This procedure applies to all University staff, contractors or other parties who, in the course of doing business on behalf of the University, are involved in processing, storing or transmitting payment card data.

Responsible Officer: Chief Financial Officer
Implementation Officer: Director, Corporate Finance

First approved by: Vice-Chancellor on 26 August 2013

Amendments approved by:
CFO on 17 April 2014 (proposed changes);
CFO on 18 June 2014 (largely procedural and administrative changes - new clauses 15, 19 and 24a and b)




Payment Card Security Procedure


This procedure was approved by the Vice-Chancellor on 26 August 2013 and incorporates all amendments to 18 June 2014.
This procedure is made pursuant to the Payment Card Security Policy and has as a schedule: Schedule A - Payment Card Security Agreement.
PURPOSE

This procedure prescribes the processes for the University to meet the PCI-DSS requirements in relation to the processing, storage and transmission of payment card information.

SCOPE

This procedure applies to all University staff, contractors or other parties who, in the course of doing business on behalf of the University, are involved in processing, storing or transmitting payment card data.

DEFINITIONS

Analogue Facsimile: Transmission of scanned printed material (both text and images) to a telephone number connected to a printer or other output device.

CVC2: Card Validation Code. This is the three-digit security code on the back of a credit card issued by MasterCard.

CVV2: Card Verification Value. This is the three-digit security code on the back of a credit card issued by Visa and Discover.

CDE: Cardholder Data Environment (in Deakin's case, this refers to the EFTPOS devices only).

EFTPOS: Electronic Funds Transfer Point of Sale.

Payment card: Any credit or debit card accepted by the University.

VoIP: Voice over Internet Protocol.

VoIP Facsimile: Transmission of scanned printed material (both text and images) to (or from) a telephone number connected to a device as an email attachment through the Internet.

