PCI Compliance

Introduction

All organisations accepting card payments must meet the Payment Card Industry Data Security Standard (PCI DSS). The standard was first released in 2006 by the Payment Card Industry Security Standards Council, whose members include Visa Inc, MasterCard, American Express, Discover Financial Services, and JCB International, with the intention of ensuring that merchants meet the minimum data security standards required when they store, process or transmit cardholder data. The standard was introduced to reduce credit card fraud resulting from the loss of cardholder data.

While compliance with the standard is not required by law, non-compliance can carry heavy fines set by the payment brand, and the size of the fine is determined by the number of card transactions we process. Fines may be charged monthly for as long as we remain non-compliant. Data losses will often include personal data, and therefore may also be a breach of the Data Protection Act 1998, liable to attract additional fines of up to £500,000 imposed by the Information Commissioner's Office (ICO).

Compliance with the standard is an ongoing task requiring routine monitoring and checks, and regular assessment by external assessors. It applies to systems, networks, devices, software, databases, processes, staff and third parties - in fact, anything which handles or touches on cardholder data. As UEA is considered to be a Level 3 merchant (in that it handles between 20,000 and 1,000,000 card payment transactions per year), it is required to complete Self-Assessment Questionnaires (SAQs) each year to demonstrate its compliance with the standard.

In addition to PCI DSS, UEA staff must abide by financial legislation and UEA regulations on the handling of money, such as anti-money-laundering rules, which require purchase and credit routes to be clearly defined and properly managed. Further information on financial legislation can be found on the Finance web pages.

Does PCI apply to you?

PCI DSS applies to any person, device or system which manages, handles, processes or disposes of cardholder data.

What does PCI cover?

PCI DSS is a set of 12 basic security requirements. It was put in place to ensure that businesses storing, transmitting or processing card data are not putting their customers or their businesses at risk of data theft and fraud.

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

Definitions

  • Card verification code or value. The three-digit or four-digit card verification code or value printed on the front of the payment card or the signature panel (CVV2, CVC2, CID, CAV2 data).
  • CHD. Cardholder data. This includes the primary account number (PAN), cardholder name, expiration date, and service code.
  • DSS. Data Security Standard.
  • P2PE-HW. Point to point encryption hardware. This type of PED creates a secure communication channel direct from the device to the acquiring bank system through the host (University) data network in order to protect the information conveyed including the customer’s PAN.
  • PAN. Primary Account Number. The customer’s card number.
  • Payment card processing entities. All those bodies involved in the processing of a payment made by payment card. This includes the merchant (UEA in this case), processors, acquirers, issuers, and service providers.
  • PCI. Payment Card Industry.
  • PED. PIN entry device.
  • PIN. Personal identification number.
  • PTS. PIN transaction security.
  • SAQ. Self-Assessment Questionnaire.
  • Sensitive authentication data. This includes the full track data (magnetic stripe data or equivalent on a chip), card verification code or value, and PINs/PIN blocks.
  • Service provider. Any third party organisation which processes CHD on behalf of the University, e.g. a document retention company that stores paper documents that include CHD. PCI DSS Requirements also apply to the service provider to ensure continued protection of the data. Processing includes transmitting, retrieving, storing, and destroying.

Taking payments Face to Face or over the Telephone

Commonly, card payments are taken face to face or over the phone using physical devices called PIN Entry Devices (PEDs). These can be either a handheld wireless/mobile device or a device attached to something like a cashier's till or built into a cashpoint.

For any department to operate a PED, authorisation will be needed from the Finance department. If you are looking to accept card payments in person or over the phone, you must first contact Finance for advice (Cashiers@uea.ac.uk).

All card payments in person or over the phone using a PED must:

  • Be PCI P2PE-HW compliant if installed on the network, or PCI PTS compliant if using a mobile network such as GPRS or 3G.
  • Have additional security controls applied to all related means for installation of devices, and for processing, handling and disposing of cardholder data.
  • Be subjected to continual monitoring and frequent auditing by internal and external organisations assessing all processes and infrastructure for PCI compliance.
  • All staff who handle, process or dispose of cardholder data must attend PCI training before undertaking any work with cardholder data.
  • All staff who handle, process or dispose of cardholder data must follow the procedures for accepting, handling and disposing of cardholder data.
  • Any card payments taken over the phone will require the installation or use of an analogue phone line. The University VoIP telephone system must not be used.


Taking payments online

Systems that take online payments need to have security controls put in place to ensure they comply with PCI DSS. To avoid this complexity, UEA is implementing a single online payment solution which provides event booking and an online store, and enables a variety of card payments. This single online payment solution must be the primary means for taking online payments at UEA, as it is subject to the stringent controls needed to be PCI compliant.

At this time online payments can only be accepted using the PCI compliant WPM service. It is not acceptable to add other payment providers to systems or use externally provided payment solutions.

If you would like to accept payments using e-commerce channels, speak to Finance (cashiers@uea.ac.uk) in the first instance to obtain advice on the systems and tools already available for use.

The use of any other payment channel which is not pre-approved will require a formal business case to be presented to the CIS Board and ISSC for approval.

