The Security Governance, Risk and Compliance (GRC) Team has taken on the process of supporting the University's compliance with the Payment Card Industry Data Security Standard (PCI-DSS). Until now, work towards compliance has been managed as a project in the Finance Division with support from the Security GRC team. Bringing PCI-DSS compliance under the umbrella of the Security GRC team enables best practice to be applied to compliance as part of the University's wider information security management framework.
The standard requires that systems which store, process or transmit payment card data, or which are connected to such systems, must be protected through security controls in twelve key areas (the twelve PCI-DSS requirements).
Current Status
At present the University is partially compliant. The face-to-face and e-commerce payment channels are compliant, but there are significant challenges in relation to the mail order and telephone order payment channels supported by DARS and Chorus.
Scope of the Service
The PCI-DSS service will include:
PCI compliance work for new projects and changes to current environments will be supported by the Security GRC team through the PSR and TPSA processes. The Cashiers' Office will continue to manage the PIN entry device (PED) lists and similar PCI asset lists.