Finance & Ecommerce Systems

Transcription

1 Finance & Ecommerce Systems Prepared by: Colette Elson Issued: November 2013 November 2013 Page 1

2 Contents Page 1 Introduction 2 Responsibility 3 The PCI Data Security Standard 4 PCI DSS Requirements 5 Receiving cardholder data 6 Processing cardholder data 7 Storing cardholder data Note: wherever a statement in this policy refers to Card the statement applies to credit, debit, charge and procurement/purchasing cards, unless specifically stated otherwise November 2013 Page 2

3 1. Introduction This policy outlines acceptable use and controls set by the University of Reading with regard to receiving, processing and storing information in respect of all card payments and refunds. We have three available channels for accepting card payments 1. Online payments 2. Hand held chip and pin card terminals, PDQ s (customer present) 3. Telephone (customer not present) As a Merchant that accepts card payments the University must meet Payment Card Industry Data Security Standards. These requirements are in place to protect cardholder data and are reinforced by payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. 2. Responsibility It is the responsibility of all University staff to ensure the safety of card holder data. The following procedures must be adhered to: Restrict card payment transactions to those staff that need access to it Ensure that members of staff handling card holder data are aware of its importance, confidentiality and the potential risk of it leaving the secure environment. It is strictly prohibited to send card details by , store details via electronic methods over the University network (i.e. Excel spread sheets, Word documents) or write down on paper. This includes occasions when the systems may be unavailable. In this scenario the user should be informed when the systems are up and running again and asked to go back and make payment The merchant copy of the payment receipt should be stored in a secure location and destroyed after 18 months as confidential waste. The Finance team maintain a list of all members of staff who have access or authority to use hand held chip and pin terminals or PDQ s. It is up to the individual departments to update Finance with details of new starters however there will also be annual checks put in place. 3. The PCI Data Security Standard Introduced in 2006 after a number of high profile fraud cases, the PCI Security Standards Council was set up to act as an open global forum "responsible for the development, management, education, and awareness of the PCI Security Standards. The following standards were put in place to ensure that all businesses storing, transmitting or processing card data are not putting their customers at risk of data theft and fraud. November 2013 Page 3

4 4. PCI DSS Requirements Requirements 1-2 Build and maintain a secure network These sections are not covered by this policy refer to ITS policies Requirements 3-4 Protect cardholder data These sections are covered by this policy where our main focus is to ensure the University does not store or transmit card and transaction data unnecessarily. ALL organisations accepting card payments are required to protect this data to prevent fraudulent access. Requirements 5-6 Maintain a vulnerability management programme As for requirements 1-2, these sections are not covered by this policy refer to ITS policies Requirements 7-9 Implement strong access control measures These sections are covered by this policy and deal specifically with access to cardholder data, restricting on a business need to know basis including physical access. Requirements Regularly monitor and test networks As for requirements 1-2, these sections are not covered by this policy refer to ITS policies Requirement 12 Maintain an information security policy This section is covered by this policy and requires all University employees to be aware of the importance of card data security and their role in preventing unauthorised access. 5. Receiving cardholder data Cardholder data should be received by the below methods only: By directing the cardholder/payee to an Online Payments System Using face to face chip & pin where the customer is present and able to enter their card details directly into the terminal. Although receiving customer not present card payments are discouraged the preferred method is to receive details via the telephone to be entered directly into the system using the administration area of an online payment systems (Receipts Office Only) PLEASE DO NOT WRITE CARD DETAILS DOWN or SEND VIA END-USER MESSAGING TECHNOLOGIES (such as or text message) instead please ask your customer to call the Receipts Office on +44 (0) to process the payment immediately. It is strictly prohibited to send card details by , store via electronic methods over the University Network (i.e. Excel spread sheets, Word documents) or write down 6. Processing card holder data Card payments are accepted and refunded to the original card by the University via these two channels: Online Payment Systems admin areas Hand held chip and pin card terminals November 2013 Page 4

5 Online Payment Systems We use many different systems across the University because they are not only convenient but a safe and secure way to take payment due to the fact they process the cardholder data offsite. Using PCI Compliant 3 rd party websites removes the risk from the University as no card payment data is stored on the University servers. We are working to make sure ALL our systems are managed like this. EXAMPLE OF HOW IT WORKS WPM Online Store 1. Payee visits institution's website and selects to pay a fee. 2. Customer is seamlessly redirected to WPM Education's Secure Payment Pages. 3. The payee enters their payment details into the system. The PCI DSS risk is completely removed from the institution as no card details are submitted or stored within the institution's network. 4. WPM Education transfers the data to the credit card network and completes the transaction. 5. Result of payment is displayed to the customer. Hand held Chip and Pin terminals (PDQ s/ped s) Our terminals are from a range of providers connected via either Wifi, the network or telephone line. If a new terminal is required please contact Finance Office Simon Mealor Telephone Transactions taken over the telephone are considered Customer not present transactions and should be avoided. Card details must be entered directly into the administration area by approved staff only* and in no circumstances written down. *Receipts Office November 2013 Page 5

6 7. Storing card holder data The goal of the PCI Data Security Standard (PCI DSS) is to ensure the highest level of protection of card holder data this includes receiving, storing and processing. When it comes to storing card details the general rule is if you don t need it, don t store it! If the data doesn t serve a valuable business purpose, consider eliminating it. Ask yourself Is the storage of this data and the business processes it supports worth the following? i. The risk of having the data compromised ii. The additional PCI DSS efforts that must be applied to protect that data iii. The on-going maintenance efforts to remain PCI DSS compliant over time. Processing payments on a PDQ terminal generates 2 till receipts. The customer copy must be returned direct to the customer. The merchant copy must be stored securely in a locked location. It is important the merchant copy is stored in the locked location directly after processing of each transaction. Receipts can be stored for a maximum of 18 months before being destroyed as confidential waste. It is the responsibility of the location storing the merchant receipt for ensuring its safekeeping. The University must never electronically store sensitive authentication data after authorisation. Sensitive data includes: full track contents of the magnetic strip or chip (which holds information about the card and cardholder) card verification codes and values CVC or CVV (the 3 digits on the back of card) PINs and PIN blocks (personal identification number) November 2013 Page 6