- 1. Introduction:
New card payment solutions provided through a third-party payment service provider must satisfy the Payment Card Industry Data Security Standard (PCI DSS).
- 2. Policy
To assess the suitability of a new card payment solution, the following documents must be submitted to the PCI DSS Committee (pcidsscom@imperial.ac.uk):
- An Attestation of Compliance (AOC) must be supplied (PCI Security Standards Council (SSC) official form)
- Form Requirement:
  - The AOC must be valid within 12 months.
  - If the AOC is not signed by a PCI SSC certified QSA or ISA, the vendor must supply additional information, such as the current quarter's Approved Scanning Vendor (ASV) report and/or the current year's penetration test report for the external network.
- 3. Follow up
If needed at a later stage of the evaluation, the PCI Compliance team might request that the vendor provide a demo of the payment processing workflow through its services.
- 4. Responsibility for Policy Maintenance
The College PCI Committee (pcidsscom@imperial.ac.uk), whose members include the Network and Security Services Manager, the Compliance and Information Governance Manager and the Head of Treasury Management, is responsible for maintaining the Policy.
Changelog:
22 Sep 2017 | Anh Duong | First draft of new policy