Policy Contact: Accounts Receivable
Purpose
This policy provides guidance for University departments currently accepting credit card payments for goods or services for deposit to University accounts in compliance with the Payment Card Industry (“PCI”) Data Security Standards (“DSS”).
Definitions
- Card Holder Data (“CHD”): refers to a cardholder’s card number, expiration date, PIN, and the 3 or 4 digit CAV2/CVC2/CVV2/CID security code printed on the card (on the back of most cards; on the front for American Express).
Policy
- University employees are required to comply with all applicable laws, rules, regulations and policies pertaining to the acceptance of credit card payments for goods or services at the University, including those standards set by the PCI.
- All University employees involved in the collection, processing, storage, or transmission of CHD are required to participate in PCI Awareness Training as provided by the University prior to their handling of CHD.
- Student employees at the University who handle the processing of more than one (1) credit card transaction at a time (i.e. bulk transactions) must have a background check conducted and participate in PCI Awareness Training as provided by the University prior to their handling of CHD.
- All departments at the University who process CHD must document specific departmental procedures for the collection and processing of CHD. These procedures must include, at a minimum, the following:
- Steps to process CHD received in person, by mail, by telephone, and/or via electronic communications in adherence with this policy;
- A ‘start of day’ process including instructions that all credit card terminals be checked to ensure the tamper-resistant seal on the bottom of each terminal is intact, and that the result of this check be documented; and
- An ‘end of day’ process including an instruction that credit card terminals shall be batched out each day.
- The physical location of all credit card terminals at the University must be approved by the University’s PCI Compliance Officer, successor, or designee.
- No agreement or contract associated with the collection, storage, processing, or transmission of CHD shall be entered into without the review and approval of the University’s PCI Compliance Officer, successor, or designee. This includes the handling of credit card processing through third parties.
- Access to credit card information at the University shall be limited to departmental employees on a “need-to-know” basis. Unauthorized personnel, including custodial staff, shall not be permitted access to CHD.
Collection of CHD
- Collection of CHD using an electronic fax machine is discouraged, but permitted at the University.
- The fax machine must be accessible to departmental staff only.
- Departments accepting CHD via fax cannot use the option that converts faxes to electronic documents.
- Collection of CHD over the telephone or through mail is discouraged, but permitted at the University if all other procedures are followed as set forth in this policy.
- Collection of CHD through electronic mail (e-mail) is not permitted at the University.
- In the event that CHD is delivered via e-mail, individuals must immediately notify the University’s PCI Compliance Officer, or designee, with the circumstances of the e-mail: date, time, from address, to address, and subject line. In the body of the notification, include only the last four digits of the card number involved, with the remaining digits masked (e.g. XXXXXXXXXXXX1234). The e-mail containing the CHD must not be forwarded during this notification process.
- Following notification to the University’s PCI Compliance Officer, individuals must delete the e-mail message by highlighting the e-mail message in Outlook and using ‘shift+delete’ with confirmation, or by deleting the e-mail message and then immediately emptying their ‘deleted items’ folder.
- The credit card payment must not be processed from the e-mail. Instead, the individual must contact the donor/customer directly via telephone or e-mail (do not reply to the original e-mail, but create a new e-mail message), indicate that the University cannot accept CHD via e-mail, and request that the information be provided over the telephone.
Storage of CHD
- Electronic storage of credit card information is not permitted at the University under any circumstances.
- Temporary physical storage of CHD is permitted at the University, provided that any document containing CHD is stored in a locked cabinet/file for a maximum of two (2) business days. If it is necessary to store documents with CHD for more than two (2) business days, individuals must receive approval from the University’s PCI Compliance Officer, successor, or designee.
- Permanent physical storage of CHD is not permitted. CHD on documents or forms must be destroyed using a cross-cut or micro shredder. Destroying the information with a strip shredder is not sufficient.
- The transportation of CHD from one place to another for any reason shall be limited to employees who have regular access to the CHD. The transportation must occur in a secure, locked container.
- All in-person, telephone, mail, and fax credit card payments at the University shall use Elavon Merchant Services devices, or any other device as approved by the University.
- All online/e-commerce credit card payments at the University shall be processed using Elavon Merchant Services and Authorize.Net applications, or any other service as approved by the University.
Responsible Administrator
The Vice President for Finance and Budget, or designee, is responsible for the annual and ad hoc review of this policy and its procedures. The University President is responsible for approval of this policy.
Approved by President on 09/29/2015.