University of Oxford Finance Division
FINANCIAL POLICY
2.1.2 CARDHOLDER DATA SECURITY
Date: 21 March 2013
Version: 2.1.2
Status: Approved
Author: Simon Blee, Bridget Midwinter
TABLE OF CONTENTS
EXECUTIVE SUMMARY
PURPOSE
BACKGROUND
PCI SECURITY STANDARDS COUNCIL (PCI SSC)
PCI DATA SECURITY STANDARD (PCI DSS)
OVERVIEW OF PCI DSS REQUIREMENTS
SCOPE
RESPONSIBILITIES
BREACHES OR COMPROMISES OF CARDHOLDER DATA
EXECUTIVE SUMMARY
PURPOSE
The University is committed to protecting confidential cardholder information through compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The purpose of this policy is to set out the requirements of the PCI DSS in respect of the transmission, processing and storage of cardholder data, and the key responsibilities in connection with the achievement and maintenance of compliance with the PCI DSS.
This financial policy should be compatible with, and read in conjunction with, the University’s Information Security Policy, the card data security departmental guidance, and the processes and associated financial control framework published on the University Finance Division website for:
Cash and Banking
Card transactions
Note: wherever a statement in this policy refers to ‘Card’, the statement applies to credit, debit, charge, and procurement cards, unless specifically stated otherwise.
BACKGROUND
PCI SECURITY STANDARDS COUNCIL (PCI SSC)
The PCI Security Standards Council was founded by American Express, MasterCard Worldwide and Visa Inc (amongst others). Participating organisations include merchants, payment card issuing banks, processors, developers and other vendors. It is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. The Council maintains, evolves and promotes the PCI security standards. See the PCI Security Standards Council website for more detail: https://www.pcisecuritystandards.org
PCI DATA SECURITY STANDARD (PCI DSS)
PCI Security Standards are technical and operational requirements set by the PCI SSC to protect cardholder data. The standards apply to all organisations that store, process or transmit cardholder data. The Council is responsible for managing the security standards, while compliance with the PCI DSS is enforced by the founding members of the Council. All Merchants who accept or process payment cards must comply with the PCI DSS.
Substantial penalties can be imposed for non-compliance with the PCI DSS regulations, with further penalties for any actual data compromise. As a final resort, the Merchant can be refused permission to process card data.
OVERVIEW OF PCI DSS REQUIREMENTS
The 12 requirements of PCI DSS in summary are:
Requirements 1-2 Build and maintain a secure network
Requirements 3-4 Protect cardholder data
Requirements 5-6 Maintain a vulnerability management programme
Requirements 7-9 Implement robust control measures / Control access to card data
SCOPE
The main areas covered by this ‘cardholder data security’ policy are:
Receiving and/or transmitting cardholder data
Processing cardholder data
Storing cardholder data
Receiving and/or transmitting cardholder data
Cardholder data must never be accepted or sent by email or any other electronic method.
Cardholder data received on hard copy must only be transmitted to the processing location by hand delivery or secure courier, and must not be scanned or sent by internal post.
Processing cardholder data
Cardholder data should be processed by appropriate methods only, preferably using Chip & PIN terminals, where the customer is present and able to enter their card details directly into the card terminal, or via the University’s approved online payment system.
The University does not process online card payments, but uses an approved third party secure host or payment service provider to do so on its behalf. In all cases, such suppliers must be PCI compliant. Sanction must be obtained from the Finance Division prior to using any alternative payment system. Further information can be obtained from the Chief Cashier.
Storing cardholder data
Sensitive cardholder data must never be retained after being used for processing. Such data must be permanently destroyed immediately after processing. This includes:
The Card Verification Code (CVC or 3 digit security code).
Track data (card electronic/stripe data)
RESPONSIBILITIES
The key responsibilities in connection with the policy for cardholder data security are given below.
Head of Treasury
The Head of Treasury must ensure that:
This policy is maintained, reviewed, and communicated effectively
The cashiers office is adequately resourced and trained in the requirements of the PCI DSS
The controls over cardholder data are effective, and regularly reviewed.
The Head of Financial Assurance Services is advised if an incident of non-compliance is identified. The Head of Financial Assurance Services may then notify the Internal Auditors and/or the Director of Finance.
Chief Cashier
The Chief Cashier has overall responsibility for ensuring that:
This policy is communicated to all relevant parties
This policy is regularly reviewed and updated in accordance with any changes to the regulations
Processes and procedures are updated in accordance with any changes to this policy
Departments are monitored in respect of compliance with this policy
Heads of Departments and Units
Heads of Departments and Units are responsible for ensuring that all aspects of this policy are adhered to.
Department Administrators
Department administrators must:
Staff responsible for handling cardholder data
All staff handling cardholder data must:
Handle cardholder data in accordance with this policy and the ‘Handling cardholder data – departmental guidance’.
IT Services
IT Services are responsible for:
Providing technical advice in relation to the PCI DSS requirements
Advising on network weaknesses or issues identified as a result of internal or external vulnerability scans
Maintaining the University’s Information Security Policy as appropriate and to reflect changes in PCI DSS requirements
BREACHES OR COMPROMISES OF CARDHOLDER DATA
Reporting breaches or compromises
Any breaches or compromises must be reported immediately to the Chief Cashier who will report to:
Head of Treasury
Head of Financial Assurance Services
The University’s acquiring bank
The University’s payment service provider(s)
The University’s third party secure host, as appropriate
The Police