PCI-DSS Cardholder Data Policy (ISP-19)
1. Introduction
This PCI-DSS Cardholder Data Policy is a sub-policy of the Information Security Policy (ISP-01) and outlines the University's requirement to comply with PCI DSS in order to process card payments. It is designed to ensure we can meet the standards required by the Payment Card Industry’s Data Security Standard (PCI-DSS), which is a worldwide standard set up to help businesses (merchants) process card payments securely and reduce card fraud.
2. Scope
This policy applies to all members of the University (staff, students and associates), members of other institutions who have been granted federated access to use the University’s facilities, together with any others who may have been granted permission to use the University’s information and communication technology facilities by the Chief Digital Information Officer.
Particular attention should be paid to this policy by individuals involved with handling credit and debit cards, credit and debit card data and the systems processing such data within the University of Bristol.
Use of Corporate Credit Cards is governed by the University’s Corporate Credit Card Policy and is out of scope for the PCI-DSS Card Holder Data Policy (ISP-19).
2.1. Definitions
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover and JCB. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Compliance with PCI DSS is a contractual obligation between the University of Bristol and the Acquirer (Acquiring Bank).
‘Credit/Debit card data’ or ‘cardholder data’ means most of the information on a credit card or debit card and includes the long 16-digit card number (Primary Account Number - PAN). It also includes the issue and expiry dates, the cardholder’s name and the three-digit security code on the back of the card known as the Card Verification Value (CVV). This data is considered Personally Identifiable Information (PII) by the Information Commissioner’s Office (ICO).
3. Policy
3.1. Compliance and Requirements
Compliance with this policy is mandatory. Failure to follow this policy will be considered under the University's conduct procedure (Ordinance 10, section 4) and may result in disciplinary action. A serious breach of this policy may constitute gross misconduct and lead to dismissal. Compliance with this policy is primarily enforced through process and standard documents. Finance Services and IT Services will provide guidance and support but due to the diverse nature of the University's activities these processes and documents must be developed by each business area.
3.2. General
- Failure to protect card data can lead to large fines from the Information Commissioner’s Office (ICO) and banks, expensive investigations, litigation, loss of reputation and, in the worst case scenario, withdrawal of the ability to take payment by credit card, which would greatly hinder the University of Bristol’s ability to conduct business.
- Any new activity involving the processing of payment card data must be authorised by Finance and IT Services (see Finance Services - Collecting income).
- Electronic credit card data must not be transmitted by the University of Bristol via any private network that the University is responsible for unless in accordance with the handling requirements in this policy. This includes wired and wireless connections.
- Credit and debit cardholder data must not be stored on University provided local hard drives, shared storage (such as University departmental filestore), cloud storage solutions (for example SharePoint), or removable media (memory stick, CD/DVD) under any circumstances. This includes personal card details.
- Cardholder data must not be transmitted or requested to be transmitted via end-user messaging technologies such as email, instant messaging or SMS. If unsolicited cardholder data is received via such means, this must be notified to the Information Security Manager and the data securely deleted.
- Any card data stored on University of Bristol systems must be reported to IT Services immediately upon discovery by calling or raising a ticket.
3.3. Credit/Debit Card Handling
It is the University’s policy not to store cardholder data electronically or process that data on the University network. However, some processing of cardholder data will be carried out by the University on behalf of its staff and students. All processing of cardholder data must be agreed and recorded by IT Services and by Finance Services.
Any processing (including by third parties) must meet the following conditions:
- All handlers of cardholder data must be trained before being allowed access. This training must be recorded and repeated/updated upon hire and at least once every 12 months.
- Cardholder data must not be processed via digital connections provided by the University (wired or wireless), unless via a current PCI-SSC validated Point-to-Point Encryption (P2PE) solution, implemented in accordance with the relevant P2PE Instruction Manual (PIM). Public data networks (GPRS/3G/4G/5G) may also be used in conjunction with properly-configured P2PE solutions.
