Payment Card Security Policy

This is the current version of this document.

Section 1 - Preamble

(1) This Policy was approved by the Vice-Chancellor on 26 August 2013.

Section 2 - Purpose

(2) The Payment Card Industry Data Security Standards (PCI-DSS) are a set of industry standards to mitigate the risks associated with the handling of payment card data, including fraud and identity theft.

(3) The PCI-DSS applies to all entities (including merchants, processors, acquirers, issuers and service providers) that store, process or transmit data containing the primary account number of a holder of any of the above cards and requires them to comply with certain minimum standards and procedures whenever they do so.

(4) The Payment Card Security Procedure documents how to comply with this Policy. The requirements of the Payment Card Security Procedure are in addition to, and do not derogate from, the requirements of the Privacy Policy.

Section 3 - Scope

(5) This Policy applies to all University staff, contractors or other parties who, in the course of doing business on behalf of the University, are involved in processing, storing or transmitting payment card data.

Section 4 - Policy

(6) The University is committed to safeguarding all payment card data it receives, and complying with PCI-DSS requirements. To support this commitment, the University will use, store, transmit and destroy payment card data in a manner which protects such data from misuse and from unauthorised transactions.

Section 5 - Procedure

(7) Refer to the Payment Card Security Procedure.

Section 6 - Definitions

(8) For the purpose of this Policy:

  1. Merchant: Any person or entity (such as a school/unit) that accepts payment cards as payment for goods and/or services.
  2. Payment Card: Any credit or debit card accepted by the University.
  3. PCI-DSS: Payment Card Industry Data Security Standards, developed by the PCI Security Standards Council.