Collecting income using credit/debit cards

Who is this relevant for?

This is relevant for anyone at the University, or one of its subsidiaries, involved in acquiring systems to take payments or taking payments by credit or debit card.

What’s the issue?

Any company that takes credit or debit card payments must comply with the Payment Card Industry Data Security Standard, commonly referred to as PCI DSS.

This set of rules tells people responsible for taking credit and debit card payments how to handle the data taken safely to avoid the risk that it could be lost, stolen or intercepted and used for fraudulent activities.  It covers:

  • How to take a payment safely.
  • What to do with sensitive financial information which we get when we take a payment.
  • How to store information and rules around destruction after use.
  • How to manage your IT network to ensure that all data is safe.

Why is it important?

We are handling sensitive data of people which if not treated correctly could fall into the wrong hands.  When card details are stolen and used fraudulently the average loss per customer is around £500 and the total value of card based frauds in the UK was £388 million in 2012 (source:

If we do not comply with PCI DSS we would face significant fines and ultimately we could lose the right to take credit and debit card payments at the University.

Buying or developing an income system

As part of our financial regulations, anyone considering acquiring an income collection system needs to consult with Finance/ and/or ITS, to ensure that it is required, compliant with PCI DSS and can be integrated into our financial systems. 

Further details on this can be found here.

Five golden rules to follow

The University has a PCI DSS policy which gives all of the things users of income collecting systems must comply with.  Users must sign a declaration to confirm that they have read and understood the policy.

PCI DSS is a very important area but it really all boils down to common sense.  There are five key things that people involved in the credit/debit card process must always remember.

1. Consult: If you are considering acquiring or developing an income collection system, you must consult with Finance and/or ITS at the University to ensure that it is PCI DSS compliant and will not compromise the University in any way.

2. Payments: when taking payments, check that your payment system has not had anything unusual added to it (a USB driver/Dongle for example) and after the payment has been taken immediately put the receipt and any related paperwork safely away in a locked till/draw.

3. Sensitive information: never write down on paper, in an electronic document or add to any system the:

  • PAN number (the long 14 or 16 digit number of the front of the card).
  • The three digit code on the back of the card.
  • The customers own PIN (for chip and pin cards) – we should never have this.

Once a transaction has been taken we do not need this information and holding it puts the University at huge risk. 

We have turned off the production of the PAN number on all of our University Merchant Receipt from October 2013 therefore we should never get this information however if you notice that your system is generating it contact one of the individuals in the Contacts section please.

If you lose credit or debit card information contact one of the individuals listed here immediately so that we can help resolve the situation. 

If in doubt about security of the data or integrity of the payment system or device, please do not use it and contact us immediately.

4. Paperwork: Sensitive Credit/ debit card paperwork (any paperwork which includes the full card number as detailed in 3. above) needs to be hand delivered daily to the Fees Payments Office in Fielding Johnson and cannot be put in the internal post as it is as valuable as cash.

If the full credit/debit card number is not shown the information can be sent in the internal mail.

5. Destroy: Receipts or other documents with the PAN, and/or three digit security number, shown, must be destroyed securely using a cross cutting shredding machine.

Credit/ debit card machine for events

We offer a credit/ debit card machine loans system for departments that need a machine for a short period of time. If you are attending or running an event where you will be selling items we can provide you with a mobile credit/ debit card machine so that customers can pay you using their card. Please contact Margaret Palmer ( in the first instance to arrange this and Gary Toon ( ) in Margaret's absence.

There is no charge to your department for this service.

We are here to help

This is an important area with lots or rules and regulations around it.

The individuals shown on our Contacts page are experts in this area and can provide support and advice. We are also happy to support training staff on using card machines.


Share this page: