Credit and Debit Card Transaction Procedures. University of Bath

Transcription

1 Credit and Debit Card Transaction Procedures University of Bath

2 Table of Contents Introduction Ethics and Acceptable Use Policies Credit and Debit Card Transactions Protection of Stored Data Protection of Data in Transit Restriction of Access to Data Physical Security Security Awareness and Procedures Third Parties holding Cardholder Data Security Management / Incident Response Plan - 1 -

3 Introduction The security of information related to credit and debit cards has become increasingly important in recent years. As an organisation which processes card-holder data, the University is now obliged to comply with the Payment Card Industry Data Security Standard (PCI/DSS) In the longer term, the University will be moving towards using web-based processing, where the card-holder information is held only by the payment service providers who have enhanced security in place. In the meantime, it is important that the University does not store this sort of data on electronic systems, which may be vulnerable to hacking and other unauthorised access. For this reason, while transaction processing may be carried out electronically, e.g. on credit card terminals, all procedures detailed below which relate to information storage will be paper-based. These procedures cover the security of credit and debit card-related information and must be distributed to all University employees who deal with credit and debit card transactions. Management will review and update the procedures at least once a year to incorporate relevant security needs that may develop. Each employee involved must read the procedures and verify that they have read and understood them. Ethics and Acceptable Use Policies These procedures are subject to the appropriate University Regulations and Policies. Of particular relevance are :- University Policy 12 Business Ethics and Fraud ( IT Security Policy ( An employee s failure to comply with the procedures set forth in this document may result in disciplinary action up to and including the termination of employment

4 Credit and Debit Card Transactions Credit Card Terminals Departments with access to credit card terminals must use them in accordance with the security measures specified with those terminals. Credit card slips should be retained for at least 6 months, to enable chargebacks. However, they must be held securely. They should in any case not be held for longer than 2 years. Departments without terminals Departments who do not have access to a credit card terminal must use the appropriate University pre-printed Credit and Debit Card Transaction Form. There is one form for sending out to customers for them to complete and return. This form can be obtained from the Downloadable Forms sections of the Finance Office web page ( There is also a pre-numbered form for internal departmental use only. This form is obtainable from the Cashier s Office. On occasion, a Department may wish to combine a course or conference enrolment form with the credit/debit card form. All such forms must be agreed in advance of use with the Cashier s Office. It is prohibited to use any other style of form for credit and debit card transactions. Transaction Form - Customer use This form will typically be used where customers are paying for conference or course fees, etc. When a customer expresses an interest, the department sends out a form for payment. The customer will complete cardholder details and card details. The department will complete the payment details, and send the form to the Cashier s Office for processing. It is prohibited to make a copy of completed forms at any time. Transaction Form - Internal use When a department takes cardholder details directly from a customer, either where the customer is present, or over the telephone, they should use this form. These forms are pre-numbered. It is prohibited to make a copy of this form at any time, either before or after completion

5 Where the credit card security code (the 3 to 4 digit code on the back of the card) has been taken to validate a transaction, it should be recorded on the tear-off strip of the Credit and Debit Card Transaction Form. The strip should be separated from the rest of the form and stored separately. Transaction Form - Combined booking form / credit/debit card details The format and use of all such combined forms must be agreed in advance with the Cashier s Office. A copy may be made of the booking section of the form, but never of the card details. Credit/Debit Card Paying-in Advice Account coding for the transactions should be entered on the paying-in advice, which should be sent to the Cashier s Office together with the Transaction Forms. The use of this advice is similar to that of the advices used for the paying in of cash or cheques Protection of Stored Data All sensitive information must be stored securely and disposed of in a secure manner when no longer required for business reasons. Only paper media should be used to store sensitive information, and it must be protected from unauthorised access. Media no longer needed must be destroyed in a manner to render sensitive data irrecoverable (e.g. shredding, etc). If in doubt, please refer to the guidance contained on the web-site :- Department All sensitive information must be stored securely in a locked cupboard or drawer, with access limited to those properly authorised (see below). Credit and debit card information should never be retained in the department for longer than 24 hours (unless over a weekend or Bank Holiday). The card security code and the rest of the cardholder information should be stored separately from each other. Cashier s Office The Cashier s Office will store cardholder information, in the Cashier s safe or in an alternative secure environment, for up to 2 years to enable refunds to be made. Card security code information must be destroyed as soon as it has been used for a particular transaction - 4 -

