Payment Card Industry Data Security Standard (PCI DSS) Policy

08/12/2021

Corporate, Finance

The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard created to help organisations that process card payments reduce card fraud by tightening the controls around cardholder data and limiting its exposure to compromise.

It applies to all organisations which receive, process, store or transmit cardholder information. The University is liable to fines from its merchant bank should it fail to comply with PCI DSS. This policy is required to ensure compliance with the Standard.

This policy is mandatory for all staff.

Failure to comply with this policy may result in disciplinary action. Heads of Schools and Departments are responsible for ensuring that their staff are aware of the policy and that it is adhered to.

In the event of a suspected or actual breach of cardholder data, staff must immediately contact the appropriate member of Finance staff.

The Finance member of staff must then contact the parties listed below and ensure that card processing is discontinued immediately.

WPM - Telephone: 01444 250985

Barclays (PDQ’s) – Telephone: 01604 256939

In the first instance customers should make payment for goods and services online using the Online Shop and Online Payment Pathway facilities provided by the University. This is the preferred method and best practice for taking payments.

On completion of a successful payment the online system being used will automatically generate an email payment confirmation to the customer.

This is the only Finance confirmation document that will be received by the customer for the payment. If a customer’s payment has been unsuccessful or declined, the customer in the first instance should contact their card provider.

A common reason for a declined transaction is that the card provider suspects the transaction may be fraudulent; the University is not told the reason for a decline.

If a customer faces difficulty in making a payment then staff assistance can be provided. The customer should be assisted at the time of the enquiry, whether this is in person or via the telephone.

If the payment problem cannot be resolved, then the customer should provide a number to be called back on at a suitable time.

Card details must never be written down by any member of staff for a future payment attempt.

Card details entered into the online systems are captured by the Payment Service Provider, not by the University. No card details are retained by the University and University staff have no access to full card numbers.

Obtaining a PDQ Machine

To request a PDQ machine for your Unit, please contact the nominated person at Point 8 to discuss your requirements.

Use of PDQ Machine

PDQ payments should be processed for customer present transactions only. If the customer is not present then the Online Shop should be used for the payment.

Customer Present With Card

When the customer is present the card should be processed through the PDQ machine according to the machine instructions.

If the transaction is successfully processed, the merchant copy should be stored securely (see Section 5) and the customer copy given to the customer.

If the transaction is declined, the customer should be advised immediately. The option of paying with a different card should be offered. The customer copy stating that the payment was declined should be given to the customer and the merchant copy should be stored securely.

By Telephone

Where card details are provided during a telephone call, they must be keyed directly into the PDQ machine at that time. If they have to be written down, the note must be destroyed securely as soon as the transaction has been processed. Card details given over the telephone must not be repeated back to the customer in a way that is audible to third parties.

If it is not possible to submit the card details immediately then a call back must be requested or offered.

Card Details Received In Writing

Some customers may provide their card payment information in writing for processing, e.g. by fax, in a letter, by email or on a booking form. Customers should be discouraged from providing the information in this manner as it is not secure and there is no guarantee that the details have not been intercepted before being received by the University.

When details have been received by this method they must be processed immediately upon receipt.

Once the payment has been successfully authorised, the original document showing the full card details must be cross cut shredded. If the details have been received by email then the email must be deleted from the Inbox and the Deleted mail folder. If the email requires a response, the card information provided should not be contained within the reply.

In a situation where it is not possible to process the transaction immediately then the details must be stored in a secure environment such as a locked drawer or cabinet. This is only to be actioned in exceptional circumstances.

PDQ Records

If the transaction is successfully processed, the merchant copy should be stored within the till drawer or cash box for the duration of the working day. The customer copy must be sent to the customer.

If the transaction is declined, the customer should be advised immediately and offered the option of paying with a different card. The customer copy stating that the payment was declined should be sent to the customer, and the merchant copy should be stored within the till drawer or cash box for the duration of the working day. Merchant copy receipts must be treated as confidential documents and marked accordingly.

The PDQ machine transaction slips are to be sorted into card type and must be reconciled to the PDQ Z report at the end of business each day. The Z report should then be sent to the Cashiers Section within Finance in a sealed envelope clearly marked Private and Confidential along with the items for banking.

Merchant copies of PDQ receipts must be kept for a rolling year of 12 months, for audit purposes. Merchant copies that have been held for 13 months or more can therefore be destroyed by confidential shredding.

Storing card details on computers in any format (email, Access databases, Excel spreadsheets, USB pen drives, etc.) breaches PCI DSS, renders the University non-compliant and could result in substantial fines from Visa and MasterCard. Compromise of computers that hold cardholder data is one of the most common ways in which fraudsters obtain card details.

Safe and secure storage is defined as:

Within a safe or

Within a locked Cash Box or

Within a locked drawer

All of these should be stored in a locked room, where access is restricted.

Merchant copies of PDQ receipts are retained within each relevant Unit for the rolling 12-month period described above. They are to be filed chronologically and stored in a secure environment as defined in this section.

The refund must be approved by an authorised signatory for the cost centre and then passed to the Cashiers Section, Finance Department. The appropriate system is accessed and the refund is processed back to the source card from which the original transaction was authorised.

If a transaction is older than 90 days, a refund cannot be processed onto the source card for the original transaction. This is due to security measures implemented by the Payment Service Provider (PSP). In this instance the customer should be contacted for alternative details so that the refund can be processed by BACS.

PDQ refunds must be authorised on the PDQ machine using a "Supervisor Card". This card must be kept securely by an authorised signatory.

The refund must be approved by an authorised signatory for the cost centre. The refund should then be processed through the PDQ machine back onto the source card from which the original transaction was authorised.

If the source card is unavailable for the refund to be processed then the customer should be contacted for alternative details for the refund to be processed by BACS. A refund must never be processed onto a card that is not the source transaction card.

All card processing activities of the University must comply with the PCI DSS. No activity or technology may obstruct compliance with the PCI DSS.

All Units must adhere to this Policy to minimise the risk to both Customers and the University. Failure to comply will render the University liable for fines and may also result in Visa and/or MasterCard preventing transactions from being processed by the University.

A third party company is under contract to monitor University compliance with PCI DSS through annual Self-Assessment Questionnaire (SAQ) reviews.

The Finance Department will undertake periodic reviews of PCI DSS compliance across the University and may conduct inspections of Schools/Departments responsible for processing card transactions to identify threats and vulnerabilities.

The University may screen potential employees to minimise the risk of attacks from internal sources.

The University will contractually require all third parties with access to cardholder data to adhere to PCI DSS requirements. These contracts will clearly define information security responsibilities for contractors.

If you have difficulties implementing or complying with any aspect of this policy, you should contact the appropriate member of University staff.

In the event of a breach contact – Martin Taylor Assistant Head of Finance ext 1209 Martin.Taylor@wlv.ac.uk

Glossary

PCI DSS – Payment Card Industry Data Security Standard

PSP – Payment Service Provider

SAQ – Self-Assessment Questionnaire

PDQ – Process Data Quickly

CVV – Card Verification Value (3 digit code on back of card)

CVC – Card Verification Code (3 digit code on back of card)

Cards Not Accepted

  • American Express
  • Diners
  • SOLO