• Section 1 - Preamble
• Section 2 - Purpose
• Section 3 - Scope
• Section 4 - Policy
• Section 5 - Procedure
• Staff that can handle payment card data
• Accepting payment cards
• Acceptable payment methods
• Processing or transmitting cardholder data on Deakin University computers
• Storing cardholder data
• Cardholder data collected through EFTPOS machines
• Service providers and third party vendors
• Incident response
• On-going compliance requirements
• Breaches
• Exemptions
• Section 6 - Definitions

Section 1 - Preamble

(1) This Policy is effective from 23 May 2022.

Section 2 - Purpose

(2) The Payment Card Industry Data Security Standards (PCI DSS) are a set of industry standards to mitigate the risks associated with the handling of payment card data, including fraud and identity theft.

(3) The PCI DSS applies to all entities (including merchants, processors, acquirers, issuers and service providers). It focuses on the promotion of consistent security standards to protect cardholder data from fraud and security breaches by defining requirements for ICT systems, networks and manual processes which handle payment card details.

Section 3 - Scope

(4) This Policy applies to all University staff, contractors or other parties who, in the course of doing business on behalf of the University, are involved in processing, storing or transmitting payment card data.

Section 4 - Policy

(5) The University is committed to safeguarding all payment card data it receives, and complying with PCI-DSS requirements. To support this commitment, the University will use, store, transmit and destroy payment card data in a manner which protects such data from misuse and from unauthorised transactions.

Section 5 - Procedure

Staff that can handle payment card data

(6) Only authorised and properly trained staff may accept and/or access payment card information.

(7) Staff accepting credit and debit card payments on behalf of Deakin University must complete the on-line PCI Merchant training module on an annual basis.

(8) All staff who complete training will agree to comply with all University’s policies and procedures as a part of this training. These records will be retained in the University’s Learning Management System (LMS).

Accepting payment cards

(9) Capabilities to accept and process payment card information can only be established through Finance and Procurement, after approval from the Director, University Financials. A listing of all such areas shall be maintained by Finance Services and Support.

Acceptable payment methods

(10) Payment card data will only be accepted by the University via these payment methods:

1. EFTPOS machine
2. online (via an approved payment system)
3. in-person
4. telephone.

(11) Payments must not be accepted and processed if the cardholder provides payment card information via email. If such information is received from a cardholder:

1. a reply must be sent to the cardholder with the payment data deleted from the reply, stating that 'Deakin University does not accept payment card information via email as this transmission method is not secure. The customer must also be advised of the acceptable methods of payment, per this Policy.'
2. the email must be permanently deleted (that is, deleted from the Deleted Items folder).

(12) Cardholder data received via telephone must be processed while the customer is on the line. Writing down a customer's payment card information to process at a later time is prohibited.

(13) The University does not condone receiving cardholder data on voicemail. In such instances:

1. staff must enter the cardholder data directly into the (EFTPOS) pinpad and then immediately delete the message, and
2. the cardholder should then be contacted and informed that Deakin University will not process future payment card information left on voicemail. The customer must also be advised of the acceptable methods of payment under this Policy.

Processing or transmitting cardholder data on Deakin University computers

(14) Cardholder data is not to be entered via a keyboard or stored, processed or transmitted on Deakin University computers including onto any portable devices as USB flash drives, compact disks, personal digital assistants, tablets or phones, in any form. 

Storing cardholder data

(15) Hardcopy cardholder data must not be collected or stored in any format. This includes the card number, expiry date/and or credit card security codes (CVV2, CVC2 and CID).

Cardholder data collected through EFTPOS machines

(16) EFTPOS machines and other such devices used to collect cardholder data if not on a tamper proof stand must be stored in a safe or locked filing cabinet overnight or when unattended, or locked with a PIN, and kept in a secure environment. Tamper evident stickers across the seams of the EFTPOS terminals should also be used if available.

(17) Any suspected or perceived tampering or substitution of EFTPOS devices must be immediately reported to the Director, Financial Services and Support.

Service providers and third party vendors

(18) All service providers and third party vendors that provide payment card services on behalf of the University, including processing, storage or transmission of payment card information, must be PCI DSS compliant.

(19) General Counsel will ensure contracts with service providers and third party vendors (who provide payment card services on behalf of the University) contain a statement that the vendor will maintain their PCI DSS compliance and provide proof of compliance annually and advise the University immediately in writing if they become aware of a PCI DSS breach.

(20) Local area contacts with service providers will ensure proof of compliance documents are forwarded to the Director, Financial Services and Support annually and retained on the Deakin records management system.

Incident response

(21) The Director, Financial Services and Support must maintain security incident response procedures.

On-going compliance requirements

(22) The Director, Financial Services and Support is responsible for ensuring the University's compliance with the PCI DSS and will:

1. Maintain a list of authorised third-party credit card processing vendors and service providers with key business and technical contacts.
2. Maintain a current list of EFTPOS machines and computer systems (e.g., workstations, kiosks, web servers, database servers) involved in the storage, processing, and/or transmission of cardholder data as required by PCI DSS or other applicable policies and standards.
3. If required, coordinate quarterly internal network vulnerability scanning of the CDE by Digital Services.
4. If required, coordinate quarterly external vulnerability scanning by a PCI approved scanning vendor.
5. Perform an annual self-assessment to demonstrate the University's compliance with the PCI DSS in consultation with Digital Services.
6. Test the incident response plan, annually.
7. Provide annual awareness and training program to staff commensurate with staff's responsibilities.
8. In consultation with other relevant organisational units of the University, develop and implement remediation plans for vulnerabilities found in the quarterly scans and for any other areas where the business unit is not PCI DSS compliant or compliant with this Policy. Remediation plans should be fully implemented within one month of identification or earlier based on risk assessment.

Breaches

(23) Any suspected or perceived breach that payment card information has been disclosed, stolen, or misused must be immediately reported to the Director, University Financials. Based on the investigative findings the Director, University Financials will decide if other entities are required to be notified of the breach (e.g. card associations, merchant bank, cardholders).

Exemptions

(24) Any request for an exemption from this Policy should be referred to the Director, University Financials for review and recommendation to the Chief Financial Officer for approval. Any such exemptions are to be fully documented and retained on Deakin's record management system.

Section 6 - Definitions

(25) For the purpose of this Policy and Procedure:

1. CVC2: Card Validation Code. This is the three digit security code on the back of a credit card issued by MasterCard.
2. CVV2: Card Verification Value. This is the three digit security code on the back of a credit card issued by Visa and Discover.
3. CDE: Cardholder Data Environment.
4. CID: The Amex Card Identification number is the 4 digit, non-embossed number printed above the account number of the face of the card.
5. EFTPOS: Electronic Funds Transfer Point of Sale.
6. Payment card: Any credit or debit card accepted by the University.
7. PCI DSS: is a proprietary information security standard for organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM and POS cards defined by the Payment Card Industry Security Standards Council.
8. Merchant: Any person or entity (such as a school/unit) that accepts payment cards as payment for goods and/or services.
9. Payment card: Any credit or debit card accepted by the University.
10. PCI DSS: Payment Card Industry Data Security Standards, developed by the PCI Security Standards Council.