PCI-DSS Cardholder Data Policy (ISP-19)

1. Introduction
2. Scope
   • 2.1 Definitions
3. Policy
   • 3.1. Compliance and Requirements
   • 3.2. General
   • 3.3. Credit/Debit Card Handling
   • 3.4. Third Parties
   • 3.5. Incident Response
   • 3.6. Monitoring and Compliance Responsibilities
4. Further Guidance

1. Introduction

This PCI-DSS Cardholder Data Policy is a sub-policy of the Information Security Policy (ISP-01) and outlines the University's requirement to comply with PCIS DSS to process card payments. It is designed to ensure we can meet the standards required by the Payment Card Industry’s Data Security Standard (PCI-DSS), which is a worldwide standard set up to help businesses (merchants) process card payments securely and reduce card fraud.

2. Scope

Everyone involved with handling credit and debit cards, credit and debit card data and the systems processing such data within the University of Bristol are subject to this policy.

This includes all members of the University (staff, students and associates), members of other institutions who have been granted federated access to use the University’s facilities, together with any others who may have been granted permission to use the University’s information and communication technology facilities by the Chief Digital and Information Officer.

2.1. Definitions

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover and JCB. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. 

‘Credit/Debit card data’ or ‘cardholder data’ means most of the information on a credit card or debit card and includes the long 16-digit card number (Primary Account Number - PAN). It also includes the issue and expiry dates, the cardholder’s name and the three-digit security code on the back of the card known as the Card Verification Value (CVV).

3. Policy

3.1. Compliance and Requirements

Compliance with this policy is mandatory. Failure to follow this policy will be considered under the University's conduct procedure (Ordinance 10, section 4: https://www.bristol.ac.uk/media-library/sites/university/documents/governance/constitution/ordinance-10-employment.pdf) and may result in disciplinary action. A serious breach of the policy may constitute gross misconduct and lead to dismissal. Compliance with policies is primarily enforced through process and standard documents. Finance Services and IT Services will provide guidance and support but due to the diverse nature of some of our activities these processes and documents must be developed by each business area.

3.2. General

• Failure to protect card data can lead to large fines from the Information Commissioner’s Office (ICO) and banks, expensive investigations, litigation, loss of reputation and in the worst case scenario, withdrawal of the ability to take payment by credit card; which would greatly hinder the University of Bristol’s ability to conduct business.

• No staff member should handle cardholder data unless they have a business need and explicit authorisation to do so.

• Cardholder data should only be handled in such a manner as is explicitly authorised by job roles.

• Electronic credit card data shall not be transmitted by the University of Bristol via any private network that the University is responsible for unless in accordance with the handling requirements in this policy. This includes wired and wireless connections.

• University staff and students shall not store credit and debit cardholder data on local hard drives, shared storage (such as University departmental filestore), cloud storage solutions (for example SharePoint), or any removable media (memory stick, CD/DVD) under any circumstances.

• Cardholder data shall not be transmitted or requested to be transmitted via end-user messaging technologies such as email, instant messaging or SMS. If unsolicited cardholder data is received via such means, this must be notified to the Information Security Manager and the data securely deleted.

• Any card data stored on University of Bristol systems must be reported to dg-carddatabreach@bristol.ac.uk immediately upon discovery.

3.3. Credit/Debit Card Handling

It is the University’s policy not to store cardholder data electronically or process that data on the University network. There will be however some processing of cardholder data done by the University on behalf of its staff and students. All processing of cardholder data must be agreed and recorded by IT Services (the Information Security Manager) and by Finance Services. 

Any processing (including by third parties) must meet the following conditions: 

• All handlers of cardholder data must be adequately screened and trained before being allowed access. This training must be recorded and repeated/updated regularly. 

• Cardholder data must not be processed via digital connections provided by the University (wired or wireless). Where it is agreed that cardholder data can be directly processed by staff; public data networks (GPRS/3G/4G/5G) combined with strong encryption or properly-configured P2PE solutions implemented in accordance with their respective Implementation Guides must be used instead. Analogue (telephone) lines are acceptable. Analogue telephone infrastructure must be properly secured against interference by unauthorised personnel. 

