1 Policy Number: 339 Policy Title: Credit Card Processing Policy, Procedure, & Standards Review Date: Approval Date: POLICY: All individuals involved in handling credit and debit card transactions made to Georgia Perimeter College must take all the appropriate measures in order to protect and safeguard the information gathered through the transaction in accordance with Payment Card Industry s Data Security Standards (PCI-DSS), USG Policy and other applicable laws. Financial transactions including electronic based transactions involving the transfer of credit and debit card information must be performed on systems approved by the Office of Financial Affairs and Office of Information Security. Purpose: The purpose of this policy is to establish a set of standards, guidelines, and procedures for processing payments to protect against exposure to corruption, damage, theft, or any other disruption to the authentic state of account and personal cardholder information that has been provided to Georgia Perimeter College; and to comply with the PCI-DSS requirements for transferring, handling and storage of credit card and other payment information. Scope: This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format. Enforcement: Persons in violation of this policy are subject to a range of sanctions (determined and enforced by GPC management), including the loss of computer network access privileges, disciplinary action, dismissal from the college, and legal action. Some violations may constitute criminal offenses, as outlined in the Georgia Computer Systems Protection Act, Code Site , and other local, state, and federal laws, and could lead to criminal prosecution Reason for Policy This policy provides requirements and guidance for all credit and debit card processing activities
2 for Georgia Perimeter College. At the initial publication of this policy, the following sources were consulted and provided the basis for this program: ISO 17799, Payment Card Industry (PCI) Security Standards, and the Card Association Merchant Operating Regulations (Visa, MasterCard, American Express, and Discover). As card association regulations change, this policy will be updated as needed, and adhered to on a continued basis. This policy deals with access to Georgia Perimeter College s computing and network resources. All relevant provisions in the Information Security Policies and Ethics Policies are applicable and included by reference in this document. Related Standards and Procedures Credit Card Processing Standards Credit Card Processing Procedures The Credit Card Processing Procedures carries the full force of the Credit Card Processing policy. This separation allows for easier modifications to the procedures due to the changing nature of business, technology and security. Georgia Perimeter College currently accepts four major credit cards (American Express, Discover, MasterCard and Visa) for payment of services rendered and goods sold. Debit cards with the Discover, MasterCard, and Visa logos are also accepted. All campus merchants are required to process card transactions through the merchant services provider selected by the College. 1) Any College unit wishing to accept credit cards for goods and/or services should complete a Credit Card Merchant Application. Applications will be reviewed to ensure your request for processing credit card sales is in compliance with current College policies. 2) If specialized software and/or systems are required, the Office of Financial and Administrative Affairs, Information Security Officer, Office of Information Technology, and the applicable computer support unit will work with the campus merchant to ensure processing standards and safeguarding measures are met. 3) All campus merchants accepting credit cards for payment must comply with the Georgia Perimeter College Credit Card Processing Policy, Payment Card
3 Industry (PCI) Standards, Board of Regents policy, Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. GPC s Information Security Plan is to protect the private financial information of College customers. The GLBA and FTC Safeguards Rule are available at 4) Access to cardholder information should be limited to only those persons whose job requires such access. 5) If any campus merchant shall become aware that cardholder data has been compromised; the merchant must follow the Compromise Incident Response Procedures as outlined in the Credit Card Processing Procedures. 6) A Payment Card Industry (PCI) Questionnaire will be dispersed annually to each campus merchant for review and update as needed. 7) Campus merchants and employees in key roles (refer to Policy and Procedures Definition section) must participate in all training sessions offered. 8) Campus merchants operating point of sale equipment/ software must adhere to the following standard/policy which states personal use is prohibited on any computer or electronic device used for credit card processing, and as such reasonable measures shall be taken to limit personal use or any other unintended use of computers and devices that store, process or transmit credit card data. These reasonable measures include, but are not limited to: - Anti-virus software - Firewalls - Automatic updating of the operating system No web browsing may be done on this computer or electronic device except for web sites related to credit card processing. (Payment Card Industry Security Standards) (Minimum Security Standards for USG Networked Devices
