EFTPOS Terminal Compliance Policy and Procedures


Application


University staff members who operate or manage the University’s EFTPOS terminals

Purpose


To ensure that:

  • EFTPOS terminals are only installed in appropriate locations and operated and managed by staff members who understand their obligations
  • there are controls in place to protect the University’s EFTPOS terminals from tampering or substitution
  • the University meets the requirements of the Payment Card Industry Data Security Standard (PCI DSS)

Policy


  1. All requests for EFTPOS terminals must be approved by Financial Services for issuance

  2. University staff members who operate or manage the EFTPOS terminals must be trained on induction and annually

  3. EFTPOS terminals must be inspected regularly for tampering or substitution

  4. It is the responsibility of the person in charge of the EFTPOS terminal (as identified by Financial Services) to ensure that staff members operating and managing the EFTPOS terminal are trained and that regular inspections of the EFTPOS terminals are performed

  5. If the EFTPOS terminal has been tampered with or substituted this must be reported to Financial Services in accordance with the procedures outlined in the Incident Management Plan

Procedures


  6. Requests for EFTPOS terminals must be submitted to Financial Services to approve and arrange via the intranet portal (select “Financial Services” as the service, “Revenue Collection” as the topic and “EFTPOS Terminals” as the sub-topic)

  7. EFTPOS terminals must only be approved for installation at cash collection locations where there is evidence that the applicant receives and/or handles cash on a regular basis

  8. Staff members operating and managing EFTPOS terminals are to be trained on the following:

  • background on PCI DSS and its importance
  • best practices to keep credit card data safe
  • how to inspect an EFTPOS terminal for tampering or substitution
  • awareness of suspicious behaviour and to report tampering or substitution of EFTPOS terminals to Financial Services

  9. Staff members operating and managing EFTPOS terminals must complete and submit the EFTPOS Compliance Training Acknowledgement Form as evidence that they have been trained on induction and annually

  10. The person in charge of the EFTPOS terminal must complete and submit the EFTPOS Compliance Training Acknowledgement Form annually to acknowledge that all staff members operating and managing the EFTPOS terminal have been trained on induction and annually

  11. Financial Services are responsible for reviewing and where necessary updating this document at least annually, or earlier if there has been a significant change to the University’s Card Data Environment (CDE)


Key relevant documents


Receipting and Banking Policy

Payment Card Industry Data Security Standard

EFTPOS Compliance Training Acknowledgement Form

Incident Management Plan

Document management and control


Owner: Chief Financial Officer

Content manager: Financial Services

Approved by: Vice-Chancellor

Date approved: November 2017

Review date: November 2020