Q. What is PCI?
PCI stands for the Payment Card Industry. This is an association of organisations which store, process and transmit cardholder data, that is, the sensitive information on credit and debit cards that allows you to make payments. The PCI Security Standards Council was founded by the five major payment brands (American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.), and they developed the Data Security Standard (DSS), which applies to the handling of cardholder data.
Q. What does PCI apply to at the University?
The PCI DSS applies to all payment streams that involve credit and debit card transactions. This includes all people, systems, devices, connections, procedures, and use of third parties – anyone and anything that handles cardholder data. Specifically, the two Self-Assessment Questionnaires that UEA will complete are SAQ P2PE-HW and A-EP. Further details on the requirements are available from the PCI DSS website.
Q. Are there regular checks to ensure that the University is meeting the PCI's security standard?
Yes, we need to be able to demonstrate that we are meeting the requirements of the standard. This could be via our own checks, those led by Finance or the ISD Compliance team, or by external assessors. There is an annual assessment of our compliance to ensure that not only are we meeting the standard, but that we are continuing to meet the standard.
Q. What are the consequences of not meeting the security standard required by PCI?
If we become non-compliant or fail to meet the standard, we can be fined or lose the ability to take payments by payment card. The level of fines can be significant, and they may be applied monthly until we achieve compliance.
Q. What options are there for taking payments for something the University is selling/levying a charge?
There are four ways of receiving payment: cash, bank transfer, sQuid, and card (either via an approved PIN Entry Device meeting PCI DSS, or via a web interface configured to use the University’s approved online payment processor, WPM). No other payment method can be used. Use of any other payment method could put the University’s PCI DSS compliance at risk and is strictly forbidden.
Q. Can I use PayPal to take online payments?
No, use of PayPal to take online payments is not permitted at this time. If you need to take payment via a web interface, you must use the UEA online store (http://store.uea.ac.uk).
Q. Can I collect payment card information on a paper application form and process them later?
The PCI DSS requires us to keep payment card data secure as it is confidential data. It is possible to collect details on paper, process them via a PIN Entry Device, and then after authorisation of the payment destroy the details on the application form. Any paper record should be destroyed securely within 1 working day of it being received. The cardholder data must either be blacked out (with a pen) or the page detached from the application form and shredded in a cross-cut shredder.
Q. Can I receive paper forms with payment card details in the post?
No. Although, as described above, mechanisms can be put in place to keep cardholder data on paper forms secure, receipt of those forms via the post is not secure, and you must not ask for completed forms to be posted to a University postal address. Contact Finance (firstname.lastname@example.org) for advice on the use of paper forms for collecting payment details. It is possible for you to collect direct debit details in this way.
Q. Can I take payment details over the phone?
You may not take payment details over the University VOIP telephone system. This is because it has been agreed that VOIP is outside the scope of our PCI DSS compliance. You may take payment details over an analogue phone line.
Q. Can I receive payment details via fax?
No, the University does not receive payment details via fax. It has been agreed that our fax machines should be outside the scope of PCI DSS compliance. If you advertise fax numbers, add a note that you do not receive payment by fax. If someone sends you payment details via fax, destroy the fax in a cross-cut shredder, check that no copy is stored on the device, and contact the sender to advise them how they can make a payment.
Q. Can I receive payment details via email?
No. As for faxes, it has been agreed that our email system should remain outside the scope of PCI DSS compliance, and therefore we will not accept card payments via email (or any other electronic means of communication such as SMS, online chat, or messaging). If you advertise email addresses, add a note that you do not receive payments by email. If you receive payment details by email, delete the email, purge it from Deleted Items (and from Recover Deleted Items), and contact the enquirer to tell them how you will receive payment. Do not simply reply to their email, as this will only create another copy of their cardholder data.
