ISP-19 PCI-DSS cardholder data policy
This is a sub-policy of the ISP-01 Information security policy.
Summary
This policy seeks to ensure that the University of Bristol complies with global security standards to protect credit and debit card information. It outlines the requirement to avoid storing cardholder data on local hard drives, shared storage, cloud storage solutions, or any removable media under any circumstances and rules for handling and transmitting card data to prevent fraud and breaches of cardholder data. Violations of this policy can result in financial penalties and loss of card payment capabilities, significantly impacting the University's operations, as well as leading to disciplinary actions for individuals. Compliance is mandatory for all members of the University and third party service providers involved in card transactions.
| Control information | Control detail |
|---|---|
| Owner | Chief Digital Information Officer, IT Services |
| Author | Information Security Manager, IT Services |
| Sponsor | Chief Digital Information Officer, IT Services |
| Consulted | Head of Transactional Services, Payment Acceptance and Compliance Manager, Information Governance and Security Advisory Board (IGSAB) |
| Approved by | Information Governance and Security Advisory Board (IGSAB) |
| Responsible area | IT Services |
| Version | 4 |
| Approval date | 27 June 2025 |
| Effective date | 27 June 2025 |
| Interim review effective date | 30 July 2025 |
| Full review period | 1 year |
| Date of next full review | 31 May 2026 |
| EIA completion date | Not applicable |
| DPIA completion date | Not applicable |
| SIA completion date | Not applicable |
| Reporting requirements | |
| Applicable statutory, legal or best practice requirements | |
| Keywords | PCI-DSS, cardholder data, data security, compliance, payment card industry, information security, data breach, encryption, incident response, third party providers, payment processing, confidentiality, legal requirements, data protection, risk assessment, information security manager, disciplinary action, card fraud prevention, data storage, data transmission |
1. Updates to this policy
1.1. This policy has been updated to align to the new University of Bristol policy management framework.
1.2. Following an interim review in July 2025, the following updates were made:
- Scope (section 3): Scope clarified to indicate that this policy is relevant to all members of the University with special attention to those who are directly involved in handling credit card data.
- Definitions (sections 4.2 and 4.3): Definitions expanded.
- General (section 7): Addition and removal of general points.
- Credit/Debit Card Handling (section 8.2.b): Process updated to reflect current set up and remove reference to analogue telephone lines.
- Card/debit card handling (section 8): Updated to include exceptions.
- Minor context clarifications and updates.
2. Introduction
2.1. This policy is a sub-policy of the ISP-01 Information security policy and outlines the University’s requirement to comply with the Payment Card Industry Data Security Standard (PCI-DSS) to ensure secure handling of credit and debit card information. The PCI-DSS is a worldwide standard set up to help businesses (merchants) process card payments securely and reduce card fraud. The policy is designed to protect cardholder data, minimise the risk of fraud, and prevent breaches, thereby safeguarding the University's financial operations and reputation.
3. Scope
3.1. This policy applies to all members of the University (staff, students and associates), members of other institutions who have been granted federated access to use the University’s facilities, together with any others who may have been granted permission to use the University’s information and communication technology facilities by the Chief Digital Information Officer.
3.2. Particular attention should be paid to this policy by individuals involved with handling credit and debit cards, credit and debit card data and the systems processing such data within the University of Bristol.
3.3. Use of Corporate Credit Cards is governed by the University’s corporate credit card policy (staff access only) and is out of scope for the ISP-19 PCI-DSS cardholder data policy.
4. Definitions
4.1. A member of the University: This is defined in University Constitution: Ordinance 9, section 7.
4.2. ‘Credit/Debit card data’ or ‘cardholder data’: Most of the information on a credit card or debit card and includes the long 16-digit card number (Primary Account Number - PAN). It also includes the issue and expiry dates, the cardholder’s name and the three-digit security code on the back of the card known as the Card Verification Value (CVV). This data is considered as Personally Identifiable Information (PII) by the Information Commissioner’s Office (ICO).
4.3. Payment Card Industry Data Security Standard (PCI DSS): A proprietary information security standard for organisations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover and JCB. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Compliance with PCI DSS is a contractual obligation between the University of Bristol and the Acquirer (Acquiring Bank).