4 PROCEDURE: Purpose: The purpose of these procedures is to provide a series of steps in order to accomplish the adherence and successful implementation of the Credit Card Processing Policy. Scope: These procedures apply to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format. Enforcement: Persons in violation of these procedures are subject to a range of sanctions (determined and enforced by GPC management), including the loss of computer network access privileges, disciplinary action, dismissal from the college, and legal action. Some violations may constitute criminal offenses, as outlined in the Georgia Computer Systems Protection Act and other local, state, and federal laws, and could lead to criminal prosecution Compromise Incident Response Procedures Should you become aware that any cardholder data was subject to compromise, you should follow the steps outlined below within 24 hours: 1) Alert the following immediately: Office of Information Security Office of Financial and Administrative Affairs Note: if the compromise includes physical devices (e.g. computer, POS, etc.), please contact the College Police as well. 2) Immediately work with the Office of Information Security to limit the exposure. Prevent further loss of data by doing the following: Do not access or alter compromised systems Isolate compromised systems from the network Preserve logs and electronic evidence Log all actions taken Be on high alert and monitor all systems
5 3) The Office of Financial and Administrative Affairs will assist the campus merchant in notifying the third party vendor, if applicable. Record Retention Campus merchants should maintain adequate records of the sales transactions. Daily sales totals, receipts, logs, etc. substantiating revenue should be stored for 5 years in accordance with state record retention policies (Board of Regents, Records Retention Series M - ( Other documents with cardholder data such as the Credit Card Authorization Form (without the bottom section) should be stored in a locked filing cabinet or safe and only need to be retained for at least 2 years. At the time of disposal, all documents containing sensitive cardholder data should be shredded using a crosscut shredder. Individuals with access to cardholder information should be limited to only those persons whose job requires such access, such as resolving credit card reconciling issues and disputes. Point-of-Sale Transactions 1) The Office of Financial and Administrative Affairs will coordinate all credit cards processing for the College. The VP of Finance, Bursar, Chief Information Security Officer (CISO) or delegate(s) must approve all credit card processing activities at Georgia Perimeter College before a unit enters into any contracts or purchases software and/or equipment. 2) All card transactions will be processed on equipment compatible with the processing platform(s) of the College s card processor. 3) Effective July 1, 2004, all customer receipts must truncate the card number so only the last four digits are printed ( US/display/ /HB/213). 4) Campus merchants requiring equipment for point-of-sale (POS) transactions must contact the Office of Financial and Administrative Affairs before such equipment is purchased. The Office of Information Security will be consulted prior to equipment purchase if the requested equipment is not standard. An request must be submitted to the Logistical Services Office for assistance with vendor selection. Any vendor chosen by a campus merchant must be Payment Card Industry (PCI) compliant and remain certified as
6 compliant by the card associations. 5) Campus merchants shall maintain a listing of all devices used, location of them, model, serial number and the personnel that have access to the device(s). Periodically inspect device surfaces to detect tampering and substitution - 6) On a daily basis, the campus merchants processing credit card payments via POS devices must balance transactions and settle their sales electronically to the merchant services provider. 7) The campus merchant will send an to the Office of Student Accounts no later than noon of the day following settlement with the pertinent information so the sales revenue can be recorded in the College accounting system. Campus merchants shall send an to the College s Bursar in the Office of Student Accounts using the Credit Card Transmittal Form. It is important that campus merchants reconcile their point-of-sale transactions when they are settled. 8) Campus units must not accept or send credit/debit card information via . 9) All point-of-sale terminal transactions must be batched and transmitted to the card processor on a daily basis. Transmission of sensitive cardholder data should be encrypted using 128 bit encryption and purged after settlement. 10) Those units, which utilize a fax machine for credit card orders, must operate a stand-alone fax machine connected via Plain Old Telephone Service (POTS) Analog line only. Multipurpose machines will not be allowed for receiving any credit card information. The stand-alone fax machine must be located in a secure area away from public traffic. 11) Access to the physical location of credit cardholder data should be in a restricted, locked and fire secure area where only authorized persons are allowed. Any visitors in this restricted area should be identified and escorted at all times. 12) Cardholder data is not to be taken or distributed for unauthorized purposes.
