PCI-DSS cardholder data policy (ISP-19)

Introduction

This policy provides essential information for everyone involved with handling credit and debit cards, credit and debit card data and the systems processing such data within the University of Bristol. It is designed to ensure we can meet the standards required by the Payment Card Industry’s Data Security Standard (PCI-DSS), which is a worldwide standard set up to help businesses (merchants) process card payments securely and reduce card fraud. The University of Bristol must comply with PCI DSS to process card payments.

Compliance requirements

Compliance with this policy is mandatory. Failure to follow this policy will be considered under the University's conduct procedure (Ordinance 10, formerly Ordinance 28) and may result in disciplinary action. A serious breach of the policy may constitute gross misconduct and lead to dismissal. Compliance with policies is primarily enforced through process and standard documents.

Finance Services and IT Services will provide guidance and support, but because of the diverse nature of some of our activities, these processes and documents must be developed by each business area.

University of Bristol Information Security policies

University of Bristol policies affecting the entire University, not just cardholder data, can be found on the Information Security policies pages. Where any contradiction arises in the handling of cardholder data, this policy takes precedence.

Definitions

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.

‘Credit/Debit card’ or ‘cardholder’ data means most of the information on a credit card or debit card and includes the long card number, typically 16 digits (the Primary Account Number, or PAN). It also includes the issue and expiry dates and the cardholder’s name. The three digit security code on the back of the card (four digits on the front for American Express) is known as the Card Verification Value (CVV); PCI DSS classifies it as sensitive authentication data that must never be retained after a transaction has been authorised.

Policy

General

Credit or debit card handling

It is the University’s policy not to store cardholder data electronically or to process that data on the University network. There will, however, be some processing of cardholder data carried out by the University on behalf of its staff and students. All processing of cardholder data must be agreed and recorded by IT Services (the Information Security Manager) and by Finance Services.

Any processing (including processing by third parties) must meet the conditions set out in the sections below.

Third parties

Any third party commissioned to handle cardholder information on behalf of the University of Bristol must be approved by Finance Services and IT Services, based on proper due diligence, prior to engagement. Their compliance status must be assessed by the Information Security Manager. If they are a PCI DSS compliant Service Provider for the contracted services they provide to the University, they will be required to provide the University with an up-to-date version of their Attestation of Compliance before engagement and each year thereafter.

Any contracts or written agreements with third party providers must make clear their responsibility for maintaining and protecting the University’s compliance. A full list of Third Party Payment Service Providers will be maintained by Finance Services, and the service providers’ PCI DSS compliance will be checked by Finance Services at least annually.

Incident response

An incident or breach response plan must be in place, reviewed and tested at least annually. Any breach or suspected breach must be reported immediately to the PCI incident response email address: dg-carddatabreach@bristol.ac.uk. Reports will be acknowledged shortly after receipt.

Monitoring and compliance responsibilities

Overall responsibility for the University’s PCI DSS compliance is held by the Chief Financial Officer (CFO), who is responsible for the management of income and is the signatory of any contract with our acquirer(s). As the storage, transmission and processing of cardholder data, and the associated risks, are largely an information technology challenge, the Chief Information Officer (CIO) also has significant responsibility for ensuring adherence to this policy and its associated procedures.

All staff and students, including permanent (direct hire), temporary and contract staff, are responsible for ensuring our adherence to this policy. IT Services (the Information Security Manager) and the Director of Finance Operations shall ensure it is available and promoted to those who need to see it.

It is the responsibility of the Information Security Manager to maintain this policy and ensure it is reviewed at least annually, or sooner if the environment changes. An assessment of the risks relating to the processing of cardholder data will be conducted annually by the Information Security Manager with the support of IT Services and Finance Services.

The PCI DSS Internal Security Assessor, Information Security Manager, Director of Finance Operations, or any of their representatives, are authorised to inspect any systems, databases, or physical areas of the University where cardholder data might be processed or stored.

Many areas of the University accept credit and debit cards as payment for the services they provide. Separate Merchant IDs (MIDs), set up by our acquiring bank, have been authorised for use by a number of Divisions. All relevant Heads of Division are responsible for ensuring this policy is adhered to and that each MID has an identified responsible manager. The Income and Credit Control Manager is responsible for maintaining a full register of all MIDs, the manager responsible for each, and all assets in use relating to each MID (for example, point-of-sale or PDQ terminals).

PCI-DSS Cardholder Data policy (ISP-19), version 1.2

Last reviewed: June 2022. Next review: June 2023.
This policy is also available as a PDF: PCI-DSS Cardholder Data Policy - ISP-19 (PDF, 77kB)