Document Feedback - Review and Comment
Step 1 of 4: Comment on Document
How to make a comment?
1. Use this to open a comment box for your chosen Section, Part, Heading or clause.
2. Type your feedback into the comments box and then click "save comment" button located in the lower-right of the comment box.
3. Do not open more than one comment box at the same time.
4. When you have finished making comments proceed to the next stage by clicking on the "Continue to Step 2" button at the very bottom of this page.
Important Information
During the comment process you are connected to a database. Like internet banking, the session that connects you to the database may time-out due to inactivity. If you do not have JavaScript running you will recieve a message to advise you of the length of time before the time-out. If you have JavaScript enabled, the time-out is lengthy and should not cause difficulty, however you should note the following tips to avoid losing your comments or corrupting your entries:
-
DO NOT jump between web pages/applications while logging comments.
-
DO NOT log comments for more than one document at a time. Complete and submit all comments for one document before commenting on another.
-
DO NOT leave your submission half way through. If you need to take a break, submit your current set of comments. The system will email you a copy of your comments so you can identify where you were up to and add to them later.
-
DO NOT exit from the interface until you have completed all three stages of the submission process.
(1) PCI DSS – Payment Card Industry Data Security Standards is the global data security standard to which all businesses must adhere in order to accept payment by cards, and to store, process, and/or transmit cardholder data. PCI DSS provides guidelines to assist merchants in preventing payment card fraud and to improve security around processing and storage of payment card details. La Trobe University as part of its merchant agreements is required to be compliant with the PCI-DSS. (2) Under PCI DSS requirements, La Trobe University is required to use, store and destroy CHD (cardholder data) in a manner which protects the CHD from misuse or unauthorised transactions. (3) To ensure staff follow the Payment Card Industry Data Security Standards (PCI DSS) Procedures which provide a set of guidelines in preventing payment card fraud and to improve security around processing and storing of customers’ payment card details. (5) The University has entered into merchant agreements with credit card providers and is obligated to protect cardholder information received with any payment transaction. (6) To ensure the University maintains compliance with the Payment Card Industry Data Security Standards (PCI DSS), which provide a set of requirements for processing, transmission, storage and disposal of cardholder data of payment card transactions, and preventing payment card fraud. (7) Controls that are required include: (8) CHD should be treated the same as cash, it must be locked in a safe/secure cabinet/lockable office. Scanning of documents containing CHD into TRIM or any other document management system is prohibited. CHD is not to be stored, processed, or transmitted on La Trobe University computers in any form. Access to any physical media (such as paper forms) containing CHD must be limited to only those staff who require it as a part of their job function. (9) Receipt or transmission of emails containing CHD is prohibited. If emails containing CHD are received, do not print or save the email and do not process the transaction. Instead, reply to the email with the CHD removed stating that the university does not accept payment by this method (specify alternative, allowable options). Delete the email and empty the trash folder as well. (10) Determine whether or not the CHD is actually required to be stored. It is permissible to retain the forms securely for up to 90 days. (11) If not required to be stored CHD must be destroyed after the payment has been authorised. Ensure documents containing CHD destined for destruction are secured at all times. Appropriate methods to destroy CHD are cross-cut shredding, incinerating, pulping. Shred service containers must be anchored to the wall or located in a secure room with limited access, the key should be controlled at all times. The staff of the contracted company handling the containers must be validated prior to being provided access. The company contracted to shred documents must be PCI-DSS compliant. (12) If CHD is required to be kept ensure documents are stored in a secure location, such as a locked filing cabinet or safe in a locked office. (13) Concealing CHD using a permanent marker does not meet minimum requirements for destroying CHD. All CHD must be secured at all times; if staff leave their desk, CHD must be secured. (14) All areas that have access to an EFTPOS machine, must adopt a procedure to verify that the EFTPOS has not been tampered with. This must be verified daily (check of serial number and condition of tamper proof seals). (15) If fax is provided as an option for receipt of CHD, use a specific/dedicated fax machine for the receipt of payments. This fax must be setup to ensure it does not print or display incoming faxes unless a code is entered. Provide the code to only those staff authorised for receipt of cardholder data. (16) Only PCI-DSS trained LTU staff should hand/carry forms to the cashiers for processing. Any form containing CHD should be treated the same as cash. Cash-handling procedures should reflect the secure transport of all monies, including CHD, Cash and Cheques. A locking bank bag should be used and all monies hand carried to and from destinations. Do not use internal mail for forwarding CHD forms to cashiers. (17) Typing of the full PAN into a spreadsheet or other type of document is prohibited. CHD must not be recorded in University receipt books. (18) Sensitive Authentication Data (magnetic stripe / track, card validation code or value (CCV2, CVC2), PIN data) cannot be stored or recorded under any circumstances once a transaction has been processed. (19) Staff handling CHD are required to complete training on an annual basis. New staff will complete the training upon commencement and annually thereafter. A record of training and the users’ acknowledgement of understanding and compliance with all policies and procedures will be recorded. (20) For the purpose of this Policy and Procedure:Payment Card Industry Data Security Standards (PCI DSS) Policy
Section 1 - Background and Purpose
Section 2 - Scope
Top of PageSection 3 - Policy Statement
Top of PageSection 4 - Procedures
Part A - Storage of Cardholder Data
Part B - Email
Part C - Paper Forms
Part D - EFT POS devices
Part E - Fax Machine
Part F - Forms With CHD Taken to Cashier
Part G - Recording CHD
Part H - Card Security Codes
Part I - Training
Section 5 - Definitions