• Section 1 - Key Information
• Section 2 - Purpose
• Section 3 - Scope
• Section 4 - Key Decisions
• Section 5 - Policy Statement
• Section 6 - Procedures
• Part A - Staff Handling Payment Card Data
• Part B - Accepting Payment Cards
• Part C - Acceptable Payment Methods
• Part D - Processing or Transmitting Cardholder Data using La Trobe
• Part E - Storing Cardholder Data
• Part F - Cardholder Data Collected Through EFTPOS Machines
• Part G - Service Providers and Third-Party Vendors
• Part H - Incident Response
• Part I - Ongoing Compliance Requirements
• Part J - Breaches
• Part K - Exemptions
• Section 7 - Definitions
• Section 8 - Authority and Associated Information

Section 1 - Key Information

Section 2 - Purpose

(1) The Payment Card Industry Data Security Standards (PCI DSS) are a set of industry standards designed to mitigate the risks associated with handling payment card data, including fraud and identity theft.

(2) PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. It promotes consistent security standards to protect cardholder data from fraud and security breaches by defining requirements for ICT systems, networks, and manual processes that handle payment card information.

Section 3 - Scope

(3) This Policy applies to all University staff, contractors or other parties who, in the course of doing business on behalf of the University, are involved in processing, storing or transmitting payment card data.

Section 4 - Key Decisions

Section 5 - Policy Statement

(4) In accordance with its merchant agreements with credit card providers, the University is obligated to protect cardholder information during payment transactions. This obligation ensures the security and confidentiality of cardholder data throughout the entire payment process.

(5) The University is committed to safeguarding all payment card data it receives and ensuring compliance with PCI-DSS requirements. This includes securely using, storing, transmitting, and destroying payment card data to protect against unauthorised access and fraudulent activities.

(6) To maintain PCI DSS compliance, the University must implement and uphold a comprehensive set of controls covering the twelve requirements, organised under six main categories within the entire Cardholder Data Environment (CDE):

Section 6 - Procedures

(7) Staff and connected third-parties must handle all cardholder data in a manner consistent with PCI DSS and this Policy. This includes adhering to the guidelines for the entire Cardholder Data Environment (CDE), which
encompasses the people, processes, and technology involved in storing, processing, or transmitting cardholder
data or sensitive authentication data.

Part A - Staff Handling Payment Card Data

(8) Only authorised and properly trained staff may accept and/or access payment card information.

(9) Staff accepting credit and debit card payments on behalf of La Trobe University must complete the online PCI Merchant (or similar) training module annually, with training records also retained locally.

(10) The Senior Manager, Business Support Services is responsible for maintaining a list of authorised and trained staff which is reviewed on an annual basis.

(11) All staff who complete training must agree to comply with all University policies and procedures as part of this training.

(12) All requests to become an authorised and trained user must be made via a ASK Finance Request and will be assessed and approved on a case by case basis by the Senior Manager, Business Support Services.

Part B - Accepting Payment Cards

(13) The capability to accept and process payment card information can only be established through Finance Operations, after approval from the Senior Manager – Business Support Services. A listing of all such areas shall be maintained by Finance Operations - Business Support Services.

Part C - Acceptable Payment Methods

(14) Payment card data will only be accepted by the University via the following methods:

1. EFTPOS machine
2. Online (via an approved payment system)
3. In-person
4. Telephone

(15) Payments must not be accepted or processed if the cardholder provides payment card information via email. If such information is received:

1. Respond to the cardholder, deleting the payment data from the reply, and state: "La Trobe University does not accept payment card information via email as this transmission method is not secure. Please use one of the acceptable payment methods listed on our website."
2. Permanently delete the email (including from the Deleted Items folder).

(16) Cardholder data received via telephone must be processed whilst the customer is on the line. Writing down a customer's payment card information to process later is prohibited and any calls that are recorded must be
paused if a customer needs to provide their cardholder details. 

