EFTPOS Terminal Compliance Policy and Procedures

University staff members who operate or manage the University’s EFTPOS terminals.
Contractors, sub-contractors and students are not authorised to operate and manage EFTPOS Terminals.

To ensure that:

• EFTPOS terminals are only installed in appropriate locations and operated and managed by staff members who understand their obligations.
• There are controls in place to protect the University’s EFTPOS terminals from tampering or substitution.
• The University meets the requirements of the Payment Card Industry Data Security Standard (PCI DSS).

1. All requests for EFTPOS terminals must be approved by the Shared Transaction Center before issuance.
2. University staff members who operate or manage the EFTPOS terminals must be trained on induction, and then annually.
3. EFTPOS terminals must be inspected regularly for tampering or substitution.
4. It is the responsibility of the person in charge of the EFTPOS terminal (as identified by Financial Control) to ensure that staff members operating and managing the EFTPOS terminal are trained, and that regular inspections of the EFTPOS terminals are performed.
5. If the EFTPOS terminal has been tampered with or substituted this must be reported to Financial Control in accordance with the procedures outlined in the Incident Management Response Plan.

6. Requests for EFTPOS terminals must be submitted to the Shared Transaction Center to approve and arrange via the staff intranet portal (select “Shared Transaction center” as the service, “Accounts Receivable and Billing” as the topic, and “EFTPOS Terminals” as the sub-topic).
7. EFTPOS terminals must only be approved for installation at locations where there is evidence that the applicant accepts card payments.
8. Staff members operating and managing EFTPOS terminals are to be trained on the following:

• background on the Payment Card Industry Data Security Standard (PCI DSS) and its importance
• best practices to keep credit card data safe
• how to inspect an EFTPOS terminal for tampering or substitution
• awareness of suspicious behaviour and to report tampering or substitution of EFTPOS terminals to Financial Services via staff intranet portal (select “Financial Services” as the service, “Finance Compliance” as the topic and “EFTPOS Terminal Compromise” as the sub-topic.

9. Staff members operating and managing EFTPOS terminals must complete an online training module on EFTPOS Terminal Compliance, available through Career Tools. The online training should be completed on induction and annually.
10. The person in charge of the EFTPOS terminal must ensure that all staff members operating and managing the EFTPOS terminals have been trained on online EFTPOS terminal compliance upon induction and annually.
11. Financial Control is responsible for reviewing, and where necessary updating, this document at least annually, or earlier if there has been a significant change to the University’s Card Data Environment (CDE).

The following definitions apply to this document:
Staff members refer to an individual employed by the University on a full, casual or part-time basis.
University means Waipapa Taumata Rau - the University of Auckland and includes all subsidiaries.
EFTPOS Terminal is an electronic payment system involving electronic funds transfers based on the use of payment cards, such as debit cards and credit cards, at payment terminals located at point of sale.
PCI DSS means The PCI DSS (Payment Card Industry Data Security Standard, an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.

Include the following:

• Receipting and Banking Policy
• Payment Card Industry Data Security Standards
• Incident Management Response Plan

Owner: Chief Financial Officer
Content manager: Tax and Financial Compliance Manager  
Approved by: Vice-Chancellor
Date approved: 30 November 2017
Date last reviewed or amended: 15 October 2024
Next Review date: 31 December 2029