
Payment Card Industry Data Security Standard (PCI DSS) awareness

13 Sep 2018

The PCI DSS is a global framework set up by the major payment card brands, including Visa and Mastercard, designed to protect customers' cardholder data when it is received, used, transmitted or stored within the merchant's organisation.


The University is PCI DSS compliant; compliance is a mandatory requirement for organisations over a certain size that process card payments.

We are currently being assessed as part of an annual process to ensure we are compliant for another year from the end of September.

Why bother?

Financial fraud involving payment cards totalled £615 million in 2016. Card fraud is still a major problem, but it is reducing because organisations taking card payments are increasing security through their people, processes and technology.

Card data is packaged and sold to fraudsters – it is worth more if personal details are also available. Only this month, British Airways have been the victim of a card payment details theft.

Potential Impact of card fraud on the University

  • Loss of reputation
  • Fines and compensation claims
  • Increase in charges to accept and process cards
  • Impact on customer experience
  • Being banned from taking future card payments

How do we tackle card fraud?

All parties involved in processing, storing or transmitting cardholder data need to protect data in accordance with PCI DSS standards.

  • People – All staff taking and supporting card payments are required to undertake the training and must be aware of their role and responsibilities.
  • Processes – All processes for taking and supporting card payments must be secure and approved by Finance.
  • Technology – The University card payment networks must be physically separated from the wider network and be secure.

All University staff should be aware of PCI DSS and the implications of non-compliance.

Staff involved in taking card payments should receive appropriate training from members of the Income Office.

Further details:

Specific enquiries:

  • Michelle Bailey (Head of Transactional Services, Directorate of Finance)
    or
  • Mike Vale, PCI DSS Internal Security Assessor, IT Services