(17) The University does not condone receiving cardholder data on voicemail. In such instances:

1. Staff must enter the cardholder data directly into an EFTPOS pinpad, a virtual terminal, or any other
   PCI-compliant secure device immediately and then delete the message.
2. Inform the cardholder that La Trobe University will not process future payment card information left on voicemail and advise them of acceptable payment methods under this Policy.

(18) To ensure maximum security during transmission, staff should use devices and systems that employ Point-to- Point Encryption (P2PE) or End-to-End Encryption (E2EE).

Part D - Processing or Transmitting Cardholder Data using La Trobe

(19) Cardholder data, including the Primary Account Number (PAN), must not be entered via a laptop or computer keyboard, or stored, processed, or transmitted on La Trobe University computers, including any portable devices such as USB flash drives, compact disks, personal digital assistants, tablets, or phones.

Part E - Storing Cardholder Data

(20) Hardcopy cardholder data must not be collected or stored in any format, including the Primary Account Number (PAN), expiry date, and credit card security codes (CVV, including CVV2, CVC2, and CID). Any digital storage of cardholder data must use strong encryption or tokenization methods to protect the data. Storing a partial PAN, such as the last four digits, is permitted but must still be handled securely to prevent unauthorised access.

Part F - Cardholder Data Collected Through EFTPOS Machines

(21) EFTPOS machines and other devices used to collect cardholder data must be stored securely when not in use, either in a safe, locked filing cabinet, or with a PIN lock, and kept in a secure environment. Use tamper-evident stickers across the seams of the EFTPOS terminals if available.

(22) Any suspected or perceived tampering or substitution of EFTPOS devices must be immediately reported to the
Senior Manager – Business Support Services or other Finance Director.

Part G - Service Providers and Third-Party Vendors

(23) All service providers and third-party vendors that provide payment card services on behalf of the University must be PCI DSS compliant.

(24) Contracts with service providers and third-party vendors should include a statement requiring the vendor to maintain PCI DSS compliance, provide annual proof of compliance, and immediately notify the University in writing of any PCI DSS breach.

Part H - Incident Response

(25) All suspected breaches must immediately be reported to the IS Service Desk via ASK IS or on telephone number (03) 9479 1500. The IS Service Desk will report all actual or suspected incidents to Finance. Finance, in coordination with IS, will assess the incident, initiate an appropriate investigation, and determine any remedial or corrective actions required in accordance with applicable policies and procedures.

Part I - Ongoing Compliance Requirements

(26) The Chief Financial Officer (or their nominee) is responsible for:

1. maintaining a register of authorised third-party credit card processing vendors, service providers, and
   EFTPOS terminals;
2. ensuring that, in collaboration with IS and/or Data & Analytics, all system components involved in cardholder data storage, processing, or transmission are appropriately captured and secure;
3. ensuring all financial transactions and payment processing activities are compliant with PCI DSS
   requirements and University policies, in coordination with relevant business units and Information Services;
4. regularly reviewing financial processes to ensure PCI DSS compliance, identifying any gaps or
   vulnerabilities, and supporting the development and implementation of remediation plans as needed;
5. ensuring that all University staff involved in payment processing complete the required PCI DSS training and understand their responsibilities;
6. coordinating with the designated Finance and IS contacts to ensure that all financial implications of a security incident are fully assessed, appropriately addressed, and accurately documented in accordance with relevant policies and procedures; and
7. completing and submitting the annual Self-Assessment Questionnaire (SAQ) to demonstrate the University's compliance with PCI DSS, with support and assistance from the University’s PCI DSS compliance partner as required.

(27) The Chief Information Officer (or their nominee) is responsible for:

1. coordinating quarterly internal and external network vulnerability scanning as required;
2. performing an annual self-assessment to demonstrate the University's compliance with PCI DSS in consultation with Digital Service;
3. testing the incident response plan annually; 
4. providing annual awareness and training programmes to staff commensurate with their responsibilities; and
5. developing and implement remediation plans for vulnerabilities identified in quarterly scans or other areas of non-compliance, to be fully implemented within one month of identification or sooner based on risk assessment.

