Payment Card Industry Data Security Standards (PCI-DSS) Procedures (Australia only)
Parent Policy
Electronic Information Security Classification Policy
The Payment Card Industry Data Security Standards (PCI-DSS) are a set of guidelines developed by MasterCard, Visa, American Express, Discover and JCB International to assist merchants in preventing credit card fraud and to improve security around processing and storing credit card details. Any company processing, storing or transmitting credit card numbers must be PCI-DSS compliant or they risk losing the ability to process these payments.
As a Westpac Merchant, Monash University is required to be compliant with PCI-DSS. Non-compliance can result in fees to merchants of at least $10,000 per month and $500,000 per card brand (i.e. Visa, MasterCard) if there is a breach which results in theft of cardholder details.
Definition of terms
PCI-DSS: Payment Card Industry Data Security Standards
EFTPOS: Electronic Funds Transfer Point of Sale. Faculties and portfolios have machines that accept Visa, MasterCard, Amex and Diners Club payments
Cardholder Data: Primary Account Number (PAN) plus any of the following: Cardholder name, Expiration date, Service code
Cardholder Data Environment: Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage or transmission
CDE: Cardholder Data Environment
CVV: Card Verification Value (Visa)
CVC: Card Verification Code (MasterCard)
CID: Card Identification number (American Express and Discover)
CAV: Card Authentication Value (JCB)
Firewall: Hardware, software, or both that protect resources of one network from intruders from other networks
VoIP Fax: A fax received via the Monash University VoIP server to a fax machine or email address
VoIP: Voice over Internet Protocol
Analogue Fax: A fax received via an analogue line directly to a fax machine
Credit Card Data: Visa and MasterCard debit card data
PCI-DSS Compliance
PCI Compliance is required from December 2010.
This procedure is designed to deal with situations where a company or individual provides their cardholder data to the University for the purposes of paying an account (of any type).
Under PCI-DSS requirements, Monash University is required to use, store and destroy cardholder data in a manner which protects the cardholder data from misuse or unauthorised transactions.
Responsibility
All Staff
Companies and individuals must be prevented from providing any cardholder data via an email or VoIP facsimile.
If such a request is received:
- The email or VoIP fax should be replied to immediately with the credit card number deleted - stating that "Monash University does not accept credit card holder information via fax or email as it is not a secure method of transmitting cardholder data".
- The email or fax is to be securely destroyed.
Responsibility
All Staff
Minimal cardholder data is to be stored in hard copy format; any cardholder detail that is stored in hard copy must be stored in a highly secure and protected manner within a locked filing cabinet or safe within a locked office.
Responsibility
All Staff
Credit cardholder data is not to be stored on Monash University computers in any form unless an exemption has been approved by the IT Security Manager (Office of the CIO). If credit card data is stored as electronic data, appropriate security measures must be utilised in accordance with PCI-DSS. This includes:
- Reducing the scope of PCI-DSS compliance by segmenting the CDE network.
- Segmenting credit card processing from the normal business use of workstations and using separate physical devices or virtual machines on a secure host.
- Restricting access to the hosts that store cardholder data to systems that have a legitimate business need to access the data.
- Separating duties of servers such that a web server in the CDE is not also running a database server.
- Installing a stateful packet inspection firewall in the CDE and ensuring that the firewall has both ingress and egress rules.
- Collecting logs from all devices in the CDE and shipping them to a centralised, backed up logging server.
- Performing internal and external vulnerability scanning at least quarterly or when configurations change, and performing an internal and external penetration test at least annually. External scans will need to be performed by a PCI approved scanning vendor.
- Ensuring that physical access to systems in the CDE is restricted to those individuals with a legitimate business need and all server consoles are locked or logged off.
Responsibility
All Staff and Office of CIO
All EFTPOS machines and other such devices used to collect cardholder data must be stored securely (particularly when not in use, i.e. overnight). Tamper evident stickers across the seams of the EFTPOS terminals should also be used if available.
Responsibility
All Staff
Only appropriate staff are to have access to cardholder data, and appropriate training for such staff is to be conducted on an annual basis. All staff will be required to sign an acknowledgement of understanding and compliance with this policy.
Responsibility
All Staff who handle cardholder data
Credit card information is to be transferred securely. Therefore, no credit card details are to be emailed or VoIP faxed either internally or externally between staff or customers (the only exception being if a direct line/analogue facsimile has been specifically installed for this purpose).
Responsibility
All Staff
All service providers and third party vendors providing credit card related services for Monash University must be PCI-DSS compliant.
Responsibility
All Staff
Cardholder data is not to be stored simply for chargeback purposes. Storing the first six and last four digits of a cardholder number, along with time, date, transaction identification and amount is adequate. Cardholder data is not to be retained for longer than six months after the date of processing the transaction.
Responsibility
Corporate Finance, Student Service Centre
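As an added example (not part of the Monash procedure itself) of the two data-handling rules above, the truncation format kept for chargebacks and the removal of card numbers from an email reply: a small Python module that identifies Luhn-valid card numbers, keeps only the first six and last four digits, and builds a chargeback record that holds nothing else. The regular expression, function names and the 4111 1111 1111 1111 test number are my own choices.

```python
import re
from dataclasses import dataclass

# Digit runs of 13 to 19 digits, optionally separated by spaces or hyphens
# (assumed input format; not taken from the procedure text).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return the PCI-DSS truncation form: first six and last four digits only."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in free text (e.g. an email body)
    with its truncated form, so the reply no longer carries the full PAN."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return truncate_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


@dataclass(frozen=True)
class ChargebackRecord:
    """The only cardholder-related fields retained for chargebacks."""
    truncated_pan: str
    timestamp: str
    transaction_id: str
    amount: str


def chargeback_record(pan: str, timestamp: str, transaction_id: str, amount: str) -> ChargebackRecord:
    # The full PAN is truncated on the way in and there is no field for a
    # security code (CVV/CVC/CID), so neither can be stored by accident.
    return ChargebackRecord(truncate_pan(pan), timestamp, transaction_id, amount)
```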
All hard copy forms containing cardholder data are to be shredded on a cross cut shredder after processing credit card payments. It is not acceptable for the credit card number to be blacked or liquid papered out.
Responsibility
All Staff
Credit card security codes (CVV, CVC, CID etc.) are not to be stored or recorded under any circumstances once a transaction has been processed.
Responsibility
All Staff