7 Card Present Transactions (in-person) 1. Ask for identification at the point of sale to verify the cardholder is using the card 2. Always swipe the card through the terminal/point of sale device, if applicable 3. Obtain authorization for every card sale 4. Ask the customer to sign the sales receipt 5. Match the printed number on the card to the four digits of the account number displayed on the Terminal. 6. Compare name and signature on the card to those on the transaction receipt 7. If you believe the card number or sale is suspicious, make a Card Present - Code 10 Call to the voice authorization center for the card being used. Card Not Present Transactions (phone or fax) 1. The College approved Credit Card Authorization Form is strongly recommended for card not present transactions. 2. Obtain cardholder name, billing address, shipping address (if different from billing address and if applicable), account number, and expiration date. 3. Verify the customer s billing address either electronically (by entering the zip code in the POS device) or by calling the credit card automated phone system. 4. Obtain a signature for goods or services where the recipient is not the cardholder. 5. Maintain credit card receipts and all delivery records for the retention period as specified in the Record Retention section of this document. Code 10 calls Code 10 calls allow GPC merchants to alert card issuers of suspicious activity and to take appropriate action when instructed to do so. You or your supervisor should make a Code 10 call to your voice authorization center whenever you are suspicious about a card, cardholder, or a transaction. The term Code 10 is used so the call can be made at any time during a transaction without arousing a
8 customer s suspicions. Making a Code 10 during a transaction You or your supervisor will call the credit card company s voice authorization center, and say, I have a Code 10 authorization request. It is important to note that Code 10 calls can be time consuming. The call may first be routed to a representative of your merchant bank that may need to ask you for some merchant or transaction details. You will then be transferred to the card issuer and connected to a special operator who will ask you a series of questions that can be answered with a simple yes or no. When connected to the special operator, answer all questions calmly and in a normal tone of voice. Your answers will be used to determine whether the card is valid. Follow all operator instructions. If the operator tells you to pick up the card, only do so if recovery is possible by reasonable and peaceful means. GPC employees are not obligated or expected to confiscate credit cards. Making a Code 10 call after a transaction Sometimes you may not feel comfortable making a Code 10 call while the cardholder is at the point of sale or you may become suspicious of a cardholder who has already left the store even if the transaction was not completed. It is important to know that Code 10 calls can be made even after a cardholder leaves the store. A Code 10 alert at that time may help stop fraudulent card use at another location, or perhaps during a future transaction at your store. Be prepared to provide as much customer information as you can - e.g. name on card, type of card (e.g. MasterCard) and card number. Cardholder Information received via If cardholder information is received via , campus merchants should follow the following procedure: The must be deleted immediately from both your In Box and Trash folders.
9 The campus merchant should notify cardholder that transaction will not be processed. Do not use reply. The campus merchant should send a new so that the cardholder information is not included in the response, adding the following (or similar) text to your Georgia Perimeter College does not accept or process credit card information provided via . That would be against Payment Card Industry Compliance Standards and College Policy. Therefore, your transaction will not be processed. Please contact us to request available payment options. E-Commerce Transactions 1) The Office of Financial and Administrative Affairs will coordinate all e- commerce processing for the College. No individual department may enter into a contract with a card processor without approval of the VP of Finance, Bursar, Chief Information Security Officer (CISO) or delegate(s). 2) Departments should contact and seek approval from the Office of Financial and Administrative Affairs prior to purchase of specialized software or equipment so that customized processing applications are reviewed in conjunction with policy and procedure. The Office of Financial and Administrative Affairs, the Office of Information Security, and the applicable computer support unit will work with the department to ensure processing standards and safeguarding measures are met. 3) All card transactions must be processed through a payment gateway approved by the VP of Finance, Bursar, Chief Information Security Officer (CISO) or delegate(s). An request must be submitted to the Office of Financial and Administrative Affairs ( address) for assistance with vendor selection. Any vendor chosen by a department must be Payment Card Industry (PCI) compliant and remain certified as compliant by the card associations. 4) To the extent possible, card processing transactions should be performed on the website of the payment gateway (i.e., the customer should enter sensitive cardholder data on a payment engine website) and not on College computer or network resources. 5) No campus merchant should store or process any sensitive cardholder data
