(1) This Policy is effective from 2 July 2020. (2) The Payment Card Industry Data Security Standards (PCI DSS) are a set of industry standards to mitigate the risks associated with the handling of payment card data, including fraud and identity theft. (3) The PCI DSS applies to all entities (including merchants, processors, acquirers, issuers and service providers). It focuses on the promotion of consistent security standards to protect cardholder data from fraud and security breaches by defining requirements for ICT systems, networks and manual processes which handle payment card details. (4) This Policy applies to all University staff, contractors or other parties who, in the course of doing business on behalf of the University, are involved in processing, storing or transmitting payment card data. (5) The University is committed to safeguarding all payment card data it receives, and complying with PCI-DSS requirements. To support this commitment, the University will use, store, transmit and destroy payment card data in a manner which protects such data from misuse and from unauthorised transactions. (6) Only authorised and properly trained staff may accept and/or access payment card information. (7) Staff accepting credit and debit card payments on behalf of Deakin University must on an annual basis complete the on-line PCI Merchant training module. (8) All relevant staff must complete the on-line PCI Merchant training module upon commencement at Deakin University. (9) All staff who complete training will agree to comply with all University’s policies and procedures as a part of this training. These records will be retained in the University’s Learning Management System (LMS). (10) Capabilities to accept and process payment card information can only be established through Corporate Finance, after approval from the Director, Corporate Finance. A listing of all such areas shall be maintained by Corporate Finance. (11) Payment card data will only be accepted by the University via these payment methods: (12) Payments must not be accepted and processed if the cardholder provides payment card information via email. If such information is received from a cardholder: (13) Cardholder data received via telephone must be processed while the customer is on the line. Writing down a customer's payment card information to process at a later time is prohibited. (14) The University does not condone receiving cardholder data on voicemail. In such instances: (15) Cardholder data received via mail must be transferred securely. No cardholder data is to be emailed internally or externally between staff or customers. No cardholder data is to be despatched via internal mail. (16) Cardholder data is not to be entered on a keyboard or stored, processed or transmitted on Deakin University computers including onto any portable devices as USB flash drives, compact disks, personal digital assistants, tablets or phones, in any form unless an exemption has been approved in writing by the Director, Corporate Finance (informed by the Manager Information Systems - Security and Risk) and the appropriate security measures are taken in accordance with PCI DSS. (17) Hardcopy cardholder data must be stored in a highly secure and protected manner, in a safe or locked filing cabinet that is located in a locked office, and securely destroyed as soon as is practicable for business purposes, using a cross-cut shredder. (18) Credit card security codes (CVV2, CVC2 and CID) are not to be stored or recorded under any circumstances once a transaction has been processed. (19) Where (hard copy) cardholder data is required to be retained for business purposes, the data is not to be retained for longer than six months after the date of transaction processing. (20) Each area that retains cardholder data, must institute a process to remove, at least on a quarterly basis, stored cardholder data that exceeds business retention requirements. (21) Cardholder data is not to be stored for chargeback purposes. Storing the first four and last four digits of a cardholder number, along with time, date, transaction identification and amount is sufficient for chargeback. (22) All hardcopy shred bins must remain locked at all times (until shredding). Staff should make every effort to immediately destroy any printed material containing cardholder data using a cross-cut shredder where available. (23) EFTPOS machines and other such devices used to collect cardholder data if not on a tamper proof stand must be stored in a safe or locked filing cabinet overnight or when unattended, or locked with a PIN, and kept in a secure environment. Tamper evident stickers across the seams of the EFTPOS terminals should also be used if available. (24) Any suspected or perceived tampering or substitution of EFTPOS devices must be immediately reported to the Director, Corporate Finance. (25) All service providers and third party vendors that provide payment card services on behalf of the University, including processing, storage or transmission of payment card information, must be PCI DSS compliant. (26) General Counsel will ensure contracts with service providers and third party vendors (who provide payment card services on behalf of the University) contain a statement that the vendor will maintain their PCI DSS compliance and provide proof of compliance annually and advise the University immediately in writing if they become aware of a PCI DSS breach. (27) Local area contacts with service providers will ensure proof of compliance documents are forwarded to the Director, Corporate Finance annually and retained on the Deakin records management system. (28) The Director, Corporate Finance must maintain security incident response procedures. (29) The Director, Corporate Finance is responsible for ensuring the University's compliance with the PCI DSS and will: (30) Any suspected or perceived breach that payment card information has been disclosed, stolen, or misused must be immediately reported to the Director, Corporate Finance. Based on the investigative findings the Director, Corporate Finance will decide if other entities are required to be notified of the breach (e.g. card associations, merchant bank, cardholders). (31) Any request for an exemption from this Policy should be referred to the Director, Corporate Finance for review and recommendation to the Chief Financial Officer for approval. Any such exemptions are to be fully documented and retained on Deakin's record management system. (32) For the purpose of this Policy and Procedure:Payment Card Security policy
Section 1 - Preamble
Section 2 - Purpose
Section 3 - Scope
Section 4 - Policy
Section 5 - Procedure
Staff that can handle payment card data
Accepting payment cards
Acceptable payment methods
Processing or transmitting cardholder data on Deakin University computers
Storing cardholder data
Disposing cardholder data
Cardholder data collected through EFTPOS machines
Service providers and third party vendors
Incident response
On-going compliance requirements
Breaches
Exemptions
Section 6 - Definitions
View Current
This is the current version of this document. To view historic versions, click the link in the document's navigation bar.