made to provide the service requested, the Director of Finance and Planning
reserves the right to refuse an application based upon the above approval criteria.
4.1 Approval of new PDQ applications
As part of the approval process, Outlet/Service Managers will be required to accept the cost of hiring the
device, and associated transaction charges to their cost centre. This information will be provided by the
Treasury Manager, prior to the device being installed.
Should Managers not agree to the charges against their cost centre, approval to install the PDQ device will be
withdrawn.
4.2 Rejected PDQ applications
The Income Office Manager will notify Outlet/Service Managers of rejected applications, providing the
reason(s) for the rejection. Should this present a problem, the Manager should contact the Income Office
Manager to discuss further.
5 PDQ Cost recharges – hire charges and transaction charges
PDQ hire charges range from around £17 to £30 (incl VAT) per month, depending on the type of device.
Transaction charges are made by Barclaycard for every transaction processed. The rates per transaction are
as follows:
• Debit card (Non-international) – a set transaction charge is applied for every transaction regardless of its
value; this is set by Barclaycard and is approximately 15p
• Debit card (International) – a percentage of the value taken for each transaction
• Credit card – a percentage of the value taken for each transaction
The percentages charged for Credit Cards and International Debit Cards currently range between 1.09% and
1.75%, with International, Premium and Commercial cards being the most expensive (1.75%).
6 PDQ Inventory
The Income Office Manager will maintain a comprehensive and up-to-date PDQ inventory, which will be
located on the shared directory S://FIN/Finance/Income Office/PDQ terminals.
All new PDQ’s allocated, removed, and changed will be recorded by the Income Manager within 5 working
days of the change taking place.
6.1 Annual audit of devices
The Income Office Manager will perform an annual audit on the inventory, by sending out a simple data
request form to each outlet/service area recorded, to confirm that the details held are accurate. All
outlets/service areas are required to respond within 5 working days, therefore a deadline for completion
and submission of the form should be provided.
Devices will be periodically inspected by the Income Office Manager, to confirm that the Terminal ID (TID) is
as recorded. This is important to ensure that the official device has not been substituted with one that has
been tampered with. Any incidents identified will be reported in accordance with the PCI DSS policy’s
Incident Response procedure.
7 PDQ Training
Outlet/Service Managers are responsible for ensuring that all staff required to use the PDQ terminal are
adequately trained. Users must also be aware of this policy and the PCI DSS policy, to ensure that the security
of cardholder data is protected.
7.1 PDQ use and security
Users should be trained in accordance with the manufacturer’s instructions on how to use the device. This
should be undertaken prior to being allowed access to the device.
All staff responsible for transacting card payments via a PDQ terminal must also be adequately trained in PCI
DSS requirements and PDQ management requirements.
Managers must maintain an up-to-date training log of all training provided to staff, which should be available
for inspection by the Director of Finance and Planning and/or relevant staff upon request. This training must
be provided during staff induction and refreshed on an annual basis.
Training should include the following:
• How/why to verify the identity of any third-party persons claiming to be repair or maintenance
personnel, prior to granting them access to modify or troubleshoot devices;
• The correct procedures for installing, replacing, or returning devices;
• Reminder to be aware of suspicious behaviour around devices (for example, attempts by unknown
persons to unplug or open devices);
• How/where to report suspicious behaviour and indications of device tampering or substitution to
appropriate personnel (for example, to a manager or security officer);
• Reminder to be aware of the signs that a device might have been tampered with or substituted; these include
unexpected attachments or cables plugged into the device, missing or changed security labels, broken or
differently coloured casing, or changes to the serial number or other external markings.
Managers should also ensure that there are adequate controls regarding the processing of refunds, and the
security of the Supervisor’s card that allows refund transactions to be completed.
Failure to observe this requirement may result in the theft of cardholder data, and money being taken from
student/customer bank accounts. Therefore, a breach will be taken very seriously, and reported to the
relevant Head of Service / Director of Finance and Planning for a decision on the action to be taken.
8 Merchant Account (MID) control
In order for the University to collect its income by debit/credit card, each PDQ must be associated with a
Merchant ID (MID). Each device has its own Terminal ID (TID), which is associated with a MID.
8.1 Barclaycard (Merchant Acquiring Bank)
The Income Office Manager is responsible for liaising with Barclaycard, to ensure that all device TID’s are
correctly associated with a MID, and that the University is not paying for MID’s it is no longer using (there is a
standard minimum charge for a MID).
8.2 American Express (AMEX)
The Income Office Manager is also responsible for liaising with American Express to ensure that each
Barclaycard MID is associated with an AMEX MID, to ensure that payment by American Express can also be
offered.
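The annual audit in section 6.1 and the MID control in section 8 both amount to reconciling the Income Office inventory against what the outlets and the acquirer actually report. The following is an added example, not part of the UWE policy or any University system: a small reconciliation script that flags a reported Terminal ID that differs from the inventory record (a possible substituted device), outlets that have not returned the data request form, merchant accounts with no active terminal (which still attract the minimum MID charge), and Barclaycard MIDs with no AMEX MID linked. The inventory column layout, the audit-response dictionary, and every TID, MID and outlet name are constructed sample values.

```python
"""Added example: reconcile a constructed PDQ inventory against annual audit
responses. Column names, identifiers and outlets are all assumptions."""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample inventory in the shape a shared-directory spreadsheet might take.
# status is "active" for a deployed terminal, "removed" once the device has gone back.
INVENTORY_CSV = """\
outlet,location,tid,mid,amex_mid,status
Student Union Bar,Frenchay,TID0001,MID1001,AMX5001,active
Coffee Shop,Glenside,TID0002,MID1002,,active
Library Desk,Bower Ashton,TID0003,MID1003,AMX5003,active
Events Loan Stock,Income Office,TID0004,MID1004,AMX5004,active
Old Print Shop,City Campus,TID0005,MID1005,AMX5005,removed
"""

# Constructed responses to the annual data request form: outlet -> TID read off the device.
# "Coffee Shop" reports a TID that is not the one on record; "Events Loan Stock" did not reply.
AUDIT_RESPONSES = {
    "Student Union Bar": "TID0001",
    "Coffee Shop": "TID0099",
    "Library Desk": "TID0003",
}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    outlet: str
    detail: str


def load_inventory(csv_text):
    """Parse the inventory CSV into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(inventory, responses):
    """Compare the inventory with audit responses and return a list of findings."""
    findings = []
    active = [row for row in inventory if row["status"] == "active"]

    # A TID recorded against two active terminals means the inventory itself is unreliable.
    for tid, count in Counter(row["tid"] for row in active).items():
        if count > 1:
            findings.append(Finding("high", "inventory", f"TID {tid} recorded against {count} active terminals"))

    for row in active:
        reported = responses.get(row["outlet"])
        if reported is None:
            findings.append(Finding("medium", row["outlet"], "no response to the annual data request form"))
        elif reported != row["tid"]:
            # Section 6.1: a TID that does not match the record may indicate a substituted device,
            # which is reported under the PCI DSS policy's incident response procedure.
            findings.append(Finding("high", row["outlet"],
                                    f"TID mismatch: inventory {row['tid']}, device reports {reported}; "
                                    "possible substitution, report under the PCI DSS incident response procedure"))
        if not row["amex_mid"]:
            # Section 8.2: each Barclaycard MID should have an AMEX MID associated with it.
            findings.append(Finding("low", row["outlet"], f"Barclaycard MID {row['mid']} has no AMEX MID linked"))

    # Section 8.1: a MID with no active terminal still attracts the standard minimum charge.
    active_mids = {row["mid"] for row in active}
    for row in inventory:
        if row["status"] != "active" and row["mid"] not in active_mids:
            findings.append(Finding("medium", row["outlet"],
                                    f"MID {row['mid']} has no active terminal; confirm it has been cancelled with Barclaycard"))
    return findings


def run_check():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(load_inventory(INVENTORY_CSV), AUDIT_RESPONSES)


if __name__ == "__main__":
    for finding in run_check():
        print(f"[{finding.severity.upper()}] {finding.outlet}: {finding.detail}")
```

On the sample data the script raises one high finding (the Coffee Shop TID mismatch), two medium findings (the missing response and the removed terminal's MID) and one low finding (the missing AMEX MID). Only the high finding is an incident under section 6.1; the others are follow-ups for the Income Office Manager and Treasury Manager.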