4.4. Attestation of Compliance (AoC): A formal statement from a third party service provider confirming that they meet PCI DSS requirements.
4.5. Incident response plan: A documented procedure for responding to data breaches or security incidents involving cardholder data.
4.6. Merchant IDs (MIDs): Unique identifiers assigned to each business division processing card payments.
4.7. Point-to-Point Encryption (P2PE): A security measure used to encrypt card data at the point of entry, ensuring its protection during transmission.
4.8. Point-of-Sale (POS): A device used to process card payments, such as a card reader or terminal, which must meet specific security standards.
5. Responsibilities
5.1. University Members: Must handle cardholder data only when authorised and trained to do so, ensuring cardholder data is not stored on local hard drives, shared storage, cloud storage solutions, or any removable media under any circumstances, and report any incidents or breaches immediately to IT Services.
5.2. IT Services: Must conduct risk assessments and ensure systems handling cardholder data are appropriately configured and secure. They must manage compliance checks and ensure the technology infrastructure meets PCI-DSS requirements. IT Services are also responsible for logging incidents and coordinating with the relevant Professional Services departments for investigation.
5.3. Finance Services: Ensure compliance with data security standards by overseeing the secure processing of all cardholder transactions, overseeing records of third-party service providers, managing payment system approvals, and supporting staff training on card data handling.
5.4. Supervisors and Line Management: Ensure that approved payment devices are used and that Merchant IDs (MIDs) are managed within their teams. Ensure team members who are authorised to process card payments comply with cardholder data protection protocols and report any issues to IT Services.
5.5. Chief Finance Officer (CFO): Ensure proper management of financial transactions and ensure contracts with acquirers meet compliance standards. Ensure that compliance responsibilities are assigned appropriately across the University.
5.6. Chief Digital and Information Officer (CDIO): Shares responsibility for PCI-DSS compliance with the Chief Finance Officer (CFO), focusing on the technical aspects of cardholder data storage, transmission, and processing. They also ensure that the policy is adhered to across the University's digital infrastructure.
5.7. Third party providers: Must comply with PCI-DSS requirements and provide Attestation of Compliance (AoC). They must protect cardholder data in accordance with contractual obligations and maintain security standards.
6. Compliance and requirements
6.1. Compliance with this policy is mandatory. Failure to follow this policy will be considered under the University's conduct procedure (Ordinance 10: Employment (PDF, 298kB), section 4) and may result in disciplinary action. A serious breach of this policy may constitute gross misconduct and lead to dismissal. Compliance with this policy is primarily enforced through process and standard documents. Finance Services and IT Services will provide guidance and support but due to the diverse nature of some of our activities these processes and documents must be developed by each business area.
7. General
7.1. Failure to protect card data can lead to large fines from the Information Commissioner’s Office (ICO) and banks, expensive investigations, litigation, loss of reputation and, in the worst case scenario, withdrawal of the ability to take payment by credit card, which would greatly hinder the University of Bristol’s ability to conduct business.
7.2. Any new activity involving the processing of payment card data must be authorised by Finance Services and IT Services (see Finance Services - collecting income (staff access only)).
7.3. Electronic credit card data must not be transmitted by the University of Bristol via any private network that the University is responsible for unless in accordance with the handling requirements in this policy. This includes wired and wireless connections.
7.4. Credit and debit cardholder data must not be stored on University provided local hard drives, shared storage (such as University departmental filestore), cloud storage solutions (for example SharePoint), or any removable media (memory stick, CD/DVD) under any circumstances. This includes personal card details.
7.5. Cardholder data must not be transmitted or requested to be transmitted via end-user messaging technologies such as email, instant messaging or SMS. If unsolicited cardholder data is received via such means, this must be notified to the Information Security Manager and the data securely deleted.
7.6. Any card data stored on University of Bristol systems must be reported to IT Services immediately upon discovery by calling or raising a ticket.
8. Credit / debit card handling
8.1. It is the University’s policy not to store cardholder data electronically or process that data on the University network. All processing of cardholder data must be agreed and recorded by IT Services and by Finance Services.