PROCEDURE
Staff that can handle payment data
1. Only authorised and properly trained staff may accept and/or access payment card information.
2. Staff accepting credit and debit card payments on behalf of Deakin University must on an annual basis:
a) Complete the on-line training module specifically tailored to Customer Service/Cashiering staff;
b) Sign the Payment Card Security Agreement to confirm his/her understanding of, and agreement to comply with, all University payment card policies, directives and procedures as well as the PCI-DSS, and to confirm that they have undertaken the on-line training module in the last 12 months. These agreements are to be forwarded to the Director, Corporate Finance by 31 January each year, and retained on the Deakin records management system.
3. All staff must complete the on-line awareness training module upon commencement at Deakin.
Accepting payment cards
4. Capabilities to accept and process payment card information can only be established through Corporate Finance, after approval from the Director, Corporate Finance. A listing of all such areas shall be maintained by Corporate Finance.
Acceptable payment methods
5. Payment card data will only be accepted by the University via these payment methods:
a) EFTPOS machine
b) online (via One Stop or an approved alternate payment system)
c) in-person
d) telephone
e) mail-in
f) dedicated analogue fax.
6. Payments must not be accepted and processed if the cardholder provides payment card information via email or VoIP fax. If such information is received from a cardholder:
a) a reply must be sent to the cardholder with the payment data deleted from the reply, stating that ‘Deakin University does not accept payment card information via email or VoIP facsimile as these transmission methods are not secure’. The customer must also be advised of the acceptable methods of payment, per this procedure;
b) the email must be permanently deleted (that is, deleted from the Deleted Items folder) or the fax securely destroyed using a cross-cut shredder.
7. Cardholder data received via telephone must be processed while the customer is on the line. Writing down a customer’s payment card information to process at a later time is prohibited.
8. Cardholder data may be received via analogue fax only, authorised by Corporate Finance and only if the fax machine is specifically designated for this purpose and is kept in an environment secure from all but the responsible staff, or has PIN access for the responsible staff only.
9. The University does not condone receiving cardholder data on voicemail. In such instances:
a) staff must enter the cardholder data directly into the (EFTPOS) pinpad and then immediately delete the message. If the number is written down, the paper on which the card number has been written should be securely destroyed using a cross-cut shredder immediately after processing the payment; and
b) the cardholder should then be contacted and informed that Deakin University will not process future payment card information left on voicemail. The customer must also be advised of the acceptable methods of payment under this procedure.
10. Cardholder data received via mail or analogue fax must be transferred securely. No cardholder data is to be emailed internally or externally between staff or customers. No cardholder data is to be despatched via internal mail. No cardholder data should be faxed from or to a fax that is not PCI-DSS compliant, i.e. analogue fax, designated in a secure area with access only by staff authorised in handling the data.
Processing or transmitting cardholder data on Deakin University computers
11. Cardholder data is NOT to be entered on a keyboard or stored, processed or transmitted on Deakin University computers, including onto any portable devices such as USB flash drives, compact disks, personal digital assistants, tablets or phones, in any form unless an exemption has been approved in writing by the Director, Corporate Finance (informed by the IT Security Manager) and the appropriate security measures are taken in accordance with PCI-DSS.
Storing cardholder data
12. Hardcopy cardholder data must be stored in a highly secure and protected manner, in a safe or locked filing cabinet that is located in a locked office, and securely destroyed as soon as is practicable for business purposes, using a cross-cut shredder.
13. Credit card security codes (CVV, CVC) are not to be stored or recorded under any circumstances once a transaction has been processed.
14. Where (hard copy) cardholder data is required to be retained for business purposes, the data is not to be retained for longer than six months after the date of transaction processing.
15. Each area that retains cardholder data must institute a process to remove, at least on a quarterly basis, stored cardholder data that exceeds business retention requirements.
16. Cardholder data is not to be stored for chargeback purposes. Storing the first four and last four digits of a cardholder number, along with time, date, transaction identification and amount is sufficient for chargeback.
Disposing cardholder data
17. All hardcopy shred bins must remain locked at all times (until shredding). Staff should make every effort to immediately destroy any printed material containing cardholder data using a cross-cut shredder where available.
Cardholder data collected through EFTPOS machines
18. EFTPOS machines and other such devices used to collect cardholder data IF NOT on a tamper proof stand must be stored in a safe or locked filing cabinet overnight or when unattended, or locked with a PIN, and kept in a secure environment. Tamper evident stickers across the seams of the EFTPOS terminals should also be used if available.
19. Any suspected or perceived tampering or substitution of EFTPOS devices must be immediately reported to the Director, Corporate Finance.
Service providers and third party vendors
20. All service providers and third party vendors that provide payment card services on behalf of the University, including processing, storage or transmission of payment card information, must be PCI-DSS compliant.
21. The University Solicitor will ensure that contracts with service providers and third party vendors (who provide payment card services on behalf of the University) contain a statement that the vendor will maintain their PCI-DSS compliance, provide proof of compliance annually, and advise the University immediately in writing if they become aware of a PCI-DSS breach.
22. The Contract Manager will ensure proof of compliance documents are forwarded to the Director, Corporate Finance by 31 January each year, and retained on the Deakin records management system.
Incident response
23. The Director, Corporate Finance and the Executive Director of eSolutions must establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
On-going compliance requirements
24. The Director, Corporate Finance is responsible for ensuring the University’s compliance with the PCI-DSS and will:
a) Maintain a list of authorised third-party credit card processing vendors and service providers with key business and technical contacts;
b) Maintain a current list of EFTPOS machines and computer systems (e.g., workstations, kiosks, web servers, database servers) involved in the storage, processing, and/or transmission of cardholder data as required by PCI-DSS or other applicable policies and standards;
c) Coordinate quarterly internal network vulnerability scanning of the CDE by eSolutions;
d) Coordinate quarterly external vulnerability scanning by a PCI approved scanning vendor;
e) Perform an annual self-assessment to demonstrate the University’s compliance with the PCI-DSS in consultation with eSolutions (to the merchant banks);
f) Test the incident response plan annually;
g) Provide annual awareness and training program to staff commensurate with staff’s responsibilities; and
h) In consultation with other relevant organisational areas of the University, develop and implement remediation plans for vulnerabilities found in the quarterly scans and for any other areas where the business unit is not PCI-DSS compliant or compliant with this policy. Remediation plans should be fully implemented within one month of identification or earlier based on risk assessment.
Breaches
25. Any suspected or perceived breach in which payment card information has been disclosed, stolen, or misused must be immediately reported to the Director, Corporate Finance and to the University Privacy Officer.
Based on the investigative findings, the University Solicitor will decide if other entities are required to be notified of the breach (e.g. card associations, merchant bank, cardholders, the Victorian Privacy Commissioner).
Exemptions
26. Any request for an exemption from this procedure should be referred to the Director, Corporate Finance for review and recommendation to the Chief Financial Officer for approval. Any such exemptions are to be fully documented and retained on Deakin’s records management system.
ASSOCIATED INFORMATION

Contracts Policy
Credit Card Use Policy
Information and Communications Technology Security Policy
Information and Communications Technology Use Policy
Information and Records Management Policy
Payment Card Industry - Data Security Standards (PCI-DSS)
Privacy Policy
Procurement Policy
Procurement Procedure



Printed copies of this document may not be current. Please refer to The Guide for the most recent version.
Deakin University 2015