PCI DSS Policy (ver 1.0)

The Imperial College PCI DSS Compliance policy is:

  • The College will undertake a PCI Compliance review on an annual basis.
  • If any member of staff identifies that this policy is compromised or is at risk of compromise then he/she must report the matter immediately to the PCI Compliance Officer. 
  • All staff who handle either “Customer present” or “customer not present” card[1] transactions in any form shall undertake PCI Compliance training on an annual basis.
  • All “customer present” card transactions must take place using a secure PCI compliant electronic point of sale system.
  • Where an electronic point of sale system is hired for an ad-hoc event, it must be both fully PCI Compliant and operate in a PCI Compliant environment.
  • Wherever possible “customer not present” card transactions should be processed using the College’s approved payment gateways.
  • Where a personal computer or similar is used to access systems to process card transactions, the personal computer or similar must be an asset of the College. A personal computer owned by an individual must not be used.
  • Under no circumstances should card and/or cardholder details be stored or transmitted electronically (other than through the College’s online store or PCI approved gateway). This includes emailing, instant messaging, chat and scanning of paper copies.
  • If there is a valid requirement to scan paper copies containing card transaction details, the card details must be obliterated using an indelible marker pen before scanning.
  • Where paper copies containing card transaction details need to be retained for a valid reason, for example chargebacks, they must be retained in a secure, locked cabinet or room at all times.
  • The retention period for all paper copies containing card transaction details is:
    • File by date of transaction.
    • Merchant copies should be kept for a minimum of 6 months (this is the time limit within which chargebacks can be registered).
    • Beyond this, copies should be kept for a further 12 months (i.e. TOTAL storage time equals 18 months from date of transaction).

  • All other paper copies containing card transaction details must be destroyed (cross-shredded) immediately after use.
  • The College will carry out security penetration testing annually on the College network and the results will be notified to the PCI Compliance Officer.
  • The College will use and regularly update anti-virus software to protect the College network and its personal computers that are connected to the card payment process.
  • The College will contract an approved external supplier to carry out quarterly vulnerability scans of the relevant College IP addresses that are linked to the card payment processes and the results will be notified to the PCI Compliance Officer.

[1] Card refers to any form of card payment (e.g. Credit, Debit and Charge card)