Part J - Breaches

(28) Any suspected or perceived breach involving the disclosure, theft, or misuse of payment card information must be immediately reported to the Senior Manager – Business Support Services or other Finance Director. Based on investigative findings, the CFO will decide if other entities need to be notified of the breach (e.g., card associations, merchant bank, cardholders).

(29) Any incidents also need to be reported to the University’s Compliance Manager via compliance@latrobe.edu.

Part K - Exemptions

(30) Any request for an exemption from this Policy should be referred to the Senior Manager – Business Support Services or other Finance Director for review and recommendation to the Chief Financial Officer for approval. Any such exemptions are to be fully documented and retained in La Trobe's record management system.

Section 7 - Definitions

(31) For the purpose of this Policy and Procedure:

1. Access Control Measures: Security protocols that restrict access to cardholder data to authorised personnel only.
2. Acquirer: A financial institution that processes credit or debit card payments on behalf of a merchant.
3. Anti-virus Software: Programs designed to detect and remove viruses and other kinds of malicious software from computers and networks.
4. ASK IS: La Trobe University’s Information Services help desk for reporting incidents and requesting IT
   support.
5. Cardholder Data Information: Information associated with a payment card, typically including the primary account number (PAN), cardholder name, expiration date, and service code.
6. Cardholder Data Environment (CDE): The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.
7. CID (Card Identification Number): The Amex Card Identification number is the four-digit, non-embossed number printed above the account number on the face of the card.
8. Critical Incident Management Strategic Framework: A set of procedures and protocols for managing critical incidents at the University.
9. CVC2 (Card Validation Code): The three-digit security code on the back of a credit card issued by MasterCard.
10. CVV (Card Verification Value): A security feature for credit and debit card transactions, providing an additional layer of verification, typically a three- or four-digit number.
11. CVV2 (Card Verification Value): The three-digit security code on the back of a credit card issued by Visa and Discover.
12. Encryption: The process of converting information or data into a code, especially to prevent unauthorised access.
13. EFTPOS (Electronic Funds Transfer Point of Sale): A payment system that allows the transfer of funds from a cardholder’s account to a merchant’s account at the point of sale.
14. Firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
15. Incident Response Team: A group responsible for investigating and responding to security incidents involving cardholder data.
16. Issuer: A financial institution that issues payment cards to consumers.
17. Merchant: Any person or entity (such as a school/unit) that accepts payment cards as payment for goods and/or services.
18. PAN (Primary Account Number): The 14- or 16-digit number on a credit or debit card that identifies the issuer and the specific cardholder account.
19. P2PE (Point-to-Point Encryption): A secure payment technology that encrypts cardholder data from the point of entry to the payment processor, preventing unauthorised access during transmission.
20. Payment Card: Any credit or debit card accepted by the University.
21. PCI DSS (Payment Card Industry Data Security Standards): The Payment Card Industry Data Security Standards are a set of industry standards designed to mitigate the risks associated with handling payment card data, including fraud and identity theft.
22. Payment Card Incident Log: A log used to document actions taken in response to a suspected or actual security incident involving payment card data.
23. Processor: An entity that processes payment card transactions on behalf of a merchant.
24. Self Assessment Questionaire: A validation tool for merchants and service providers to demonstrate compliance with PCI DSS requirements.
25. Senior Manager, Business Support Services: The person responsible for overseeing the business support services at the University, including compliance with payment card processing standards.
26. Service Provider: A business entity that provides services related to processing, storing, or transmitting cardholder data on behalf of another entity.
27. Tamper-evident stickers: Stickers used to indicate whether a device has been tampered with.
28. Tokenization: The process of replacing sensitive card information with a unique identifier or token that cannot be reverse-engineered.
29. Virtual Terminal: A web-based application that allows merchants to process card-not-present transactions securely.
30. Primary Account Number (PAN): Unique payment card number (typically for credit or debit cards also called account number) that identifies the issuer and the particular cardholder account.

Section 8 - Authority and Associated Information

(32) This Policy is made under the La Trobe University Act 2009.

(33) Associated information includes:

1. PCI DSS Security Standards Council