Payment Card Industry - Data Security Standard (PCI-DSS) Finance Procedures - Processing of Credit and Debit Card Payments November 2014

Author: Ralf Howard

© University of Leeds 2014 The intellectual property contained within this publication is the property of the University of Leeds. This publication (including its text and illustrations) is protected by copyright. Any unauthorised projection, editing, copying, reselling, rental or distribution of the whole or part of this publication in whatever form (including electronic and magnetic forms) is prohibited. [Any breach of this prohibition may render you liable to both civil proceedings and criminal penalties].

PCI-DSS Finance Procedures

Document Ownership and Management

Standard Authors – Kevin Darley and Dave Neild (PCI-DSS Internal Security Assessors [ISA])
Standard Owner – Nicola Price, Financial Controller

The audience of this document should be aware that a physical copy may not be the latest version. Those to whom these Procedures apply are responsible for familiarising themselves periodically with the latest version and for complying with these requirements at all times.

Version Number: 0-1-0
Date: November 2014
Circulation: http://it.leeds.ac.uk/info/116/policies/638/pci-dss_security_policy
Changes: None
Comments: First formal issue

For information in alternative formats (for example, in Braille, large print or an electronic format), please email [email protected]. You can also contact us by fax 0113 343 5411 or by telephone 0113 343 1118.


1. Introduction

This document is one of a number of documents which support the University’s Payment Card Industry – Data Security Standard (PCI-DSS) Security Policy. It delivers the mandatory Finance Procedures for those University staff who process card payments. It will be reviewed annually as a minimum in accordance with the Standard.

2. Definition

Throughout this document there is reference to:

1. payment card systems – any IT system, till, PIN Entry Device (PED) or Virtual Terminal (VT) associated with the storage, processing or transmission of payment card data; and
2. payment card data – credit and debit card primary account numbers (PAN), expiry date and security code (CVV) number. This data is classified as Highly Confidential in accordance with the University’s Information Protection Policy.

3. Finance Procedures – Processing of Credit and Debit Card Payments

3.1 General Principles

1. Staff who process card payments must adhere to:
   - the University’s PCI-DSS Security Policy; and,
   - the University’s Information Security Policies.
2. The University must comply with the PCI-DSS to secure and protect customer payment card data whatever the method of storage, processing or transmission, and irrespective of the nature of the transaction.
3. Failure to keep payment card data secure could result in fraud being perpetrated, legal action, fines, reputational damage and withdrawal of payment card processing capabilities.
4. Customer payment card details must not be entered or processed on any system or device other than those specifically provided by the University for this purpose.
5. Staff must not capture, record, transmit, process or retain any payment card details on any other University IT system or privately-owned device.
6. Payment card data must not be:
   - transferred to an alternative location for processing;
   - sent via email or instant messaging;
   - saved in any file, such as documents, spreadsheets and databases;
   - recorded in a sound file or captured via a mobile telephone or camera;
   - saved to any external media, such as a memory stick, DVD or external drive.
7. Payment card data must not be used for any other purpose than completing the payment transaction.
8. Access to payment card systems and data must be restricted to staff who are authorised to process card payments.
9. Payment card data must not be disclosed to anyone who is not associated with the transaction.
10. Appropriate security controls must be implemented to stop unauthorised access to payment card systems and payment card data.
11. Payment card details must not be requested by email. Any unsolicited emails that are received containing payment card data may be processed and securely deleted. The customer must be informed not to send payment card details via email again. To securely delete an email:
   - click on the email to highlight it;
   - hold down the shift key whilst pressing the delete key; and
   - click yes in the permanent delete window that pops up.
12. Customer payment card details must not be requested on paper without the authorisation of the University’s Treasury Team. The University’s Treasury Team can advise on more suitable methods of processing card payments, such as the on-line store.
13. Any unsolicited faxes or letters received containing payment card information may be processed, before being cross-cut shredded and the customer informed not to do this again.
14. All personnel who undertake the processing of payment card data must complete induction and annual refresher training.