10 on any College computer or server. All sensitive cardholder data should be maintained by an approved service provider. All outside service providers must comply with the Payment Card Industry (PCI) standards. 6) All IP based point of sale devices and/or ecommerce transactions must be batched and transmitted to the card processor daily. For IP based point of sale devices, sensitive cardholder data must be encrypted using 128 bit encryption and purged after settlement. Transmissions for IP based point of sale devices should be coordinated and approved by the Chief Information Security Officer (CISO) or delegate. 7) It is strongly encouraged that campus merchants reconcile their e-commerce transactions on a monthly basis. 8) When the Office of Financial and Administrative Affairs receives charge back inquiries from the credit card companies, the applicable campus merchant will be contacted to provide the necessary information about the sales transaction in question. 9) Cardholder data is not to be taken or distributed for unauthorized purposes. 10) The Chief Information Security Officer (CISO) will be responsible for scheduling quarterly scans. Forms/Instructions Credit Card Authorization Form Credit Card Merchant Application Form Credit Card Transmittal Form Marketplace Access Request Form Related Policy and Procedures Credit Card Processing Policy Credit Card Processing Procedures
11 STANDARD: The Office of Financial Affairs, working with office of Information Security, shall develop, implement and enforce formal credit and debit card processing responsibilities and procedures to ensure strict control of all transactions, data retention and daily operations in order to ensure adequate consideration of the potential security impacts to the authentic state of account and personal cardholder information that has been provided to Georgia Perimeter College. Purpose: The standard is to establish a set of requirements in line with the Credit Card Processing Policy for processing payments to protect against exposure to corruption, damage, theft, or any other disruption to the authentic state of account and personal cardholder information that has been provided to Georgia Perimeter College. Scope: This standard applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format. Enforcement: Persons in violation of these standards are subject to a range of sanctions (determined and enforced by GPC management), including the loss of computer network access privileges, disciplinary action, dismissal from the college, and legal action. Some violations may constitute criminal offenses, as outlined in the Georgia Computer Systems Protection Act, Code Site , and other local, state, and federal laws, and could lead to criminal prosecution. Process Requirements The approval process for all credit card processing activities will be as follows: A. The Vice President of Finance, Bursar, Chief Information Security Officer (CISO) or delegate(s) must approve all credit card processing activities at Georgia Perimeter College before a unit enters into any contracts or purchases software and/or equipment. Please refer to the Georgia Perimeter College Credit Card Processing Procedures for additional information. This requirement applies regardless of the transaction method used (e.g., e-commerce, POS device, or e-commerce outsourced to a third party). Approved units must register their credit card processing information with the Office of Financial and Administrative Affairs. B. All technology implementation (including approval of authorized payment gateways) associated with the credit card processing must be in accordance with the Georgia Perimeter College Credit Card Processing Procedures, Payment Card Industry Data Security Standards (PCI-DSS), the University
12 System of Georgia Board of Regents policies. In addition, the implementation must be approved by the Vice President of Finance, Bursar, Chief Information Security Officer (CISO) or delegate(s). C. Sensitive cardholder data should not be stored in any fashion on Georgia Perimeter College computers or networks. Transmission of sensitive cardholder data must follow guidelines for point of sale and e-commerce as described in the College credit card procedures. Credit card point of sale receipts should follow approved procedures for storage and retention. Exemptions to this must be approved by the Vice President of Finance, Bursar, Chief Information Security Officer (CISO) or delegate(s). D. Units approved for credit card processing activities must maintain the following standards: i. All employees (business managers, operations personnel, and technical staff) involved in e- commerce or POS transactions must attend annual PCI and College training. ii. All units should create, maintain and test annually, business continuity and disaster recovery plans. A copy of the Compromise Incident Response Procedures can be found in the Credit Card Processing Procedures. iii. All servers and POS devices will be administered in accordance with the iv. requirements of the Credit Card Processing Procedures. All cardholder data should be treated the same as cash. It should be in a restricted, locked and fire secure area. Access to credit card processing systems and related information (i.e. forms) must be restricted to appropriate personnel. These individuals are defined as needing access to credit card information in order to perform their day to day job responsibilities. Destroy all media containing unnecessarily stored cardholder data. Cross cut shredding is the minimum requirement by which cardholder data on paper is acceptably assumed destroyed. Shredding should be done as soon as it is no longer required for business purposes. E. The college will utilize the CISO's appointed Certified PCI-DSS Internal Security Assessor and contract with an approved certified PCI 3 rd party assessor to review GPC processes and determine any vulnerability as it relates to PCI compliance. Each unit responsible for credit card processing must have a completed PCI questionnaire on file with the CISO. This questionnaire needs to be reviewed annually to ensure compliance with this policy and the associated procedures. Each unit, with the exception of point of sale campus merchants, must also enroll and participate in network scans with the College s Information Security Department. Each campus merchant s questionnaire and scans will be documented and tracked by the approved third party assessor. The Office of Financial and Administrative Affairs and the Office of Information Security will have access to each campus merchant s status on a continual basis. The CISO or delegate will, at the request of the unit, assist in the initial PCI questionnaire. Audits will be performed periodically to confirm the results of the PCI questionnaire. F. On an annual basis, the CISO and/or Office of Financial and Administrative Affairs will provide appropriate training to all employees associated with credit card processing.
