InfoSec takes on PCI-DSS service

The Security Governance Risk and Compliance (GRC) Team has taken on the process of supporting the University’s compliance with the payment card industry’s data security standard (PCI-DSS). Until now work towards compliance has been managed as a project in Finance Division with support from the Security GRC team. Bringing PCI-DSS compliance under the umbrella of the Security GRC team enables best practice to be applied to compliance as part of the University’s wider information security management framework.

The standard requires that information technology processing payment card data, or linked to the processing of payment card data, must be protected through security controls in twelve key areas.

Current Status

At present the University is partially compliant. Face-to-face and e-commerce payment channels are compliant, but there are significant challenges in relation to the mail order and telephone order payment channels supported by DARS and Chorus.

Scope of the Service

The PCI-DSS service will include:

  • Yearly audits of compliance and co-ordinating attestation to the acquiring bank
  • Maintaining the University PCI-DSS compliance processes
  • Consolidating CDE (cardholder data environment) documentation
  • Maintaining the PCI training material
  • Assisting with PCI-related queries – please email grc@infosec.ox.ac.uk

PCI compliance work for new projects and changes to current environments will be supported by the Security GRC team through the PSR and TPSA processes. The Cashiers' Office will continue to manage the PED lists and similar PCI asset lists.