3.2 PIN Entry Devices (PED) [1]

15. PEDs must be protected against tampering and substitution:
   - an up to date list of PEDs is to be maintained by the University’s Treasury Team. The list of PEDs is to include the make, model, location and serial number. The list of PEDs must be updated when they are added, relocated, or decommissioned;
   - staff operating PEDs are to remain vigilant of suspicious behaviour and report tampering or suspected PED substitution;
   - if a PED is to be maintained or replaced, advance notification will be provided by the University’s Treasury Team;
   - in the event of a third party requesting maintenance access to a PED the authenticity of the engineer must be verified. If the Treasury Team have not provided advance notification of this work, the engineer’s attendance must be checked with the Treasury Team before access to the PED is granted;
   - staff are to familiarise themselves with the following daily procedures for inspecting PEDs; check:
     - the serial number or other characteristics to verify it has not been swapped with a fraudulent PED; and,
     - for tampering such as the addition of a card skimmer or other components.
16. For cardholder not present payment transactions a Personal Identification Number (PIN) is not required and must never be requested.
17. For cardholder present transactions the PIN must never be requested and only be input by the card holder.
18. PEDs are only to be connected to tills or the University’s analogue or digital telephone network and must not be connected to the University campus wired or wireless networks. PEDs must not be moved without prior authorisation of the University’s Treasury Team.
19. By default a PED receipt must be masked (only showing the last 4 digits of the PAN). Only where it has been specifically authorised by the University’s Treasury Team, for refund purposes, can the full PAN be present on the retained copy of the card transaction receipt.
20. Receipts displaying the full PAN must not be retained for longer than 12 months. They must be kept in locked storage with appropriate key management in place, and premises must be locked when unattended. After this period they must be cross-cut shredded.

[1] Also referred to as chip and PIN, POS and PDQ machines.

3.3 Alumni Office, International Medieval Congress and Campaign Centre Procedures

21. All card payments received on paper must be processed as soon as is practically possible and cross-cut shredded immediately after processing. Where payments cannot be processed until the next working day, forms must be kept in locked storage with appropriate key management in place, and premises must be locked when unattended. The payments are then to be processed at the first opportunity.


22. Students participating in Alumni telephone-based fund-raising campaigns are to sign a confidentiality undertaking before being permitted to take payment card details. Signed forms are to be retained by the Alumni Annual Fund Manager.
23. Personnel handling telephone sales must adhere to an agreed script. Where payment card details are provided during a telephone call, these may be written down, processed and cross-cut shredded immediately after the call has ended.
24. The Alumni Campaign Centre VTs must only be used for Alumni fund-raising and the processing of card payments.

3.4 Student Education Services (SES)

25. Where payment card details are provided during a telephone call, these may be written down, processed and cross-cut shredded immediately after the call has ended.
26. The SES VTs must only be used for the processing of card payments. SES office PCs must not be used for the processing of card payments.

3.5 Governance

27. The authority of the University’s Treasury Team must be obtained prior to any new service being commissioned which will involve the storage, processing or transmission of card payments.
28. The agreement of the IT Design Authority must be obtained prior to any new or replacement IT system which will involve the storage, processing or transmission of card payments being implemented. Where applicable, components must be certified as being approved by the PCI Security Standards Council (PCI SSC).
29. The University out-sources the processing of electronic card payments to PCI-DSS Compliant third parties (Service Providers) who process the transactions on our behalf. These can only be engaged on the authority of the University’s Treasury Team and they must be certified as being PCI-DSS compliant.
30. A contract is to be maintained with each Service Provider which includes clauses that:
   - they are to remain compliant to PCI-DSS throughout the term of the contract with the University;
   - they are responsible for the security of cardholder data that they process on behalf of the University; and,
   - the contract becomes null and void should they fail to meet these criteria.
31. It will be verified that each Service Provider remains compliant to PCI-DSS at the anniversary of their contract.
32. Departmental Finance Managers must complete an annual department certificate to confirm full compliance with these procedures.

33. Any questions relating to these Procedures should be directed to the University’s Treasury Team.
