Issue - meetings

Meeting: 13/04/2017 - Corporate Policy and Resources Committee (Item 118)

118 Implementation of PCI-DSS Security Policy (PDF, 719 KB)

Minutes:

The report was introduced by the Information Governance Officer.

The Payment Card Industry Data Security Standard (PCI DSS) was a worldwide standard set up to help businesses process card payments securely and reduce card fraud. It did this through tight controls on the storage, transmission and processing of the cardholder data that businesses handled. PCI DSS was intended to protect sensitive cardholder data; if an organisation lost card data and was not PCI DSS compliant, there was the potential for financial penalties.

Requirement 12 of the Standard required all organisations that took card payments to maintain a strong security policy, as set out in the report. The report therefore presented a new policy to comply with Requirement 12. The policy would be a sub-policy of the Council’s IT Security Policy and, whilst essentially standalone, must be read and applied in conjunction with the other policy documents in the set.

The Policy applied to staff, contractors and third parties who accessed the Council’s Cardholder Data Environment (CDE) for the purposes of taking payments or maintaining the payment systems.

It was clarified that the audit undertaken had been carried out by the County Council’s auditors, and that the policy was part of moving from limited to substantial assurance.

The policy was moved for adoption and seconded. On being voted upon it was:

RESOLVED that:

a) the PCI-DSS Security Policy be approved for formal adoption; and

b) delegated authority be granted to the Senior Information Risk Owner (SIRO) to make minor house-keeping amendments to the Policy in the future, in consultation with the Chairmen of the Corporate Policy and Resources Committee and the Joint Staff Consultative Committee.