• Cardholder data shall not be stored in any voice recordings. Where cardholder data may be taken over the telephone, any call recording solution shall be disabled whilst cardholder data is being given. 

• Any device used to process cardholder data on behalf of the University must be first agreed by Finance Services (the Head of Transactional Services). 

• Where the device may be a laptop or PC, they will be ‘standalone’ and entirely separate from the configuration of devices used on the University network. The device must be approved by the Information Security Manager to an agreed secure configuration. This includes but is not exclusive to up to date anti-virus, encrypted storage, strong access controls and security updates being applied at least every month. 

• Where the device is a Point-of-Sale (POS) terminal it must be of a type approved by Finance Services. The details (model, serial number, security features and location) of all examples in use must be recorded and supplied to Finance Services for inclusion in the asset list that they maintain. Such devices must be configured and used in accordance with Finance procedures. 

• All devices must be stored securely when not in use and checked regularly for tampering or substitution. Any suspicion of tampering must be reported in line with the Incident response procedure. 

• University staff and students must not store cardholder data on paper unless specifically agreed by the Information Security Manager and the Head of Transactional Services. Any cardholder data may only be stored on paper prior to authorisation of payment (not after). It must be securely stored when not in use and destroyed in line with the University’s Confidential Waste Disposal procedure (requires authentication to access).

3.4. Third Parties

Any third party commissioned to handle cardholder information on behalf of the University of Bristol must be approved by Finance and IT based on proper due diligence prior to engagement. Their compliance status must be assessed by the Information Security Manager. If they are a PCI DSS compliant Service Provider for the contracted services they provide to the University, they will be required to provide the University with an up-to-date version of their Attestation of Compliance before engagement and each year thereafter.  

Any contracts or written agreements with third party providers must make clear their responsibility for maintaining/protecting the University’s compliance. A full list of Third Party Payment Service Providers will be maintained by Finance Services, and the service providers PCI DSS compliance will be checked by Finance Services at least annually.

3.5. Incident Response

An Incident/Breach Response Plan must be in place, reviewed and tested at least annually. Any breach or suspected breach must be reported immediately to the PCI incident response email address: dg-carddatabreach@bristol.ac.uk. This will be acknowledged shortly after receipt.

3.6. Monitoring and Compliance Responsibilities

Overall responsibility for the University’s PCI DSS compliance is held by the Chief Finance Officer (CFO), as they are responsible for management of income, as well as the signatory of any contract with our acquirer/s. As the storage, transmission and processing of cardholder data and the associated risks are largely an Information Technology challenge, the Chief Digital and Information Officer (CDIO) also has a significant responsibility for ensuring adherence to this policy and associated procedures. 

Any staff or students including all permanent (direct hire), temporary and contract staff are responsible for ensuring our adherence with this policy. IT Services (the Information Security Manager) and the Director of Finance Operations shall ensure it is available and promoted to those that need to see it. 

It is the responsibility of the Information Security Manager to maintain this policy and ensure it is reviewed at least annually or if the environment changes. An assessment of the risks relating to the processing of cardholder data will be conducted annually by the Information Security Manager with the support of IT Services and Finance Services.   

The PCI DSS Internal Security Assessor, Information Security Manager, Director of Finance Operations, or any of their representatives, are authorised to inspect any systems, databases, or physical areas of the University where cardholder data might be processed or stored.  

Many areas of the University process credit/debit cards as payment for the services they provide. Separate Merchant IDs (MIDs), set up by our acquiring bank have been authorised for use by a number of Divisions. All relevant Heads of Division are responsible for ensuring that this policy is adhered to, that only University-approved devices and suppliers are used to receive payments, and that each MID has an identified and responsible manager. The Income and Credit Control Manager is responsible for maintaining a full register of all MIDs, the manager responsible, and all assets in use relating to each MID (e.g. point-of-sale / PDQ terminals). 

4. Further Guidance

• Information Security Policy (ISP-01) 
• University Confidential Waste Disposal Procedure 

PCI-DSS Cardholder Data Policy (ISP-19), version 2.0

Last reviewed: July 2023. Next review: July 2024.

This policy is also available as a PDF: PCI-DSS Cardholder Data Policy - ISP-19 (PDF, 163kB)