All online payment solutions:

  • Must provide PCI certification annually.
  • Must provide a contract stating who would be responsible in the case of data breaches.
  • Have security controls put in place around the IT infrastructure which links to or transmits data to payment solutions.
  • Have additional security controls applied to all related means for processing, handling and disposing of cardholder data.
  • Be subjected to continual monitoring and frequent auditing by internal and external organisations assessing all processes and infrastructure for PCI compliance.
  • All staff who handle, process or dispose of cardholder data must attend PCI training before undertaking any work with cardholder data.
  • Payments must not be made online by a member of University staff on behalf of the customer.

Online payment solutions which have not been assessed, or are not available for use at this time, include:

  • PayPal
  • Shopify
  • Crowdfunding solutions such as Crowdfunder.co.uk and Crowdcube.com

Our primary focus has been face to face, telephone and online payments via the approved payment solution, the WPM service. We will not be including PayPal as a valid payment route within PCI compliance.

"As a merchant accepting card payments you are required to comply with PCI DSS. As a service provider, PayPal is also required to comply with PCI DSS. The majority of our products can form part of your PCI DSS compliance solution by easing the burden of PCI compliance for you, however, for some of our products you are responsible for ensuring you are compliant."

Source: https://www.paypal.com/uk/webapps/mpp/pci

In order to reduce the impact of PCI on systems, we need to limit the number of systems which form the activity chain leading to a payment gateway. We will continually monitor this and add systems as appropriate.

From a cost perspective, using a single provider has additional benefits, as we can take advantage of lower per-transaction costs through our higher overall transaction values.

In addition to PCI issues, we also need to take account of financial legislation and UEA regulations regarding such things as money laundering, which require purchase and credit routes to be clearly defined and properly managed.


Receiving payments by fax or email

Fax machines and email services are considered to be insecure. Therefore, at UEA you must not ask customers to email or fax their card details to you.

In your advertising for means of making payment, you should not offer these channels. If you do offer fax or email addresses for contact purposes, you should also make clear that we do not process payments received by fax or email.

If you do receive any card payment details via fax or email, then:

  • You should take a note of the sender's details, then destroy or delete the message. You can then contact the sender to advise them how to make a payment using PCI compliant methods.
  • Do not reply to the original message, as it will contain the card details.
  • Do not forward the message to any other person, as it will contain the card details.
  • If you have a paper copy of the message, then this must be kept secure until you are able to securely dispose of it using the approved processes. Disposal of the paper record must take place within 1 working day.

If you would like further advice on approved processes then contact Finance (cashiers@uea.ac.uk).

Receiving payments by post on a paper form

Customers may be asked to provide payment details on a paper document, such as a membership form, application form or purchase request form, and to put the completed form in the post to an address at the University.

However, while this may be suitable for some payment methods (such as direct debit), you are strongly advised against collecting payment card details in this way. We have no direct means of securing the forms after they are received as post at the University, nor during their delivery to the receiving department, and consequently this means of processing card details is non-compliant.

If you would like to accept payments using paper forms, contact Finance for advice (cashiers@uea.ac.uk).

3rd Parties taking payments on the UEA Network

3rd parties are defined as businesses which are not owned or part of the University of East Anglia. A service provider is any company that stores, processes, or transmits cardholder data on behalf of another entity.

Please note that UEA is unable to act as a service provider to 3rd parties who are using its network. It is also unable to provide 3rd parties with PCI compliant network zones and supporting infrastructure to allow 3rd party systems to meet PCI compliance.

3rd parties must:

  • Have a written contract with the University which includes a clear statement that the University is not liable in the event of data breaches.
  • Use one of the following types of PED so that cardholder data is not seen on the University network:
    • A device using a SIM on a mobile phone network
    • A device with a dedicated analogue phone line or internet connection provided by a service provider such as Virgin Media or BT
    • A certified P2PE compliant device
  • Any card payments taken via a telephone will need to be over a dedicated analogue phone line provided by a service provider such as Virgin Media or BT.
  • Any online payment systems should be hosted external to the University and not be dependent on any University infrastructure.
  • Any card payments (online or via a PED) that the 3rd party is processing, transmitting or storing will be made to a Merchant ID not owned by the University of East Anglia.
  • The 3rd party will be responsible for ensuring its own compliance with PCI DSS and will follow the instructions provided by its acquiring bank to gain PCI compliance.

If 3rd parties wish to use the University network and take card payments, they will need to gain authorisation from the Finance Department (cashiers@uea.ac.uk).


Reporting an incident

For UEA PEDs, anything suspicious should be reported to departmental supervisors in the first instance. If the managers are not immediately available, incidents should be reported, or where necessary escalated, to the IT Service Desk (it.servicedesk@uea.ac.uk or x2345).

For UEA online payment systems, incidents should be reported or where necessary escalated to the IT Service Desk (it.servicedesk@uea.ac.uk or x2345).

Further Advice

More information and advice on the payment options available to you can be obtained from the Finance Department (email cashiers@uea.ac.uk).