Q. Is sQuid PCI compliant?
sQuid is a means of adding credit to an account associated with your campus card via a web interface (http://squidcard.com/uea) much like you might do in London with an Oyster card to pay for trips on public transport. You can use sQuid to pay for items at UEA Catering outlets and other places. sQuid manages its own PCI DSS compliance, and is outside the scope of UEA’s.
Q. Does the data security standard apply to bank account data?
PCI DSS applies to the protection of credit and debit cardholder data (PAN, cardholder name, service code and expiration date) and sensitive authentication data (full track data from the magnetic stripe or equivalent data on the chip, CAV2/CVC2/CVV2/CID, and PIN/PIN block), from a payment card representing one of the founding PCI payment brands (American Express, Discover, JCB, MasterCard, or Visa).
Bank account data, such as branch identification numbers, bank account numbers, sort codes, routing numbers, etc., are not considered payment card data, and PCI DSS does not apply to this information. However, if a bank account number is also a PAN or contains the PAN, then PCI DSS applies.
Q. What is the difference between 'card present' and 'card-not-present' transactions?
When receiving payment with the card present, you would also expect the cardholder to be present. You may then take payment from the card by use of a PIN Entry Device (PED). The cardholder enters the PIN into the PED.
When the card is not present (CNP), the cardholder does not physically present the card. Typically this is how telephone or web purchases are handled. There is an increased risk of fraud with CNP transactions.
Q. I'd like to take payments face-to-face with the card present. What do I need to do to acquire and set up a PIN entry device (PED)?
If you are planning on attaching the PED to the University data network, you must get a PCI-certified, P2PE-compliant device. Alternatively, you can use a PTS-certified, PCI-compliant device that connects via a mobile network SIM, or one that uses an analogue phone line. Contact Finance (email@example.com).
Q. My department is looking at investing in a new information system which includes options to take payments. What do I need to be concerned about?
The system will need to be configured to make use of the University’s approved online payment processor WPM. Contact Finance (firstname.lastname@example.org) in the first instance to review existing payment options available to you. Before any new payment channel is used a formal business case must be made to the CIS Board and ISSC for approval. You must not use a new payment channel without first gaining approval from CIS Board and ISSC. Part of this approval process will assess PCI compliance.
Q. Can I make use of an online system which is hosted off site for handling my business including taking payments by card?
Contact Finance (email@example.com) in the first instance to review existing payment options available to you. Before any new payment channel is used a formal business case must be made to the CIS Board and ISSC for approval. You must not use a new payment channel without first gaining approval from CIS Board and ISSC. Part of this approval process will assess PCI compliance.
Q. I'm an independent business setting up a service on campus which will take payments. Can the University advise me on obtaining PCI compliance?
No, you will need to take responsibility for your own PCI compliance. For further advice, you must contact your acquiring bank. UEA is not able to act as a service provider for businesses. You may use a PED if it is: certified P2PE compliant and attached to the UEA data network; a SIM device connected via a mobile network; or connected via an analogue phone line or some other service provider. You should note that it will not be possible for you to be compliant if you run your online payment (e-commerce) systems through the University data network. Before you start to use PEDs on the University network, you must contact Finance (firstname.lastname@example.org). Finance will need to authorise any business which wants to accept debit and credit card payments.
Q. I'm making arrangements for a third party to be hosted at UEA. They intend to take card payments for themselves. What do I need to do?
You should advise them that UEA is not able to act as a service provider in support of their PCI DSS compliance. Their systems must be configured to use their own merchant IDs. They must not use a University merchant ID. In your contract with the third party, you must include clauses protecting the University from any liabilities associated with processing card payments including those resulting from non-compliance with PCI DSS. Refer to the 3rd party PCI guidance for further information.
Q. Who should I talk with to get advice on taking payments?
Contact Rhoda Wolf in the Finance department (t: 01603 593780, e: R.Wolf@uea.ac.uk).
Q. Is there any more information about the PCI DSS available?
Have a look at the FAQ on the PCI DSS website to see if your question is answered there. https://www.pcisecuritystandards.org/faq/