6 Credit and Debit Card Information Handling Specifics It is prohibited to store the contents of the card magnetic stripe (track data) on any media whatsoever It is prohibited to store the card security code (last 3 or 4 digit value printed on the signature of the card) on any media whatsoever except the tear-off strip from the pre-numbered Credit and Debit Card Transaction Form It is prohibited to store cardholder information on PCs or any other electronic media. Cardholder information is defined as :- o Card account number o Expiry date o Cardholder name (in conjunction with the above) The card security code must never be stored with the cardholder information Destroy cardholder information by a secure method when no longer needed. Media containing card information must be destroyed by shredding or other means of physical destruction that would render the data irrecoverable Protection of Data in Transit Sensitive information should never be transported electronically. Physical transport should always be via a trusted and secure method. Department Cardholder information and card security code should be taken or sent for processing within 24 hours (or immediately after a weekend or Bank Holiday). Separate envelopes should be used for the two types of information - cardholder data to the Cashier s Office, and the card security code to the Cashier s Office Manager in the Finance Office. Cashier s Office Once the card security code information has been matched with appropriate cardholder information and the transaction has been processed, the card security code must be destroyed. Credit and Debit Card Information Handling Specifics Card account numbers must never be ed Media containing card account numbers must only be given to trusted persons for transport within the University

7 Restriction of Access to Data Access to sensitive information should be restricted to those who have a need to know. No employees should have access to card account numbers unless they have a specific job function that requires such access. Access for each such employee must be authorised by their Head of Department and the Director of Finance or her deputy. A list of these employees will be held centrally in the Finance Office. Before authorising an employee to handle credit and debit card transactions, the Head of Department must be satisfied that the employee has read and understood the procedures, and understands how it affects their job. Physical Security Restrict physical access to sensitive information to protect it from those who do not have a need to access that information. Media containing sensitive information must be securely handled and distributed Media containing stored sensitive information should be properly inventoried and disposed of when no longer needed for business reasons, by shredding, etc In areas that may contain sensitive information, be aware of the need to hold such information securely, especially in relation to visitors and others who should not have access to it Cardholder information will be retained by the Cashier s Office in order to enable later refunds. It should not be retained for longer than necessary for business reasons, and in any case never for longer than 2 years. At the end of the period of retention, it must be physically destroyed by shredding, etc. Security Awareness and Procedures Keeping sensitive information secure requires periodic training of employees and contractors to keep security awareness levels high

8 Third Parties holding Cardholder Data The Treasury Accountant will maintain a central list of service providers who hold cardholder data. All third parties with access to card account numbers are contractually obliged to comply with card association security standards (PCI/DSS) Security Management / Incident Response Plan These procedures are subject to the Financial Regulation G14 Irregularities ( In the event of a compromise of sensitive information, the Internal Auditor will oversee the execution of the incident response plan. Incident Response Plan 1. If a compromise is suspected, alert the Internal Auditor ( [email protected] ) 2. The Internal Auditor will conduct an initial investigation of the suspected compromise. 3. If a compromise of information is confirmed, the Internal Auditor will alert management and begin informing parties that may be affected by the compromise. If the compromise involves card account numbers, the Internal Auditor will perform the following :- Contain and limit the extent of the exposure by shutting down any systems or processes involved in the compromise Alert necessary parties (Merchant Bank, Visa Fraud Control, the police, etc) Provide compromised or potentially compromised card numbers to Visa Fraud Control within 24 hours More information - sp_if_compromised.html - 7 -