PCI Compliance

Introduction

All organisations accepting card payments must meet the Payment Card Industry Data Security Standard (PCI DSS). The standard was first released in 2006 by the Payment Card Industry Security Standards Council, whose members include Visa Inc, MasterCard, American Express, Discover Financial Services and JCB International, with the intention of ensuring that merchants meet the minimum data security standards required when they store, process or transmit cardholder data. The standard was introduced to reduce credit card fraud resulting from the loss of cardholder data.

While compliance with the standard is not required by law, non-compliance can carry heavy fines set by the payment brand, and the size of the fine is determined by the number of card transactions we process. Fines may be charged monthly for as long as we remain non-compliant. Data losses will often include personal data and may therefore also be a breach of the Data Protection Act 1998, liable to attract additional fines of up to £500,000 imposed by the Information Commissioner's Office (ICO).

Compliance with the standard is an ongoing task requiring routine monitoring and checks, and regular assessment by external assessors. It applies to systems, networks, devices, software, databases, processes, staff and third parties - in fact, anything which handles or touches on cardholder data. As UEA is considered to be a Level 3 merchant (in that it handles between 20,000 and 1,000,000 card payment transactions per year), it is required to complete Self-Assessment Questionnaires (SAQs) each year to demonstrate its compliance with the standard.

In addition to PCI, UEA staff must abide by financial legislation and UEA regulations on handling money, such as those on money laundering, which require purchase and credit routes to be clearly defined and properly managed. Further information on financial legislation can be found on the Finance web pages.

Does PCI apply to you?

PCI DSS applies to any person, device or system which manages, handles, processes or disposes of cardholder data.

What does PCI cover?

PCI DSS is a set of 12 basic security requirements. It was put in place to ensure that businesses storing, transmitting or processing card data are not putting their customers or their businesses at risk of data theft and fraud.

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

Definitions

  • Card verification code or value. The three-digit or four-digit card verification code or value printed on the front of the payment card or the signature panel (CVV2, CVC2, CID, CAV2 data).
  • CHD. Cardholder data. This includes the primary account number (PAN), cardholder name, expiration date, and service code.
  • DSS. Data Security Standard.
  • P2PE-HW. Point to point encryption hardware. This type of PED creates a secure communication channel direct from the device to the acquiring bank system through the host (University) data network in order to protect the information conveyed including the customer’s PAN.
  • PAN. Primary Account Number. The customer’s card number.
  • Payment card processing entities. All those bodies involved in the processing of a payment made by payment card. This includes the merchant (UEA in this case), processors, acquirers, issuers, and service providers.
  • PCI. Payment Card Industry.
  • PED. PIN entry device.
  • PIN. Personal identification number.
  • PTS. PIN transaction security.
  • SAQ. Self-Assessment Questionnaire.
  • Sensitive authentication data. This includes the full track data (magnetic stripe data or equivalent on a chip), card verification code or value, and PINs/PIN blocks.
  • Service provider. Any third party organisation which processes CHD on behalf of the University, e.g. a document retention company that stores paper documents that include CHD. PCI DSS Requirements also apply to the service provider to ensure continued protection of the data. Processing includes transmitting, retrieving, storing, and destroying.

Taking payments Face to Face or over the Telephone

Card payments are commonly taken face to face or over the phone using physical devices called PIN Entry Devices (PEDs). These can be either a handheld wireless/mobile device or a device attached to something like a cashier's till or built into a cash point.

For any department to operate a PED device, authorisation will be needed from the Finance department. If you are looking to accept card payments in person or over the phone, you must first contact Finance for advice (Cashiers@uea.ac.uk).

All card payments in person or over the phone using a PED must:

  • Be PCI P2PE-HW compliant if installed on the network or PCI PTS compliant if using a Mobile network such as GPRS or 3G.
  • Have additional security controls applied to all related means for installation of devices, processing, handling and disposing of cardholder data.
  • Be subjected to continual monitoring and frequent auditing by internal and external organisations assessing all processes and infrastructure for PCI compliance.
  • All staff who handle, process or dispose of cardholder data must attend PCI training before undertaking any work with cardholder data.
  • All staff who handle, process or dispose of cardholder data must follow the procedures for accepting, handling and disposing of cardholder data.
  • Any card payments taken over the phone will require the installation or use of an Analogue Phone line. The University VOIP telephone system must not be used.


Taking payments online

Systems that take online payments need security controls in place to ensure they comply with PCI DSS. To avoid this complexity, UEA is implementing a single online payment solution which provides event booking and an online store and enables a variety of card payments. This single online payment solution must be the primary means of taking online payments at UEA, as it is subject to the stringent controls needed to be PCI compliant.

At this time online payments can only be accepted using the PCI compliant WPM service. It is not acceptable to add other payment providers to systems or use externally provided payment solutions.

If you would like to accept payments using e-commerce channels, speak to Finance (cashiers@uea.ac.uk) in the first instance to obtain advice on the systems and tools already available for use.

The use of any other payment channel which is not pre-approved will require a formal business case to be presented to CIS Board and ISSC for approval.

All online payment solutions:

  • Must provide PCI certification annually.
  • Must provide a contract stating who would be responsible in the case of data breaches.
  • Have security controls put in place around the IT infrastructure which links to or transmits data to payment solutions.
  • Have additional security controls applied to all related means for processing, handling and disposing of cardholder data.
  • Be subjected to continual monitoring and frequent auditing by internal and external organisations assessing all processes and infrastructure for PCI compliance.
  • All staff who handle, process or dispose of cardholder data must attend PCI training before undertaking any work with cardholder data.
  • Payments must not be made online by a member of University staff on behalf of the customer.

Online payment solutions which have not been assessed, or are not available for use at this time, include:

  • PayPal
  • Shopify
  • Crowdfunding solutions such as Crowdfunder.co.uk and Crowdcube.com

Our primary focus has been face to face, telephone and online payments via the approved payment solution, the WPM service. We will not be including PayPal as a valid payment route within PCI compliance.

PayPal's own PCI guidance (https://www.paypal.com/uk/webapps/mpp/pci) states: "As a merchant accepting card payments you are required to comply with PCI DSS. As a service provider, PayPal is also required to comply with PCI DSS. The majority of our products can form part of your PCI DSS compliance solution by easing the burden of PCI compliance for you, however, for some of our products you are responsible for ensuring you are compliant."

In order to reduce the impact of PCI on systems, we need to limit the number of systems which form the activity chain leading to a payment gateway. We will monitor this continually and add systems as appropriate.

From a cost perspective, using a single provider also has benefits: because our overall transaction values are higher, we can take advantage of lower per-transaction costs.

In addition to PCI issues, we also need to take account of financial legislation and UEA regulations on matters such as money laundering, which require purchase and credit routes to be clearly defined and properly managed.


Receiving payments by fax or email

Fax machines and email services are considered to be insecure. Therefore at UEA you must not ask customers to email / fax their card details to you.

In your advertising for means of making payment, you should not offer these channels. If you do offer fax or email addresses for contact purposes, you should also make clear that we do not process payments received by fax or email.

If you do receive any card payment details via fax or email, then:

  • You should take a note of the sender's details, then destroy or delete the message. You can then contact the sender to advise them how to make a payment using PCI compliant methods.
  • Do not reply to the original message, as it will contain the card details.
  • Do not forward the message to any other person, as it will contain the card details.
  • If you have a paper copy of the message then this must be kept secure until you are able to securely dispose of it using the approved processes. Disposal of the paper record must take place within 1 working day.

If you would like further advice on approved processes then contact Finance (cashiers@uea.ac.uk).

Receiving payments by post on a paper form

Customers may be asked to provide payment details on a paper document, such as a membership form, application form or purchase request form, and to put the completed form in the post to an address at the University.

However, while this may be suitable for some payment methods (such as direct debit), you are strongly advised against collecting payment card details in this way. We have no direct means of securing the forms once they are received as post at the University, nor during their delivery to the receiving department, so this means of processing card details will be non-compliant.

If you would like to accept payments using paper forms, contact Finance for advice (cashiers@uea.ac.uk).

3rd Parties taking payments on the UEA Network

3rd parties are defined as businesses which are not owned or part of the University of East Anglia. A service provider is any company that stores, processes, or transmits cardholder data on behalf of another entity.

Please note that UEA is unable to act as a service provider to 3rd parties using its network. It is also unable to provide 3rd parties with PCI compliant network zones and supporting infrastructure to allow 3rd party systems to meet PCI compliance.

3rd parties must:

  • Have a written contract with the University which includes a clear statement that the University is not liable in the event of data breaches.
  • Use one of the following types of PED so that cardholder data is not seen on the University network:
    • A SIM device using a mobile phone network
    • A device with a dedicated analogue phone line or internet connection provided by a service provider such as Virgin Media or BT
    • A certified P2PE compliant device
  • Any card payments taken via a telephone will need to be over a dedicated analogue phone line provided by a service provider such as Virgin Media or BT.
  • Any online payment systems should be hosted external to the University and not be dependent on any University infrastructure.
  • Any card payments (online or via a PED) that the 3rd Party is processing, transmitting or storing will be made to a Merchant ID not owned by the University of East Anglia.
  • The 3rd Party will be responsible for ensuring its own compliance with PCI and follow instructions provided by its acquiring bank to gain PCI compliance.

If 3rd parties wish to use the University network and take card payments they will need to gain authorisation from the Finance Department (cashiers@uea.ac.uk).


Reporting an incident

For UEA PED devices, anything suspicious should be reported to departmental supervisors in the first instance. If the managers are not immediately available, incidents should be reported, or where necessary escalated, to the IT Service Desk (it.servicedesk@uea.ac.uk or x2345).

For UEA online payment systems, incidents should be reported or where necessary escalated to the IT Service Desk (it.servicedesk@uea.ac.uk or x2345).

Further Advice

More information and advice on payment options that you can use can be obtained from the Finance Department by contacting Finance (email cashiers@uea.ac.uk).

Links to further guidance

FAQs for PCI Compliance

Q. What is PCI?

PCI stands for the Payment Card Industry. This is an association of organisations which store, process and transmit cardholder data, that is, the sensitive information on credit and debit cards which allows you to make payments. The PCI Security Standards Council was founded by the five major payment brands (American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc.), and they developed the Data Security Standard (DSS) which applies to the handling of cardholder data.

Q. What does PCI apply to at the University?

The PCI DSS applies to all payment streams that involve credit and debit card transactions. This includes all people, systems, devices, connections, procedures, and use of third parties – anyone and anything that handles cardholder data. Specifically, the two Self-Assessment Questionnaires that UEA will complete are SAQ P2PE-HW and A-EP. Further details on the requirements are available from the PCI DSS website.

https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

Q. Are there regular checks to ensure that the University is meeting the PCI's security standard?

Yes, we need to be able to demonstrate that we are meeting the requirements of the standard. This could be via our own checks, those led by Finance or the ISD Compliance team, or by external assessors. There is an annual assessment of our compliance to ensure that not only are we meeting the standard, but that we are continuing to meet the standard.

Q. What are the consequences of not meeting the security standard required by PCI?

If we become non-compliant or fail to meet the standard, we can be fined or lose the ability to take payments by payment card. The level of fines can be significant, and may be applied monthly until a point where we achieve compliance.

Q. What options are there for taking payments for something the University is selling/levying a charge?

There are four ways for receiving payment: cash, bank transfer, sQuid, card via approved PIN Entry Device (meeting PCI DSS) or card via a web interface configured to use the University’s approved online payment processor (WPM). No other payment method can be used. Use of any other payment method could put the University’s PCI DSS compliance at risk and is strictly forbidden.

Q. Can I use PayPal to take online payments?

No, use of PayPal to take online payments is not permitted at this time. If you need to take payment via a web interface, you must use the UEA online store (http://store.uea.ac.uk).

Q. Can I collect payment card information on a paper application form and process it later?

The PCI DSS requires us to keep payment card data secure as it is confidential data. It is possible to collect details on paper, process them via a PIN Entry Device, and then after authorisation of the payment destroy the details on the application form. Any paper record should be destroyed securely within 1 working day of it being received. The cardholder data must either be blacked out (with a pen) or the page detached from the application form and shredded in a cross-cut shredder.

Q. Can I receive paper forms with payment card details in the post?

No. While, as described above, it is possible to put mechanisms in place to keep cardholder data on paper forms secure, their receipt via the post is not secure, and you must not ask for completed forms to be posted to a University postal address. Contact Finance (cashiers@uea.ac.uk) for advice on the use of paper forms for collecting payment details. It is possible for you to collect direct debit details in this way.

Q. Can I take payment details over the phone?

You may not take payment details over the University VOIP telephone system. This is because it has been agreed that VOIP is outside the scope of our PCI DSS compliance. You may take payment details over an analogue phone line.

Q. Can I receive payment details via fax?

No, the University does not receive payment details via fax. It has been agreed that our fax machines should be outside the scope of PCI DSS compliance. If you advertise fax numbers, add a note that you do not receive payment by fax. If someone sends you payment details via fax, destroy the fax in a cross-cut shredder, check that no copy is stored on the device, and contact the sender to advise them how they can make a payment.

Q. Can I receive payment details via email?

No. As for faxes, it has been agreed that our email system should remain outside the scope of PCI DSS compliance, and therefore we will not accept card payments via email (or any other electronic means of communication such as SMS, online chat or messaging). If you advertise email addresses, add a note that you do not receive payments by email. If you receive payment details by email, delete the email, purge your Deleted Items (including the Recover Deleted Items folder), and contact the enquirer to tell them how you will receive payment. Do not simply reply to their email, as this will only create another copy of their cardholder data.

Q. Is sQuid PCI compliant?

sQuid is a means of adding credit to an account associated with your campus card via a web interface (http://squidcard.com/uea) much like you might do in London with an Oyster card to pay for trips on public transport. You can use sQuid to pay for items at UEA Catering outlets and other places. sQuid manages its own PCI DSS compliance, and is outside the scope of UEA’s.

Q. Does the data security standard apply to bank account data?

PCI DSS applies to the protection of credit and debit cardholder data (PAN, cardholder name, service code and expiration date) and sensitive authentication data (full track data from the magnetic stripe or equivalent data on the chip, CAV2/CVC2/CVV2/CID, and PIN/PIN block), from a payment card representing one of the founding PCI payment brands (American Express, Discover, JCB, MasterCard, or Visa).

Bank account data, such as branch identification numbers, bank account numbers, sort codes, routing numbers, etc., is not considered payment card data, and PCI DSS does not apply to this information. However, if a bank account number is also a PAN or contains the PAN, then PCI DSS applies.
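The scope rule just stated (PANs are in scope, bank account numbers and sort codes are not) is exactly what a defensive check on a mailbox or document store has to encode, and it is also what gives the "Receiving payments by fax or email" procedure something to trigger on. The following Python snippet is an added example, my own code rather than anything on the University's page: it scans a constructed email for 13 to 19 digit runs, keeps only those that pass the Luhn checksum (which the page does not mention, but which all the listed card brands apply to the PAN), rejects the sort code and account number in the same message, and reports hits masked to the first six and last four digits. The function names, the sample message and the widely published Visa test number in it are all assumptions of the example.

```python
import re

# Constructed sample message (not from the page): a customer has sent card details by
# email against the policy, alongside bank details and a phone number that are NOT in scope.
# 4111 1111 1111 1111 is a published Visa test number, not a real card.
SAMPLE_EMAIL = """Hi, please take payment from my card 4111 1111 1111 1111, expiry 12/27.
Bank details if you prefer a transfer: 12-34-56 12345678.
Call me on 01234 567890 if there is a problem."""

# A PAN is 13 to 19 digits; people often type it with spaces or hyphens between groups.
# Word boundaries stop an 8-digit account number or an 11-digit phone number from matching.
_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum that every major
    card brand applies to the PAN. Bank account numbers and sort codes carry no
    such check digit, so most of them fail here."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS permits
    to be displayed; the report itself must never contain the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[tuple[int, str]]:
    """Scan text line by line and return (line number, masked PAN) for each
    Luhn-valid candidate. A hit means the message holds cardholder data and the
    page's procedure applies: delete it, do not reply or forward, and contact
    the sender about a compliant payment route."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            # The sort code + account number on line 2 of the sample is 14 digits
            # long and so passes the length filter, but fails Luhn. A Luhn-valid
            # non-card number is still possible, so treat hits as "check this",
            # not as proof.
            if luhn_valid(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_EMAIL):
        print(f"line {lineno}: possible PAN {masked} - cardholder data present, do not reply or forward")
```

Run stand-alone it reports one hit on line 1 of the sample and nothing for the bank details or the phone number. The check is deliberately conservative in what it prints: the masked form is enough for a reviewer to confirm the finding without the scanner's own log becoming a second store of cardholder data.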

Q. What is the difference between 'card present' transactions and 'card-not-present'?

When receiving payment with the card present, you would also expect the cardholder to be present. You may then take payment from the card by use of a PIN Entry Device (PED). The cardholder enters the PIN into the PED.

When the card is not present (CNP), the cardholder does not physically present the card. Typically this is how telephone or web purchases are handled. There is an increased risk of fraud with CNP transactions.

Q. I'd like to take payments face-to-face with the card present. What do I need to do to acquire and set up a PIN entry device (PED)?

If you are planning on attaching the PED to the University data network, you must get a PCI certified P2PE compliant device. Alternatively, you can use a PTS certified PCI compliant device to make a mobile network connection via a SIM, or use an analogue phone line. Contact Finance (cashiers@uea.ac.uk).

Q. My department is looking at investing in a new information system which includes options to take payments. What do I need to be concerned about?

The system will need to be configured to make use of the University’s approved online payment processor WPM. Contact Finance (cashiers@uea.ac.uk) in the first instance to review existing payment options available to you. Before any new payment channel is used a formal business case must be made to the CIS Board and ISSC for approval. You must not use a new payment channel without first gaining approval from CIS Board and ISSC. Part of this approval process will assess PCI compliance.

Q. Can I make use of an online system which is hosted off site for handling my business including taking payments by card?

Contact Finance (cashiers@uea.ac.uk) in the first instance to review existing payment options available to you. Before any new payment channel is used a formal business case must be made to the CIS Board and ISSC for approval. You must not use a new payment channel without first gaining approval from CIS Board and ISSC. Part of this approval process will assess PCI compliance.

Q. I'm an independent business setting up a service on campus which will take payments. Can the University advise me on obtaining PCI compliance?

No, you will need to take responsibility for your own PCI compliance. For further advice, you must contact your acquiring bank. UEA is not able to act as a service provider for businesses. You may use a PED if it is: certified P2PE compliant and attached to the UEA data network; a SIM device connected via a mobile network; or connected via an analogue phone line or some other service provider. You should note that it will not be possible for you to be compliant if you run your online payment (e-commerce) systems through the University data network. Before you start to use PEDs on the University Network, you must contact Finance (cashiers@uea.ac.uk). Finance will need to authorise any business which wants to accept debit and credit card payments.

Q. I'm making arrangements for a third party to be hosted at UEA. They intend to take card payments for themselves. What do I need to do?

You should advise them that UEA is not able to act as a service provider in support of their PCI DSS compliance. Their systems must be configured to use their own merchant IDs. They must not use a University merchant ID. In your contract with the third party, you must include clauses protecting the University from any liabilities associated with processing card payments including those resulting from non-compliance with PCI DSS. Refer to the 3rd party PCI guidance for further information.

Q. Who should I talk with to get advice on taking payments?

Contact Rhoda Wolf in the Finance department (t: 01603 593780, e: R.Wolf@uea.ac.uk).

Q. Is there any more information about the PCI DSS available?

Have a look at the FAQ on the PCI DSS website to see if your question is answered there. https://www.pcisecuritystandards.org/faq/