
eCash

Proposal Sponsor: 
Liz Welch

Overview

Background

The University has a number of online payment methods which offer a secure way to take payments online. We have a gap in security for payments that are taken over the phone or at the counter. The PCI Security Standard, effective from Autumn 2015, stipulates that the three-digit or four-digit card code printed on the card cannot be retained after authorisation, and that full primary account numbers (PANs) cannot be kept without further protection measures, such as encryption.

www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf


Once the payments have been collected securely, it is important to ensure that the payment information is also transmitted securely. Secure electronic forms can be used to transmit the payee details, linking the payment to the coding in the financial ledger while ensuring the data is appropriately encrypted.


Without a more secure payment method, there is a risk that organisations taking customer payment card details over the telephone may be recording the full cardholder details to comply with various regulatory bodies, thereby contravening PCI DSS requirements and potentially exposing cardholder data to unnecessary risk. We only have to look back a couple of weeks to see the most recent problems caused by sensitive information being stolen (TalkTalk, October 2015; M&S, October 2015).


The University’s own information security week has highlighted the need to ensure that key items of information are managed securely. This project aims to reduce the risks of taking card payments that are not received online, thereby increasing the security of our data.

Other contributors: 
Helen Adam, Karen Fisher, Finance colleagues
What would happen if the project did not take place?: 

There is a gap in payment security for payments taken over the counter or by phone. This project will ensure we are compliant with payment standards. We may be liable for fines if we are non-compliant with our acquirer and ultimately our acquirer may be forced to terminate our relationship, which will prevent us from accepting payments by card.


In addition there are considerable Card Scheme fines associated with non-compliance following a data compromise; these can range from ten to hundreds of thousands of pounds. Many non-compliant merchants have ceased trading because the fines could not be accommodated. The fines are passed from the Card Scheme to the acquirer and then onto the merchant.

Who does it affect?: 

All University areas that take payments face-to-face or over the phone.

Why is it needed/What are the benefits?: 

As noted above

BI/MI requirement?: 

N/A

Compliance justification (if relevant): 
  • Meet external legislative requirement
  • Maintain critical University business system AND no practical workarounds available

The increasing sophistication of credit card fraud in the modern business environment requires that increasingly sophisticated payment controls are put in place to ensure data security. There are external drivers for these requirements as well as the University

Planning Status: 
Approved
Portfolio: 
CSG
Project Owner: 
CSG
Procurement > £50K: 
Yes
Funding Source: 
Core Grant
Estimation Type: 
IT Infrastructure
Estimated Business Partner Days: 
Large
Estimated Service Management Days: 
Small
