EFTPOS Terminal Compliance Policy and Procedures

Application

University staff members who operate or manage the University’s EFTPOS terminals.

Purpose

To ensure that:

  • EFTPOS terminals are only installed in appropriate locations and operated and managed by staff members who understand their obligations
  • there are controls in place to protect the University’s EFTPOS terminals from tampering or substitution
  • the University meets the requirements of the Payment Card Industry Data Security Standard (PCI DSS)

Policy

1. All requests for EFTPOS terminals must be approved by Financial Services for issuance.

2. University staff members who operate or manage the EFTPOS terminals must be trained on induction and annually.

3. EFTPOS terminals must be inspected regularly for tampering or substitution.

4. It is the responsibility of the person in charge of the EFTPOS terminal (as identified by Financial Services) to ensure that staff members operating and managing the EFTPOS terminal are trained and that regular inspections of the EFTPOS terminals are performed.

5. If the EFTPOS terminal has been tampered with or substituted this must be reported to Financial Services in accordance with the procedures outlined in the Incident Management Plan.

Procedures

6. Requests for EFTPOS terminals must be submitted to Financial Services to approve and arrange via the intranet portal (select “Financial Services” as the service, “Revenue Collection” as the topic and “EFTPOS Terminals” as the sub-topic).

7. EFTPOS terminals must only be approved for installation at cash collection locations where there is evidence that the applicant receives and/or handles cash on a regular basis.

8. Staff members operating and managing EFTPOS terminals are to be trained on the following:

  • background on PCI DSS and its importance
  • best practices to keep credit card data safe
  • how to inspect an EFTPOS terminal for tampering or substitution
  • awareness of suspicious behaviour and to report tampering or substitution of EFTPOS terminals to Financial Services

9. Staff members operating and managing EFTPOS terminals must complete and submit the EFTPOS Compliance Training Acknowledgement Form as evidence that they have been trained on induction and annually.

10. The person in charge of the EFTPOS terminal must complete and submit the EFTPOS Compliance Training Acknowledgement Form annually to acknowledge that all staff members operating and managing the EFTPOS terminal have been trained on induction and annually.

11. Financial Services are responsible for reviewing and where necessary updating this document at least annually, or earlier if there has been a significant change to the University’s Card Data Environment (CDE).

Definitions

The following definitions apply to this document:

EFTPOS means Electronic Funds Transfer at Point of Sale.

Payment Card Industry Data Industry Security Standard (PCI-DSS) is a standard the University must comply with because it accepts card payments. The standard was established by the payment card industry to define an appropriate set of security standards expected to be maintained by organisations receiving card payments.

Staff member refers to a person employed on a full or part time basis by the University.

University means the University of Auckland including all subsidiaries.

Key relevant documents

Incude the following:

Document management and control

Owner: Chief Financial Officer
Content manager: Financial Services
Approved by: Vice-Chancellor
Date approved: November 2017
Review date: November 2020