Card Handling Policy
Finance & Ecommerce Systems
Prepared by: Colette Elson
Issued: November 2013

November 2013 Page | 1

Contents
1. Introduction
2. Responsibility
3. The PCI Data Security Standard
4. PCI DSS Requirements
5. Receiving cardholder data
6. Processing cardholder data
7. Storing cardholder data

Note: wherever a statement in this policy refers to 'Card' the statement applies to credit, debit, charge and procurement/purchasing cards, unless specifically stated otherwise.

1. Introduction

This policy outlines acceptable use and controls set by the University of Reading with regard to receiving, processing and storing information in respect of all card payments and refunds.

We have three available channels for accepting card payments:
1. Online payments
2. Hand held 'chip and pin' card terminals, PDQs (customer present)
3. Telephone (customer not present)

As a 'Merchant' that accepts card payments the University must meet the Payment Card Industry Data Security Standard. These requirements are in place to protect cardholder data and are reinforced by the payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

2. Responsibility

It is the responsibility of all University staff to ensure the safety of cardholder data. The following procedures must be adhered to:
- Restrict card payment transactions to those staff that need access to them.
- Ensure that members of staff handling cardholder data are aware of its importance, confidentiality and the potential risk of it leaving the secure environment.
- It is strictly prohibited to send card details by email, store details via electronic methods over the University network (e.g. Excel spreadsheets, Word documents) or write them down on paper. This includes occasions when the systems may be unavailable. In this scenario the user should be informed when the systems are up and running again and asked to go back and make payment.
- The merchant copy of the payment receipt should be stored in a secure location and destroyed after 18 months as confidential waste.
- The Finance team maintain a list of all members of staff who have access or authority to use hand held 'chip and pin' terminals or PDQs. It is up to the individual departments to update Finance with details of new starters; however, there will also be annual checks put in place.

3. The PCI Data Security Standard

Introduced in 2006 after a number of high profile fraud cases, the PCI Security Standards Council was set up to act as an open global forum "responsible for the development, management, education, and awareness of the PCI Security Standards". The following standards were put in place to ensure that all businesses storing, transmitting or processing card data are not putting their customers at risk of data theft and fraud.

4. PCI DSS Requirements

Requirements 1-2: Build and maintain a secure network
These sections are not covered by this policy – refer to ITS policies.

Requirements 3-4: Protect cardholder data
These sections are covered by this policy, where our main focus is to ensure the University does not store or transmit card and transaction data unnecessarily. ALL organisations accepting card payments are required to protect this data to prevent fraudulent access.

Requirements 5-6: Maintain a vulnerability management programme
As for requirements 1-2, these sections are not covered by this policy – refer to ITS policies.

Requirements 7-9: Implement strong access control measures
These sections are covered by this policy and deal specifically with access to cardholder data, restricting it on a business need-to-know basis, including physical access.

Requirements 10-11: Regularly monitor and test networks
As for requirements 1-2, these sections are not covered by this policy – refer to ITS policies.

Requirement 12: Maintain an information security policy
This section is covered by this policy and requires all University employees to be aware of the importance of card data security and their role in preventing unauthorised access.

5. Receiving cardholder data

Cardholder data should be received by the below methods only:
- By directing the cardholder/payee to an Online Payments System.
- Using face to face chip & pin where the customer is present and able to enter their card details directly into the terminal.
- Although receiving 'customer not present' card payments is discouraged, the preferred method is to receive details via the telephone, to be entered directly into the system using the administration area of an online payment system (Receipts Office only).

PLEASE DO NOT WRITE CARD DETAILS DOWN or SEND VIA END-USER MESSAGING TECHNOLOGIES (such as email or text message); instead please ask your customer to call the Receipts Office on +44 (0) 118 378 6130 to process the payment immediately.

It is strictly prohibited to send card details by email, store them via electronic methods over the University network (e.g. Excel spreadsheets, Word documents) or write them down.

6. Processing cardholder data

Card payments are accepted and refunded to the original card by the University via these two channels:
- Online Payment Systems – admin areas
- Hand held chip and pin card terminals

Online Payment Systems
We use many different systems across the University because they are not only convenient but a safe and secure way to take payment, as they process the cardholder data offsite. Using PCI compliant 3rd party websites removes the risk from the University as no card payment data is stored on the University servers. We are working to make sure ALL our systems are managed like this.

EXAMPLE OF HOW IT WORKS: WPM Online Store
1. Payee visits the institution's website and selects to pay a fee.
2. Customer is seamlessly redirected to WPM Education's Secure Payment Pages.
3. The payee enters their payment details into the system. The PCI DSS risk is completely removed from the institution as no card details are submitted or stored within the institution's network.
4. WPM Education transfers the data to the credit card network and completes the transaction.
5. Result of payment is displayed to the customer.

Hand held 'Chip and Pin' terminals (PDQs/PEDs)
Our terminals are from a range of providers, connected via either Wifi, the network or a telephone line. If a new terminal is required please contact the Finance Office (Simon Mealor).

Telephone
Transactions taken over the telephone are considered 'customer not present' transactions and should be avoided. Card details must be entered directly into the administration area by approved staff only* and in no circumstances written down.
*Receipts Office

7. Storing cardholder data

The goal of the PCI Data Security Standard (PCI DSS) is to ensure the highest level of protection of cardholder data; this includes receiving, storing and processing. When it comes to storing card details the general rule is "if you don't need it, don't store it!" If the data doesn't serve a valuable business purpose, consider eliminating it. Ask yourself: is the storage of this data and the business processes it supports worth the following?
i. The risk of having the data compromised
ii. The additional PCI DSS efforts that must be applied to protect that data
iii. The on-going maintenance efforts to remain PCI DSS compliant over time

Processing payments on a PDQ terminal generates 2 till receipts. The customer copy must be returned direct to the customer. The merchant copy must be stored securely in a locked location. It is important the merchant copy is stored in the locked location directly after processing of each transaction. Receipts can be stored for a maximum of 18 months before being destroyed as confidential waste. It is the responsibility of the location storing the merchant receipt to ensure its safekeeping.

The University must never electronically store sensitive authentication data after authorisation. Sensitive data includes:
- full track contents of the magnetic stripe or chip (which holds information about the card and cardholder)
- card verification codes and values, CVC or CVV (the 3 digits on the back of the card)
- PINs and PIN blocks (personal identification number)
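The storage rule above can be checked rather than just stated. The following is an added example, not part of the University's policy or any vendor's tooling: a small Python scan that a finance or IT team could run over text records on a file share or in a database export to flag the three classes of sensitive authentication data the policy forbids storing after authorisation (full track data, CVC/CVV codes, PINs and PIN blocks), plus any full card number that should have been truncated. The sample records, field labels and the publicly known 4111 1111 1111 1111 test card number are constructed for the example; the track-data patterns follow the publicly documented track 1 and track 2 layouts and are only meant to flag a record for review, not to parse it.

```python
"""Scan stored text records for sensitive authentication data (SAD).

Added example, not the University's code. Findings never include the
sensitive value itself, only a masked PAN where one was found.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Track 1 ("%B<PAN>^<NAME>^<YYMM>...") and track 2 ("<PAN>=<YYMM><service code>...")
# as documented in the PCI DSS glossary; loose on purpose, to flag rather than parse.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";?\d{13,19}=\d{7}")
# Field labels a spreadsheet or database dump might use for the CVV/CVC or a PIN.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|csc)\b\s*[:=]\s*\d{3,4}", re.IGNORECASE)
PIN_RE = re.compile(r"\bpin(?:[ _]?block)?\b\s*[:=]\s*[0-9A-Fa-f]{4,16}", re.IGNORECASE)
# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by all major card brands; filters out phone numbers etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    record_id: str
    kind: str      # "track", "cvv", "pin" or "pan"
    detail: str    # human-readable, never contains the sensitive value


def scan_record(record_id: str, text: str) -> list[Finding]:
    """Return every storage-rule violation found in one record."""
    findings: list[Finding] = []
    if TRACK1_RE.search(text) or TRACK2_RE.search(text):
        findings.append(Finding(record_id, "track", "full track data present"))
    if CVV_RE.search(text):
        findings.append(Finding(record_id, "cvv", "card verification code present"))
    if PIN_RE.search(text):
        findings.append(Finding(record_id, "pin", "PIN or PIN block present"))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding(record_id, "pan",
                                    f"full PAN {mask_pan(digits)} should be truncated"))
    return findings


def scan_store(records: dict[str, str]) -> dict[str, list[str]]:
    """Map each offending record id to the kinds of data found in it."""
    report: dict[str, list[str]] = {}
    for rid, text in records.items():
        kinds = [f.kind for f in scan_record(rid, text)]
        if kinds:
            report[rid] = kinds
    return report


# Constructed sample records: the kind of thing that ends up in a shared
# spreadsheet or receipts log when details are "just noted down for now".
SAMPLE_RECORDS = {
    "ok-1": "Receipt 1042, 23/11/2013, Amount 45.00, card ending 1111, auth code 123456",
    "bad-1": "customer J Smith, card 4111 1111 1111 1111 exp 12/15 cvv: 123",
    "bad-2": "terminal dump ;4111111111111111=15121011234?",
    "bad-3": "pin block: 0412AC89BD3E0F12 for refund 77",
    "ok-2": "Phone 0118 378 6130 called 23/11/2013, payment taken by Receipts Office",
}

if __name__ == "__main__":
    for rid, kinds in scan_store(SAMPLE_RECORDS).items():
        print(f"{rid}: {', '.join(kinds)}")
```

Records that only hold a truncated card number, an authorisation code and an amount pass clean, which is exactly what a receipt log needs to keep; anything flagged "track", "cvv" or "pin" must be deleted rather than protected, because PCI DSS gives no permitted way to retain it after authorisation.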