- Cardholder data must not be stored in any voice recordings. Where cardholder data may be taken over the telephone, any call recording solution must be disabled whilst cardholder data is being given.
- Any device used to process cardholder data on behalf of the University must be first agreed by Finance Services (the Head of Transactional Services).
- Where the device is a Point-of-Sale (POS) terminal it must be of a type approved by Finance Services. The details (model, serial number, security features and location) of all examples in use must be recorded and supplied to Finance Services for inclusion in the asset list that they maintain. Such devices must be configured and used in accordance with Finance procedures.
- All devices must be stored securely when not in use and checked regularly for tampering or substitution. Any suspicion of tampering must be reported in line with the Incident response procedure.
- University staff and students must not store cardholder data on paper unless specifically agreed by the Information Security Manager and the Head of Transactional Services. Any cardholder data may only be stored on paper prior to authorisation of payment (not after). It must be securely stored when not in use and destroyed in line with the University’s Confidential Waste Disposal procedure.
3.4. Third Parties
Any third party commissioned to handle cardholder information on behalf of the University of Bristol must be approved by Finance and IT based on proper due diligence prior to engagement. Their compliance status must be assessed by the Information Security Manager. If they are a PCI DSS compliant Service Provider for the contracted services they provide to the University, they will be required to provide the University with an up-to-date version of their Attestation of Compliance for Service Providers before engagement and each year thereafter.
Any contracts or written agreements with third party providers must make clear their responsibility for maintaining/protecting the University’s compliance. A full list of Third Party Payment Service Providers will be maintained by Finance Services, and the service providers’ PCI DSS compliance will be checked by Finance Services at least annually.
3.5. Incident Response
An Incident/Breach Response Plan must be in place, reviewed and tested at least annually. Any breach or suspected breach must be reported immediately to IT Services by calling or raising a ticket. This will be acknowledged shortly after receipt and escalated to the PCI Incident Response group for further response.
3.6. Monitoring and Compliance Responsibilities
Overall responsibility for the University’s PCI DSS compliance is held by the Chief Finance Officer (CFO), as they are responsible for management of income, as well as the signatory of any contract with our acquirer/s. As the storage, transmission and processing of cardholder data and the associated risks are largely an Information Technology challenge, the Chief Digital and Information Officer (CDIO) also has a significant responsibility for ensuring adherence to this policy and associated procedures.
IT Services (the Information Security Manager) and Finance Services (Group Finance Director) shall ensure this policy is available and promoted to those that need to see it.
It is the responsibility of the Information Security Manager to maintain this policy and ensure it is reviewed at least annually or if the environment changes. An assessment of the risks relating to the processing of cardholder data will be conducted annually by the Information Security Manager with the support of IT Services and Finance Services.
The PCI DSS Internal Security Assessor, Information Security Manager, Group Finance Director, or any of their representatives, are authorised to inspect any systems, databases, or physical areas of the University where cardholder data might be processed or stored.
Many areas of the University process credit/debit cards as payment for the services they provide. Separate Merchant IDs (MIDs), set up by our Acquiring Bank, have been authorised for use by the University. Finance Services are responsible for ensuring that only University-approved devices and suppliers are used to receive payments, and that each MID has an identified and responsible manager. Finance Services are responsible for maintaining a full register of all MIDs, the manager responsible, and all assets in use relating to each MID (e.g. point-of-sale / PDQ terminals).
4. Further Guidance
| Field | Value |
| --- | --- |
| Title | PCI-DSS Cardholder Data |
| Reference | ISP-19 |
| Status | Approved |
| Version | 4.0 |
| Date Created | March 2017 |
| Last Reviewed | May 2025 |
| Next Review | May 2026 |
| Classification | Public |
| PDF Policy Link | PCI-DSS Cardholder Data Policy - ISP-19 (PDF, 319kB) |