Handling Cardholder Data - Departmental Guidance
Introduction
Card fraud resulting from the compromise of data associated with a cardholder account is a significant criminal activity. As a result, when handling payments by card, the University is required to ensure ongoing compliance with the Payment Card Industry Data Security Standard (PCI DSS).
In the event of a breach of cardholder data caused by non-compliance with the standard, the University could be subject to significant penalties, fines and reputational damage.
In order to ensure that our obligations under PCI DSS are met, the following guidance on obtaining, transmitting and storing customer card data must be observed by all departments that handle card payments.
Please note that Departments will be required to sign a declaration of compliance with these guidelines on an annual basis.
Obtaining cardholder data
Face to face with a Chip and PIN device – customer present
This is the preferred method of obtaining cardholder data: the customer enters their card details directly into the device, so University staff never see or handle the card number. This method is used in shops and other retail sites where the customer is present.
Please note that the Cashiers Office has a fully portable terminal that can be used externally, e.g. if you are running an event and want to take card payments on site. Contact if you would like to use this facility at any time.
Face to face without a Chip and PIN device – customer present
As mentioned above, the Cashiers Office has a portable terminal, so if you are running an event please contact us. If you do not have a device, we recommend that departments ask customers to use the relevant area of the University's Online Store, which includes the facility to pay invoices and make miscellaneous payments. Contact for details. If there is no other alternative, complete a Card Authorisation Form, including the customer's signature. This is available on the Forms section of the Finance web site, under 'Sales'. See also 'Transmission of cardholder data', and ensure that completed forms are kept securely at all times.
Online payments
The University's Online Store is the preferred option for collecting online card payments securely. The Online Store can be used to sell goods and services, including courses and conferences. Departments wishing to use an alternative e-commerce solution must obtain approval from the Finance Division beforehand, so that due diligence can be carried out on the proposed supplier. This also applies to EPOS systems.
Mail
When cardholder details are sent to the University by post, the following must be observed:
- Appropriate arrangements must be in place for post opening, including the transfer of any card details to the individual responsible for processing them without delay. Absence cover must be arranged so that card details are never left unprocessed.
- The payment should be processed immediately via a Chip and PIN device, as a 'cardholder not present' transaction. The section of the document containing the card details should then be cut off and shredded. Only the last 4 digits of the card number may be retained, in case of a query at a later date.
Telephone
When cardholder details are taken by telephone, observe the following:
- Ask the cardholder to clearly state the 16 digit card number, the 3 digit security code (CVV/CVC) from the back of the card and the card expiry date, and key this data into a Chip & PIN device whilst on the phone to the customer, using a 'cardholder not present' transaction. Do not write down any of this information.
- If you do not have access to a Chip & PIN device, you must not take card details over the phone. Advise the customer to use the University Online Store whenever possible – if applicable, there is a section of the Online Store enabling customers to pay an invoice or make a miscellaneous payment.
- University staff must not use University computers to enter a customer's card details into out-sourced e-commerce solutions, such as WPM, on the customer's behalf: the card details would then pass through a University computer that is not a payment device. Direct the customer to make the payment themselves.
- Be careful if repeating any of the card information back to the cardholder, in case you are overheard.
Email
Cardholder data must never be accepted by email. If unsolicited card data is sent in by email, delete the email from the recipient's inbox and then from the recipient's deleted items. Do not reply to the email, as the reply would quote the card details and create a further copy in sent items. Instead, send a separate new email stating that we do not accept card details by email and that the email has been deleted, and advise the customer of alternative ways of completing the transaction. In addition, you must not send details of a University credit card via email.
Transmission of cardholder data
The transmission of cardholder data should be kept to an absolute minimum. Where necessary, observe the following:
- Completed card authorisation forms should be sent to the Cashiers Office by fax, hand delivery or secure cash carrier. Internal post and scanned email copies must not be used.
- A log should be kept of all items sent (recording the date, the customer and at most the last 4 digits of the card number, never the full number), and it is the responsibility of the relevant department to track the forms and ensure they have reached their destination and been processed. Once processing has been confirmed, the original must be destroyed.
- This guidance also applies to other forms containing cardholder data that may be transmitted and processed within a department.
Storing cardholder data
Chip and PIN devices
The card terminals must be protected from physical access by anyone not authorised to use the equipment. When not in use, they must be physically locked away or locked down in the till environment. The devices should be inspected each day for signs of tampering or substitution (for example, a damaged seal or casing, an unexpected attachment or cable, or a serial number that does not match the one recorded for that till).
Receipt rolls from Chip and PIN devices
The transaction receipts produced by the card terminals contain the full 16 digit card number and therefore must be stored securely, i.e. locked away with access restricted to relevant staff only. They should be kept only for as long as there is a business need; it is recommended that they be destroyed after 13 months.
Cardholder data forms
Never store the 3 digit security code (CVV/CVC) from the back of the card; this part of the form must be cut off and destroyed as soon as the payment has been processed. Retain only the last 4 digits of the 16 digit card number, and then only for as long as there is a business need (see 'Receipt rolls' above). If you keep a log of transactions, do not include the full card number in it.
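The logging rule above is easy to state and easy to break by accident, for example when a full card number is pasted into a free-text note field. The following Python is an added example and is not part of the University guidance or of any University system. It assumes a department keeps a plain-text transaction log built from simple key/value records (a constructed format for illustration) and shows one way to enforce the rule in code: any Luhn-valid card number found in a value is masked down to its last 4 digits before it is written, and a record that carries a security code field is rejected outright rather than logged.

```python
"""Masking card numbers and rejecting security codes before they reach a departmental log.

Added example, not part of the University guidance. The log format (key=value
pairs joined by ' | ') and the field names are constructed for illustration.
"""
import re

# Fields that must never be stored under PCI DSS, whatever they are called locally.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "security_code", "authorisation_code", "pin"}

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces or
# hyphens, as they look when copied off a form or a receipt. The look-arounds stop a
# longer digit run (e.g. a 20 digit reference) from being partly matched.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812). Used so ordinary reference numbers are not mangled;
    it is a checksum, not proof that a number is a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace every Luhn-valid card number in text with X's, keeping only the last 4 digits."""
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # not a card number (invoice, phone number); leave as-is
        return "X" * (len(digits) - 4) + digits[-4:]
    return _PAN_RE.sub(_mask, text)


def log_line(record: dict) -> str:
    """Serialise a transaction record for the departmental log.

    Raises ValueError if the record carries a field that must never be stored,
    and masks any card number that has slipped into a value.
    """
    forbidden = FORBIDDEN_FIELDS & {k.lower() for k in record}
    if forbidden:
        raise ValueError(f"must never be stored: {sorted(forbidden)}")
    return " | ".join(f"{k}={mask_pan(str(v))}" for k, v in record.items())


if __name__ == "__main__":
    # Constructed sample record; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    rec = {"date": "2024-05-01", "amount": "25.00", "ref": "INV-1234567",
           "note": "Customer quoted card 4111 1111 1111 1111 exp 12/26 by phone"}
    print(log_line(rec))
    try:
        log_line({"date": "2024-05-01", "cvv": "123"})
    except ValueError as e:
        print("rejected:", e)
```

Because the masking runs on every value, it also catches the common mistake of a full number typed into a "note" or "reference" field, and the rejection of security-code fields fails loudly rather than silently storing something that must be destroyed.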
University Credit Cards
If you have a departmental credit card, it must be stored securely, with access restricted to the cardholder or their authorised representative only. As stated above, never send card details via email.