PCI-DSS Cardholder Data Policy (ISP-19)

  1. Introduction
  2. Scope
  3. Policy
  4. Further Guidance

1. Introduction

This PCI-DSS Cardholder Data Policy is a sub-policy of the Information Security Policy (ISP-01) and outlines the University's requirement to comply with PCI DSS in order to process card payments. It is designed to ensure the University can meet the standards required by the Payment Card Industry Data Security Standard (PCI-DSS), a worldwide standard established to help businesses (merchants) process card payments securely and reduce card fraud.

2. Scope

Everyone involved with handling credit and debit cards, credit and debit card data, or the systems that process such data within the University of Bristol is subject to this policy.

This includes all members of the University (staff, students and associates), members of other institutions who have been granted federated access to use the University’s facilities, together with any others who may have been granted permission to use the University’s information and communication technology facilities by the Chief Digital and Information Officer.

2.1. Definitions

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover and JCB. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. 

‘Credit/Debit card data’ or ‘cardholder data’ means most of the information on a credit card or debit card, including the long card number (the Primary Account Number, or PAN; typically 16 digits), the issue and expiry dates, the cardholder’s name and the security code, known as the Card Verification Value (CVV): three digits on the back of the card, or four digits on the front for American Express cards. PCI DSS classes the security code as sensitive authentication data that must never be retained after a transaction has been authorised, even in encrypted form.

3. Policy

3.1. Compliance and Requirements

Compliance with this policy is mandatory. Failure to follow this policy will be considered under the University's conduct procedure (Ordinance 10, section 4: https://www.bristol.ac.uk/media-library/sites/university/documents/governance/constitution/ordinance-10-employment.pdf) and may result in disciplinary action. A serious breach of the policy may constitute gross misconduct and lead to dismissal. Compliance with policies is primarily enforced through process and standard documents. Finance Services and IT Services will provide guidance and support but due to the diverse nature of some of our activities these processes and documents must be developed by each business area.

3.2. General

3.3. Credit/Debit Card Handling

It is the University’s policy not to store cardholder data electronically or to process that data on the University network. There will, however, be some processing of cardholder data carried out by the University on behalf of its staff and students. All processing of cardholder data must be agreed and recorded by IT Services (the Information Security Manager) and by Finance Services.

Any processing (including by third parties) must meet the following conditions: 

3.4. Third Parties

Any third party commissioned to handle cardholder information on behalf of the University of Bristol must be approved by Finance and IT, based on proper due diligence, prior to engagement. Their compliance status must be assessed by the Information Security Manager. Where they are a PCI DSS compliant Service Provider for the contracted services they provide to the University, they will be required to provide the University with an up-to-date Attestation of Compliance (AOC) before engagement and each year thereafter.

Any contracts or written agreements with third party providers must make clear their responsibility for maintaining and protecting the University’s compliance. A full list of Third Party Payment Service Providers will be maintained by Finance Services, and the service providers’ PCI DSS compliance will be checked by Finance Services at least annually.

3.5. Incident Response

An Incident/Breach Response Plan must be in place, reviewed and tested at least annually. Any breach or suspected breach must be reported immediately to the PCI incident response email address: dg-carddatabreach@bristol.ac.uk. This will be acknowledged shortly after receipt.

3.6. Monitoring and Compliance Responsibilities

Overall responsibility for the University’s PCI DSS compliance is held by the Chief Finance Officer (CFO), as they are responsible for management of income, as well as the signatory of any contract with our acquirer/s. As the storage, transmission and processing of cardholder data and the associated risks are largely an Information Technology challenge, the Chief Digital and Information Officer (CDIO) also has a significant responsibility for ensuring adherence to this policy and associated procedures. 

All staff and students, including permanent (direct hire), temporary and contract staff, are responsible for ensuring adherence to this policy. IT Services (the Information Security Manager) and the Director of Finance Operations shall ensure it is available and promoted to those who need to see it.

It is the responsibility of the Information Security Manager to maintain this policy and ensure it is reviewed at least annually, or whenever the environment changes. An assessment of the risks relating to the processing of cardholder data will be conducted annually by the Information Security Manager with the support of IT Services and Finance Services.

The PCI DSS Internal Security Assessor, Information Security Manager, Director of Finance Operations, or any of their representatives, are authorised to inspect any systems, databases, or physical areas of the University where cardholder data might be processed or stored.  

Many areas of the University process credit/debit cards as payment for the services they provide. Separate Merchant IDs (MIDs), set up by our acquiring bank, have been authorised for use by a number of Divisions. All relevant Heads of Division are responsible for ensuring that this policy is adhered to, that only University-approved devices and suppliers are used to receive payments, and that each MID has an identified and responsible manager. The Income and Credit Control Manager is responsible for maintaining a full register of all MIDs, the manager responsible for each, and all assets in use relating to each MID (e.g. point-of-sale / PDQ terminals).

4. Further Guidance

PCI-DSS Cardholder Data Policy (ISP-19), version 2.0

Last reviewed: July 2023. Next review: July 2024.

This policy is also available as a PDF: PCI-DSS Cardholder Data Policy - ISP-19 (PDF, 163kB)