PCI DSS Compliance

The PCI Security Standards Council was founded by the major credit card brands (including MasterCard, VISA and American Express) in response to the rising levels of card fraud. The result was the introduction of the PCI DSS – a set of requirements governing how cardholder data is transmitted, processed and stored. The University is PCI DSS compliant and an external accreditation audit is carried out annually. All University departments that accept card payments are required to comply with the PCI DSS standards and should be prepared to provide evidence of their adherence to these standards.

The University's approved supplier for all online payments is WPM. If staff need advice about setting up online payments, or if, in rare cases, an alternative supplier is needed, they should contact the Head of Financial Operations to discuss their requirements. In that case a copy of the supplier's up-to-date Attestation of PCI Compliance must be provided to the Head of Financial Operations in advance of implementation.

Training

Training must be undertaken by all staff accepting card payments – please contact cashiers@exeter.ac.uk (please state 'PCI Query' in the subject field) for further guidance, support and access to the PCI training.

Quick Reference Guide

PCI DSS basics

  • Created in 2006 by the Payment Card Industry (PCI)
  • It combined security policies into a Data Security Standard (DSS)
  • It is intended to help protect against fraud
  • To comply you must protect cardholder data
  • Only allow access to data on a need-to-know basis
  • When no longer needed, data must be securely destroyed

Summary objectives

  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

To ensure compliance we must all:

  • Only use University approved systems (for example: Sales/PDQ terminal)
  • Keep merchant data for at least 6 months, then a further 12 months
  • Destroy any personal data when no longer needed
  • Store all printed data securely and control access
  • Ensure card details are NEVER emailed or sent via networked fax
  • Never store personal card data digitally
  • Redact details if scanning