Payment Card Industry Data Security Standard (PCI DSS) awareness
13 Sep 2018
The PCI DSS is a global framework set up by the major payment card brands, including Visa and Mastercard, designed to protect customers' cardholder data when it is received, used, transmitted or stored within the merchant's organisation.
The University is PCI DSS compliant, as this is a mandatory requirement for organisations over a certain size to be able to process card payments.
We are currently being assessed as part of an annual process to ensure we are compliant for another year from the end of September.
Financial fraud involving payment cards totalled £615 million in 2016. Card fraud is still a major problem, but it is reducing because organisations taking card payments are increasing security through their people, processes and technology.
Card data is packaged and sold to fraudsters; it is worth more if personal details are also available. Only this month, British Airways has been the victim of a theft of card payment details.
Potential Impact of card fraud on the University
- Loss of reputation
- Fines and compensation claims
- Increase in charges to accept and process cards
- Impact on customer experience
- Being banned from taking future card payments
How do we tackle card fraud?
All parties involved in processing, storing or transmitting cardholder data must protect that data in accordance with the PCI DSS standard.
- People – All staff taking and supporting card payments are required to undertake the training and must be aware of their role and responsibilities.
- Processes – All processes for taking and supporting card payments must be secure and approved by Finance.
- Technology – The University card payment networks must be physically separated from the wider network and kept secure.
All University staff should be aware of PCI DSS and the implications of non-compliance.
Staff involved in taking card payments should receive appropriate training from members of the Income Office.