All University departments that accept card payments are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). By demonstrating compliance with the standard, the University shows the public that payments are processed securely and that cardholder information can be entrusted to us because efficient and effective processes are in place.
The standard comprises 12 major requirements and 221 sub-requirements that all concerned parties shall take into account when handling customers’ card information. These represent the minimum set of measures for protecting account data, and may be enhanced by additional controls and practices to further mitigate the risk of security breaches.
High-level requirements:
The Security Governance, Risk and Compliance Team took on the process of supporting the University’s PCI DSS compliance activity in October 2018 (see the previous news item). We aim to submit the attestation of compliance (the core document stating that the University is compliant) for the “face to face” and “e-commerce” channels to the acquiring bank by the end of April 2019. This means that only a few months remain to confirm that the information collected as part of the previous project is current, and to complete and submit the necessary documentation. During the coming months we will visit departments that process payments to clarify their PCI DSS situation and provide the necessary support.
Once the attestation of compliance has been submitted to the acquiring bank, we will start the auditing phase, as required by the standard. The audit scope will be selected on the basis of sampling, which means that only a number of departments will be subject to an audit each year. Selected departments will be informed about the upcoming audit in advance so that time can be planned for preparation.
REMEMBER:
Being selected for an audit can seem nerve-wracking, but it is important to remember that audits are not performed to find fault. Audits are performed to look for evidence of compliance and to identify areas for improvement. They ensure that existing weaknesses come to the surface and can be addressed appropriately.
PCI DSS compliance is a continuous process. Complying with the standard depends on systematically identifying non-conformities and their root causes, planning and implementing adequate corrective actions, and monitoring how efficient and effective those actions are.
We are here to support you!
If you have any questions or suggestions, please contact us via: grc@infosec.ox.ac.uk