13 G. Campus merchants will report any anticipated changes in their credit card processing procedures using the Change Management Process. (Request to be submitted to sponsor in office of Information Security) H. Campus merchants and employees in key roles must be aware and adhere to the College s policy and procedures. I. Employees hired to be involved with credit card processing require a background check as a condition of employment before hiring. This includes (but is not limited to) key roles, such as cashiers. Please refer to the Employee Handbook for the College's policy regarding background and credit checks. Should you become aware cardholder data has been compromised, you must follow the Compromise Incident Response Procedures as outlined in the Credit Card Processing Procedures. J. Each College unit processing credit cards will be responsible for adhering to the credit card merchants data security program. The Office of Information Security will maintain links to the various merchant s data security programs Any questions with regard to the technical specifications should be directed to the Chief Information Security Officer (CISO). K. Each campus merchant ID assigned will have at least one person subscribed to the College credit card listserv to receive updates on the credit card policy and procedures.
14 Related Policy and Procedures Credit Card Processing Policy Credit Card Processing Procedures References (College Information Systems Use) (Payment Card Industry Security Standards) (Minimum Security Standards for USG Networked Devices (Information Security) Management.pdf (USG Password Security and Composition Standard) Terms and Definitions Account Number: The unique number identifying the cardholder s account which is used in financial transactions. Campus Merchant: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the four members of PCI SSC (American Express, Discover, MasterCard or Visa) as payment for goods and/or services. Cardholder Data: Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. This data can be on paper or electronic. Cardholder Information Security Program (CISP): CISP defines a standard of due care for securing Visa cardholder data, wherever it is located. CISP compliance has been required of all entities storing, processing, or transmitting Visa cardholder data. CISO: Chief Information Security Officer Credit Card Processing: Act of storing, processing, or transmitting credit cardholder data. Data Security Standard (DSS): Data security standards mandated by American Express. E-Commerce Applications: Any internet enabled financial transaction application.
15 Employee: Any employee as defined by the GPC Human Resources Policies and Procedures. Employee in Key Roles: Any employee with the following roles concerning credit card sales: manager overseeing credit card sales, accountant for credit card sales, technical support to credit card solutions and equipment, and any other staff member with access to physically stored credit card receipts. ISO 17799: The International Standards Organization document defining computer security standards. Payment Application Data Security Standard (PA-DSS): Set of recommended practices for software vendors to create secure payment applications to help their customers comply with PCI. Payment Card Industry Data Security Standard (PCI-DSS): Set of requirements adopted by the Card Associations to protect and safe guard against cardholder data exposure and compromise. This standard is inclusive of the Visa CISP, MasterCard SDP, and American Express DSS. POS Device: Point-of-sale (POS) computer or credit card terminals either running as a standalone system or connecting to a server at Georgia Perimeter College or remotely off site. RRCS: Office of Revenue, Receivable and Cashiering Services Sensitive Cardholder data: This is defined as the account number, expiration date, CVC2/CVV2 (a three- digit number imprinted on the signature panel of the card), any sensitive authentication data subsequent to authorization, PVV (PIN Verification Value) and data stored on track 1 and track 2 of the magnetic stripe of the card. Site Data Protection Program (SDP): The formal data protection program mandated by MasterCard. The SDP Program provides acquiring members with the ability to deploy security compliance programs, ensuring that online merchants and member service providers are adequately protected against hacker intrusions and account data compromises. Web Development: The design, development, implementation and management of the user interface of the e-commerce application.
CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.
AskUGA 1 of 5 Credit/Debit Cards Responsible administrator: Senior Vice President for Finance and Administration Related Procedure: The Credit/Debit Card Processing Procedures Responsible department: Bursar's
The University of Georgia Credit/Debit Card Processing Procedures The University of Georgia currently accepts four major credit cards (MasterCard, Visa, Discover and American Express) for payment of services
NUMBER: BUSF 4.11 SECTION: Business and Finance SUBJECT: Credit/Debit Card Processing Policy DATE: November 1, 2006 Policy for: All Campuses Procedures for: All Campuses Authorized by: Rick Kelly Issued
Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
BROWN UNIVERSITY University Policy Accepting and Handling Payment Cards to Conduct University Business Table of Contents Purpose... 2 Scope... 2 Authorization... 2 Establishing a new account... 2 Policy
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry
Louisiana State University Finance and Administrative Services Operating Procedure FASOP: AS-22 CREDIT CARD MERCHANT POLICY Scope: All campuses served by Louisiana State University (LSU) Office of Accounting
USNH Payment Card Industry Data Security Standard (PCI DSS) Version 3 Administration and Department Policy Draft Revision 3/12/2013 1. Purpose. The purpose of this policy is to assist the University System
CSU, Chico Credit Card Handling Security Standard Effective Date: July 28, 2015 1.0 INTRODUCTION This standard provides guidance to ensure that credit card acceptance and ecommerce processes comply with
Credit Card Procedures and Policies Texas A&M Health Science Center offers university departments the convenience of accepting credit cards in payment for goods and services provided. All University departments
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont
UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to email@example.com when requesting a stand-alone dial up terminal. The University
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS I. Introduction, Background and Purpose This Merchant Account Agreement (the Merchant Agreement or Agreement ) is entered
Payment Card Acceptance Information and Procedure Guide (for publication on the Treasury Webpages) A companion guide to University policy 6120, Payment Card Acceptance Standards for Business Processes,
Publication Date 2009-08-11 Issued by: Financial Services Chief Information Officer Revision V 1.0 POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS Overview: There
05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of
Internal Credit/Debit Card Processing Policies and Procedures for University of Tennessee Merchants Merchant: DBA Effective: Date Reviewed: Date Revised: Date 1. General Statement 2. Point-of-Sale Processing
No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security
UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Credit Card Handling and Acceptance Policy Policy Number: C3875 Effective Date: November 8, 2006 Issuing Authority: Office of VP Business and
Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges
Office of Finance and Treasury How to Accept & Process Credit and Debit Card Transactions Procedure Related Policy Title Credit Card Processing Policy For University Merchant Locations Responsible Executive
The requirements for PCI-DSS compliance are quite numerous and at times extremely complicated due to their interdependent nature and scope. The University has deemed it necessary for those areas currently
Payment Card Industry (PCI) Policy Manual Network and Computer Services Forward This policy manual outlines acceptable use Black Hills State University (BHSU) or University herein, Information Technology
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
DELAWARE COLLEGE OF ART AND DESIGN 600 N MARKET ST WILMINGTON DELAWARE 19801 302.622.8000 INFORMATION SECURITY POLICY including Policy for Credit Card Acceptance to Conduct College Business stuff\policies\security_information_policy_with_credit_card_acceptance.doc
Merchant Card Processing Best Practices Background: The major credit card companies (VISA, MasterCard, Discover, and American Express) have published a uniform set of data security standards that ALL merchants
UNIVERSITY OF NORTH DAKOTA FINANCE & OPERATIONS POLICY LIBRARY ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS Policy 2.3, Accepting Credit Cards and Electronic Checks to Conduct
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper
New York University University Policies Title: Payment Card Industry Data Security Standard Policy Effective Date: April 11, 2012 Supersedes: N/A Issuing Authority: Executive Vice President for Finance
BROWN UNIVERSITY University Policy Accepting Credit Cards to Conduct University Business Purpose Brown University requires all departments that are involved with credit card handling to do so in compliance
Appendix 1 Payment Card Industry Data Security Standards Program PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect
Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)
Saint Louis University Merchant Card Processing Policy & Procedures Overview: Policies and procedures for processing credit card transactions and properly storing credit card data physically and electronically.
