CUSTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS

CUSTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?

PCI-DSS anyone handling payment card details at UoY must adhere to: Payment Card Industry Data Security Standards treat payment card details as you would cash keep details secure!

PCI-DSS Why must we do this? University must comply with the PCI DSS rules in order to be approved and continue to accept online card payments Non compliance with these standards puts the University at risk for: Large monetary fines charged to your department and/or University Loss of merchant status for department Loss of merchant status for the University of York Reputational damage Failure to do so will place the University at risk of having its license to take card payment revoked and will also be regarded as a disciplinary offence Non-compliance is not an option!

PCI-DSS Where is the information on PCI - DSS? on the Finance website at https://www.york.ac.uk/staff/finance/online-payments/ within the Online Store section look for our Customer Credit and Debit Card Data Management Policy (PDF)

PCI-DSS Compliance requirements It is the University’s Policy not to store credit card numbers on any computer, server, or database. This includes Excel spreadsheets or Word documents etc. Treat payment card receipts like you would cash Keep payment card data secure and confidential Restrict access to card data to “those who need to know"

PCI-DSS Documents containing cardholder data should be kept in a secure environment (i.e. safe, locked file cabinet, etc.) Credit card numbers and security numbers must not be requested by email or other messaging technologies e.g. Facebook, chat, sms Fax transmittal of cardholder data is permissible only if the receiving fax is located in a secure environment e.g. the Cash Office

PCI-DSS Credit card receipts and supporting documentation containing card numbers should have the first 12 digits obliterated immediately after use to confirm payment, can be kept for up to 2 years, but no longer Paper receipts and documents should be destroyed so that account information and security numbers are unreadable and cannot be reconstructed Technology changes that affect payment card systems are required to be approved by the Finance Department prior to being implemented

PCI-DSS Do NOT develop any new systems/software to process card payments Computers or other electronic systems that process payment cards (including entering card details directly on on-line payment systems (e.g. WPM) must be signed off by Finance as meeting PCI-DSS standards. Report all suspected or known security breaches to the Financial Accounting and IT Security.

PCI-DSS Scope of the policy All machines used to handle credit card payments (e.g. by connecting to the WPM online store as an administrator) must comply with this policy. Failure to comply will place the University at risk of having its license to take card payment revoked and will also be regarded as a disciplinary offence.

PCI-DSS Device (PCs, Laptops, Mobiles, etc.) Settings All devices MUST: Have automatic updates enabled for operating system updates Run a virus checker which is automatically updated Be kept fully up-to-date with all software updates for all software installed on the machine (note that this will be more than just the operating system updates) Be University owned and not personally owned by a member of staff Log anti-virus messages centrally and keep those logs for at least one year Chip and Pin devices must ONLY be used on the correct secure FM network

PCI-DSS Devices (PCs, Laptops, Mobiles, etc.): Must NOT enter card details into a website Must NOT run any peer to peer software Must NOT be used for browsing websites commonly associated with malware, especially pornographic sites or sites that provide illegal software/movies etc.

PCI-DSS Card terminals, used for taking manual payments, must be connected to the secure FM Network on campus. If you’re uncertain about this, please see guidance from IT Services.

PCI-DSS Any problems, any questions? Contact: Ian Smallwood Email: [email protected] Tel: 322123 Jamie Heggarty Email: [email protected] Tel: 322194 Richard Fuller Email via [email protected] Tel: 323838 Compliance details on the Finance website at https://www.york.ac.uk/staff/finance/online-payments/