PCI Data Security Policy
This policy provides essential information for everyone tasked with handling credit and debit cards, credit and debit card data and the systems processing such data within Imperial College London (“College”). It is designed to ensure we can meet the standards required by the Payment Card Industry’s Data Security Standard (PCI-DSS), which College is obliged to meet in order to be able to process credit card payments.
This policy applies to all environments within the College where credit and debit cards, or the cardholder data taken from them, are handled. These environments are collectively defined as the “Cardholder Data Environment” (“CDE”).
- Compliance Requirements
Compliance with this policy is mandatory. Failure to follow this policy can expose the College to financial penalties and operational risks.
‘Cardholder data’ refers to any information linked to a credit or debit card. This may include the name and address of the cardholder and/or any of the PAN, CVV, and issue or expiry date of the card.
‘CSC’ or Card Security Code. This is the four digit security code printed on the front of American Express cards.
‘CVV’ or Card Verification Value. This is the three digit security code on the back of most credit or debit cards.
‘PAN’ or Primary Account Number. This is the long card number on the front of a debit or credit card, usually 16 digits (15 on American Express cards).
- Key contacts and responsibilities
- Network and Security Services Manager – Matthew Williams (firstname.lastname@example.org)
- Head of Treasury Management – Anh Duong
- Compliance and Information Governance Manager – Tim Rodgers (email@example.com)
- PCI Committee – College PCI Committee whose members include the Network and Security Services Manager, Compliance and Information Governance Manager and Head of Treasury Management. (firstname.lastname@example.org)
- Data Protection Officer - Robert Scott
- 1. General
- System users shall not send cardholder data unencrypted, via end-user messaging technologies such as, e-mail, instant messaging or chat without using an approved encryption solution. Where a solution is not available the data shall not be sent via any of these methods.
- Users shall not store cardholder data on local hard drives, floppy disks, or other external or mobile media. If anyone must store confidential data on a hard disk that is not in a securely protected environment, they must report this to the Network and Security Services Manager so that an appropriate security solution can be implemented.
- All employees, third parties and contractors are responsible for the College assets, particularly the confidential data that they use to carry out their function. Any suspicious activity or suspected breach of security must be reported immediately to the Network and Security Services Manager.
- All documents containing cardholder data should be securely locked away after use.
- 2. Credit and Debit Card Handling
This section provides the minimum mandatory requirements that need to be applied to all employees who handle or come across cardholder data, in any format within the College environment. Furthermore any third party that uses or accesses any of the College’s cardholder data, either physically or logically, must also comply with this section. The College does not intend to electronically hold or store cardholder data, however, this section outlines what to do if such a situation arises.
2.2 Policy Statements
- Failure to protect card data could lead to significant ramifications for the College and could greatly hinder the College’s ability to conduct business. Failure to protect cardholder data can also be considered a breach of the Data Protection Act 2018 and any subsequent amendment or replacement to this legislation.
- No member of staff should handle cardholder data unless they have been trained and are authorized to do so.
2.2.2 Cardholder Data Requirements
- The PAN must always be encrypted when electronically stored and any other cardholder data, if stored with the PAN must be protected. The Network and Security Services Manager can advise on a suitable encryption solution.
- The CVV must be handled with great care and must never be written down or stored. This includes written records in notes, on a form, in a database, spreadsheet or any other electronic format, even if encrypted. The only exception is where the CVV has to be held temporarily, before authorisation, while you arrange to take a payment. Once the transaction has been authorised the CVV must be destroyed immediately.
- If during the performance of your job you can see, by error or intention, a full PAN when it is not required for you to do your job, please report this to the PCI Committee. If however your job requires that you need access to the full PAN and you have not yet received training in PCI DSS then please report this to your line manager so that they can help arrange training.
2.2.3 Cardholder Data Handling Requirements
- Cardholder data should NOT be stored in College unless otherwise approved by the PCI Committee.
- If you intend to store cardholder data you must inform the PCI Committee.
- Do not store cardholder data on laptops, desktop computers, file shares, memory sticks, CDs or floppy disks unless these are on approved systems. If in doubt, do not store the data.
- Do not store cardholder data in spreadsheets and other office documents, unless:
- It is specifically required for your work;
- Storage has been approved in writing by the PCI Committee; and
- The document is encrypted using AES-256.
- Any cardholder data found on College systems must be reported to the PCI Committee immediately upon discovery.
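Section 2.2.3 asks staff to report any cardholder data found on College systems, which in practice means someone has to look for it. The following is an added example, not part of the College's policy or tooling: a small Python scanner that finds candidate PANs in text by matching 13 to 19 digit runs and applying the Luhn check, then reports each hit with all but the last four digits masked so that the report itself does not become cardholder data. The sample text, the masking format and the regex are assumptions made for the example; the two card numbers in it are the publicly documented Visa and American Express test numbers, not real accounts.

```python
"""Luhn-based PAN discovery over text (added example, not College tooling).

Reports only masked PANs so the output can be forwarded to the PCI Committee
without itself becoming stored cardholder data.
"""
import re
from typing import Dict, List

# Candidate: 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run (avoids matching inside timestamps etc.).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; everything else is replaced by '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Return a list of {line, masked, length} for every Luhn-valid candidate."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append({"line": line_no, "masked": mask_pan(digits),
                         "length": len(digits)})
    return hits


# Constructed sample: two public test card numbers, one 16-digit order
# reference that fails Luhn, and a phone number that is too short to match.
SAMPLE = """Refund request 2017-09-22
Card: 4111 1111 1111 1111 exp 12/19
Amex: 378282246310005
Order ref 1234 5678 9012 3456
Phone 020 7589 5111
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE):
        print(f"line {hit['line']}: {hit['masked']} ({hit['length']} digits)")
```

Running the block prints the two test cards (masked, 16 and 15 digits) and ignores the order reference and the phone number. On a real file share the same function would be applied file by file; the point to keep is that only the masked value and the location ever leave the scanner.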
2.2.4 Printing of Documents Containing Cardholder Data
- At no point should cardholder data be printed without prior approval from Treasury. Printing may involve cardholder data being sent across College networks in a manner that fails to meet PCI DSS requirements.
2.2.5 Handling Documents Containing Cardholder Data
- There are cases where cardholder data is legitimately held on paper, e.g. a chargeback letter, a fraud document or an exceptions report. Such paper must be retained only until the data has been processed electronically.
2.2.6 Vigilance and Awareness
- Each employee or contractor is responsible for the protection of the College’s assets which include all forms of data. It is therefore important that, should you see any cardholder data or other confidential data in a place that is insecure, inappropriate or where you do not expect to see it, you must:
- secure the data, e.g. lock it in your desk;
- report it to your manager; and
- report the incident to email@example.com.
- 3. PCI-DSS Cardholder Data Management
This section provides the minimum mandatory requirements that need to be applied to all data created, transmitted, stored or managed by College within the CDE; be that data in hard (e.g. paper) or electronic (e.g. hard disk) formats. Furthermore any third party that uses or accesses any of College’s data within the CDE, either physically or logically, must also comply with this policy.
3.2.1 Data Protection Policy
(see www.imperial.ac.uk/admin-services/legal-services-office/data-protection/our-policy/ )
The College Data Protection Policy sets out how the College collects, stores and processes personal data including the security and management of that data. All College staff, students and other authorised third parties, who have access to any personal data held by or on behalf of the College, must adhere to the College’s Data Protection Policy and associated Codes of Practice.
The College's Data Protection Officer handles day-to-day issues relating to notification, advice on compliance and responding to requests from data subjects. Each department or division has appointed a Data Protection Coordinator, [http://www.imperial.ac.uk/admin-services/legal-services-office/data-protection/data-protection-co-ordinators/].
- Breaches of the data protection legislation may lead to severe financial or reputational damage to the College.
- Cardholder data shall not be copied or transmitted in any format without the prior permission of the cardholder. All cardholder data in the CDE should be encrypted when stored electronically. The PCI Committee should be contacted for any queries regarding encryption.
- All confidential data in the CDE must be handled in accordance with the data protection legislation, the College Data Protection Policy and associated Codes of Practice.
3.2.2 PCI-DSS Data Retention
- Cardholder data must not be retained on any College system.
- Other data referring to the cardholder data environment will be treated as outlined below:
- Payment Card Data
Payment card data will not be stored within College.
- Revenue Protection Correspondence
This refers to all correspondence relating to charge-backs, revenue protection and fraud prevention. These will typically be paper copies and must be destroyed by cross-cut shredding or approved shredding services once they have met their retention period.
- Information Systems and Physical Location Documentation
All documentation relating to Information Systems within the PCI-DSS CDE, including network diagrams, firewall access, system configuration, system passwords and backup documentation must be held securely with privileged access.
3.2.3 Cardholder Data Security
Within the CDE:
- Cardholder data must not be sent to any external party without authorisation from both the Division head and the cardholder, i.e. two separate people.
- All data physically sent to an external source must be sent via secure courier or other secure delivery method, as approved in advance by the data owner to ensure it is accurately tracked.
- All data must be stored in accordance with its classification regardless of the media it is held on.
- All physical backup media must be sent via secure transit.
- All data sent externally must be logged and those records retained for a period of 12 months.
- All physical (paper) and electronic confidential data, especially if it contains cardholder data, must have physical security controls applied at all times.
- All confidential data must be stored securely and all access to be secure and controlled based on a user’s “need to know”.
- Confidential data, especially cardholder data, stored on any form of media, e.g. CD’s, backups, hard drives, paper etc. must be inventoried to ensure the secure storage is managed and recorded.
- Periodic media inventories must be performed on a minimum of an annual basis. Evidence of media inventories will be retained.
- All confidential data, such as cardholder data and access passwords, must be encrypted when stored. Stored data includes all logical locations, e.g. databases, servers, log files, debugging files, backups, reports etc.
- All system and application passwords are classified as confidential and need to be encrypted in all forms of transmission as well as in storage.
3.2.4 Cardholder Data Storage Locations
- The College does not electronically store cardholder data on its systems.
3.2.5 Cardholder Data Disposal
- The College should not hold any cardholder data.
- Should cardholder data exist on any system, the following conditions apply:
- All data must be securely disposed of when no longer required regardless of the media or application type on which it is stored.
- All hard copies of cardholder data must be destroyed as soon as they reach the end of their retention period. A quarterly process must be in place to confirm that all non-electronic cardholder data has been disposed of appropriately and in a timely manner.
- All hardcopy materials are cross-cut shredded, incinerated or pulped so that they cannot be reconstructed.
3.2.6 Mobile Data
- Cardholder data is not permitted to be stored on mobile devices.
- 4. Responsibilities
All users within the CDE include all permanent (direct hire), temporary and contract staff who use College computer systems. All users must use the IT systems, information and equipment in accordance with College security policies and procedures. Users are responsible for:
- Familiarising themselves with and adhering to the policies and procedures applicable to their area of responsibility;
- Clearing desks of all sensitive material and logging off or locking workstations at the end of the day and when leaving their desk;
- Not removing equipment, information or any other College property from the College premises without authorisation;
- Not connecting personal equipment to College networks within the CDE;
- Not installing, copying or modifying any software on College equipment without authorisation;
- Immediately reporting security incidents to the Network and Security Services Manager.
22 Sep 2017: First draft of new policy
27 Sep 2017: Review and amendments to draft