1. Introduction

New card payment solutions delivered through a third-party payment service provider must satisfy the Payment Card Industry Data Security Standard (PCI DSS).

2. Policy

To assess the suitability of a proposed card payment solution, the following documents must be submitted to the PCI DSS Committee (pcidsscom@imperial.ac.uk):

  • An Attestation of Compliance (AOC) must be supplied, using the official PCI Security Standards Council (SSC) form.
  • Form requirements:
    • The AOC must be current, i.e. dated within the last 12 months.
    • If the AOC is not signed by a PCI SSC certified QSA or ISA, the vendor must supply additional information, such as the current quarter's Approved Scanning Vendor (ASV) report and/or the current year's penetration test report for the external network.

3. Follow up

If needed at a later stage of the evaluation, the PCI Compliance team may request that the vendor demonstrate the payment processing workflow through its services.

4. Responsibility for Policy Maintenance

The College PCI Committee (pcidsscom@imperial.ac.uk), whose members include the Network and Security Services Manager, the Compliance and Information Governance Manager and the Head of Treasury Management, is responsible for maintaining this Policy.

Changelog:

22 Sep 2017, Anh Duong: First draft of new policy