8.2. Any processing (including by third parties) must meet the following conditions:
- All handlers of cardholder data must be trained before being allowed access. This training must be recorded and repeated/updated upon hire and at least once every 12 months.
- Cardholder data must not be processed via digital connections provided by the University (wired or wireless), unless via a current PCI-SSC validated Point-to-Point Encryption (P2PE) solution, implemented in accordance with the relevant P2PE Instruction Manual (PIM). Public data networks (GPRS/3G/4G/5G) may also be used in conjunction with properly-configured P2PE solutions.
- Cardholder data must not be stored in any voice recordings. Where cardholder data may be taken over the telephone, any call recording solution must be disabled whilst cardholder data is being given.
- Any device used to process cardholder data on behalf of the University must be first agreed by Finance Services (the Head of Transactional Services).
- Where the device is a Point-of-Sale (POS) terminal it must be of a type approved by Finance Services. The details (model, serial number, security features and location) of all examples in use must be recorded and supplied to Finance Services for inclusion in the asset list that they maintain. Such devices must be configured and used in accordance with Finance procedures.
- All devices must be stored securely when not in use and checked regularly for tampering or substitution. Any suspicion of tampering must be reported in line with the Incident response procedure.
- University staff and students must not store cardholder data on paper unless specifically agreed by the Information Security Manager and the Head of Transactional Services. Any cardholder data may only be stored on paper prior to authorisation of payment (not after). It must be securely stored when not in use and destroyed in line with the University's Confidential waste disposal procedure (staff access only).
9. Third parties
9.1. Any third party commissioned to handle cardholder information on behalf of the University of Bristol must be approved by Finance and IT based on proper due diligence prior to engagement. Their compliance status must be assessed by the Information Security Manager. If they are a PCI DSS compliant Service Provider for the contracted services they provide to the University, they will be required to provide the University with an up-to-date version of their Attestation of Compliance for Service Providers before engagement and each year thereafter.
9.2. Any contracts or written agreements with third party providers must make clear their responsibility for maintaining/protecting the University’s compliance. A full list of Third Party Payment Service Providers will be maintained by Finance Services, and the service providers’ PCI DSS compliance will be checked by Finance Services at least annually.
10. Incident response
10.1. An Incident/Breach Response Plan must be in place, reviewed and tested at least annually. Any breach or suspected breach must be reported immediately to the IT Service Desk. This will be acknowledged shortly after receipt and escalated to the PCI Incident Response group for further response.
11. Monitoring and compliance responsibilities
11.1. Overall responsibility for the University’s PCI DSS compliance is held by the Chief Finance Officer (CFO), as they are responsible for management of income, as well as being the signatory of any contract with our acquirer/s. As the storage, transmission and processing of cardholder data and the associated risks are largely an Information Technology challenge, the Chief Digital and Information Officer (CDIO) also has a significant responsibility for ensuring adherence to this policy and associated procedures.
11.2. IT Services (the Information Security Manager) and Finance Services (the Group Finance Director) shall ensure this policy is available and promoted to those that need to see it.
11.3. It is the responsibility of the Information Security Manager to maintain this policy and ensure it is reviewed at least annually or if the environment changes. An assessment of the risks relating to the processing of cardholder data will be conducted annually by the Information Security Manager with the support of IT Services and Finance Services.
11.4. The PCI DSS Internal Security Assessor, Information Security Manager, Group Finance Director, or any of their representatives, are authorised to inspect any systems, databases, or physical areas of the University where cardholder data might be processed or stored.
11.5. Many areas of the University process credit/debit cards as payment for the services they provide. Separate Merchant IDs (MIDs), set up by our acquiring bank, have been authorised for use by the University. Finance Services are responsible for ensuring that only University-approved devices and suppliers are used to receive payments, and that each MID has an identified and responsible manager. Finance Services are responsible for maintaining a full register of all MIDs, the manager responsible, and all assets in use relating to each MID (e.g. point-of-sale / PDQ terminals).
12. Further guidance
- ISP-01 Information security policy
- IT service desk contact
- Confidential waste (staff access only)
Request this policy in an alternative format
If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.