Finance Office. Card Handling Policy

Transcription

1 Finance Office Card Handling Policy Prepared by: Lyndsay Brown Issued: November

2 Contents Page 1 Introduction 3 2 Responsibility 3 3 The PCI Data Security Standard 3 4 PCI DSS Requirements 4 5 Receiving/ obtaining card data 4 6 Processing card data 5 7 Storing card data 6 2

3 1. Introduction This policy deals with the acceptable use and the controls required over receiving, processing and storing information in respect of all card receipts accepted and refunds made by the University. We have three acceptance channels for card receipts accepted and refunds made by the University: 1. Online Payment systems, 2. Hand held chip and pin card terminals, PDQ s (customer present transactions), and 3. Telephone (customer not present transactions). As the University is a merchant that accepts payment cards, it is required to be compliant with the PCI Data Security Standards. PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while compliance with the PCI Security Standards is enforced by the payment card brands (i.e. MasterCard, Visa). The standards apply to all organisations that receive, process or store cardholder data. This policy should be read in conjunction with the Procedures as published on the University Finance website for: Financial Procedures Cash Handling and Banking Procedures Note: wherever a statement in this policy refers to Card, the statement applies to credit, debit, charge, and procurement/ purchasing cards, unless specifically stated otherwise. 2. Responsibility The management and control of information received in respect of cards at the University applies to all members of University staff in Schools and Learning, Teaching and Infrastructure Services handling credit card information. The following procedures must be adhered to: Restrict access to payment card transactions to only those staff that need access to it, Ensure that staff handling payment card data is aware of its importance and confidentiality, It is strictly prohibited to send card details by , store details via electronic methods over the University network (i.e. Excel spreadsheets, Word documents) or write down card details belonging to the payee. This includes occasions when the systems may be unavailable and in such instances the student/ customer should be contacted when the systems return to live mode, Be on the lookout for ways that payment card data could escape from your department without authority e.g. s, paper and minimise risk by following this Policy, The merchant copy of the payment receipt should be stored in a secure location and destroyed as confidential waste. The Treasury team within the Finance Office maintains a list of all members of staff with authorisation to use a hand held chip and pin terminals (PDQ s). It is the responsibility of each location to inform Treasury of changes in staff. 3

4 3. The PCI Data Security Standard PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. It consists of common sense steps that mirror security best practices. 4. PCI DSS Requirements Requirements 1-2 Build and maintain a secure network These sections are not covered by this policy refer to Information Services policies. Requirements 3-4 Protect cardholder data These sections are covered by this policy and primarily state that the University should not store or transmit card and transaction data unnecessarily. Organisations accepting payment cards are expected to protect cardholder data and prevent their unauthorised use. Requirements 5-6 Maintain a vulnerability management programme As for requirements 1-2, these sections are not covered by this policy. Requirements 7-9 Implement robust control measures / Control access to card data These sections are covered by this policy and deal with access to card data, which should be limited to when there is a business requirement and restricted to relevant staff only. Requirements Regularly monitor and test your computer networks As for requirements 1-2, these sections are not covered by this policy refer to Information Services. Requirement 12 Make information security a priority This section is covered by this policy and requires all employees are aware of the importance of card data security. 5. Receiving/ obtaining card data Card data should be received by appropriate methods only: Preferably by directing the cardholder/ payee to the Online Payments Systems asking them to process their payment through the online system. If the student is using University PC s to process the payment they should be directed to use the dedicated virtual terminals at the Base. or if not applicable to the source of income being collected Using face-to-face chip & pin transactions, where the customer is present and able to enter their card details directly into the card terminal. Receiving card payments where the customer is not present, is discouraged, but if it is necessary, the preferred method is to receive the card details by phone and enter them immediately into the card terminal or the administration area of the Online Payment system (Finance only). If you are in a Department where there is no card terminal the payee must be asked to phone Finance on who will process the transaction. It is strictly prohibited to send card details by , store via electronic methods over the University network (i.e. Excel spreadsheets, Word documents) or write down card details 4

5 belonging to the payee. This includes occasions when the systems may be unavailable and in such instances the student/ customer should be contacted when the systems return to live mode. 6. Processing card data Card receipts are accepted and refunds are made by the University via three acceptance channels: 1. Online Payment systems, 2. Hand held chip and pin card terminals, PDQ s (customer present transactions), and 3. Telephone (customer not present transactions). Online Payment Systems The Online Payment system and Online Store is provided by WPM Education (WPM). WPM is classed as a level 1 service provider under the standard and, as such, has an annual independent audit carried out to certify this compliance. WPM has been certified as compliant since March WPM Education solutions prevent card payment data from entering the University s environment by processing the payment data on its own fully PCI DSS compliant servers, transferring only fully encrypted data back and forth to the university or college. This removes the risk from the University as no card payment data is present on the University servers. HOW IT WORKS 1. Payee visits University website and selects to pay a fee, set up recurring billing/ payment plan or add a product or service to the shopping basket. 2. Customer is seamlessly redirected to WPM Education's Secure Payment Pages. 3. The payee enters their payment details into the system. The PCI DSS risk is completely removed from the University as no card details are submitted or stored within the University's network. 4. WPM Education transfers the data to the credit card network and completes the transaction. 5. Result of payment is displayed to the customer. 5

6 As the Online Payment System and Online Store are covered by WPM Education's compliance the use of these systems by the payee is not covered by this policy. Hand held chip and pin terminals (PDQ s) All terminals are provided by FEXCO and are set up using analogue telephone lines. Cardholder data is not transmitted via the University servers. If a new terminal is required please contact Finance Office in the first instance who will liaise with Information Services and Facilities to ensure the correct set up of the terminal. Telephone Transactions taken over the telephone are customer not present transactions. The card details must be entered directly to the administration area of the Online Payment systems or directly to the terminal. Under no circumstance should card details be written down. 7. Storing card data The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data wherever it is received, processed or stored. The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN the primary account number printed on the front of a payment card (16 digit number). The University must never electronically store sensitive authentication data after authorisation. Sensitive data includes data that is printed on a card, card verification codes (CVC s), data stored on a card s magnetic stripe or chip and personal identification numbers entered by the cardholder. The customer and merchant copy of the card terminal receipt rolls will include the partial and full PAN respectively. The customer copy must be returned direct to the customer. The merchant copy of the card terminal receipt roll must be stored securely in a locked location. It is important the merchant copy is placed in the locked location directly after processing of each transaction. Receipts can be stored for a maximum of 6 months before being destroyed as confidential waste. It is the responsibility of the location storing the merchant receipt for ensuring its safekeeping. 6