FINANCE AND TREASURY POLICIES AND PROCEDURES E071 CREDIT CARD PROCESSING & SECURITY POLICY PURPOSE The purpose of this policy is to establish guidelines for processing charges/credits on Credit Cards to
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
Credit and Debit Card Handling Policy Updated October 1, 2014 City of Parkville 8880 Clark Ave. Parkville, MO 64152 Hours: 8:00-5:00 p.m. Monday -Friday Phone Number 816-741-7676 Email: firstname.lastname@example.org
University of Virginia Credit Card Requirements The University of Virginia recognizes that e-commerce is critical for the efficient operation of the University, and in particular for collecting revenue.
Prepared by Treasury Office. This amends A8.710 dated July 2001. A8.710 April 2005 A8.700 TREASURY P 1 of 5 A8.710 Credit Card Program 1. Purpose To provide uniform procedures for the processing of credit
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements
PCI Policies 2011 Appalachian State University Table of Contents Section 1: State and Contractual Requirements Governing Campus Credit Cards A. Cash Collection Point Approval for Departments B. State Requirements
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure
Contents CISP Program Overview... 2 1. To whom does CISP apply?...2 2. What does VISA define as "cardholder data"?...2 3. What if a merchant or service provider does not store Visa cardholder data?...2
SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES POLICY STATEMENT Introduction Some San Diego State University Research Foundation
Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that
Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These
GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY PURPOSE The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identify theft
Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities
Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary
BUSINESS POLICY TO: All Members of the University Community 2012:12 DATE: April 2012 CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05) Contents Section 1 Policy Statement... 2 Section
Andrews University Payment Card Acceptance Policies & Procedures Prepared by Financial Administration July 12, 2011 Part I: Introduction of Policy and Purpose Formatted: Font: 12 pt In order to protect
Credit Card Processing and Security Policy Policy Number: Reserved for future use Responsible Official: Vice President of Administration and Finance Responsible Office: Student Account Services Effective
Vanderbilt University Payment Card Processing and PCI Compliance Policy and Procedures Manual PCI Compliance Office Information Technology Treasury VUMC Finance Table of Contents Policy... 2 I. Purpose...
Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance
Payment Card Industry Data Security Standards Compliance Please turn off, or to vibrate, all cell-phones/electronics Expected course length: 1 Hour Questions are welcomed. Who Created It? & What Is It?
ï» Clark University's PCI Compliance Policy Who Should Read this Policy: All persons who have access to credit card information, including: Every employee that accesses handles or maintains credit card
University of Oxford Finance Division FINANCIAL POLICY 2.1.2 CARDHOLDER DATA SECURITY Date: 21 March 2013 Version: 2.1.2 Status: Approved Author: Simon Blee Bridget Midwinter TABLE OF CONTENTS Page EXECUTIVE
Page 1 SECTION 509: Payment Card and Electronic Funds Transfer (EFT) Procedures SOURCE: NDSU President NDSU VP for Finance and Administration NDSU VP for Information Technology It is the University s responsibility
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals Electronic Cardholder
Emory University & Emory Healthcare Payment Card Processing and Compliance Policy and Procedures Manual Office of Cash and Debt Management Mailstop 1599-001-1AE 1599 Clifton Road, 3 rd Floor Atlanta, GA
Welcome Kit Table of Contents Important Account Information... Welcome to TouchSuite Merchant Services... Help Desk Card Enclosed... Your Merchant ID (MID)... 3 3 3 3 Customer Support Numbers... 4 Card
A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) The mandatory guide for storing, processing or transmitting cardholder information Overview and applicability Any application
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
PCI-DSS: A Step-by-Step Payment Card Security Approach Amy Mushahwar & Mason Weisz The PCI-DSS in a Nutshell It mandates security processes for handling, processing, storing and transmitting payment card
McGill Merchant Manual The McGill Merchant Manual is a complementary document to the Merchant (PCI) Policy and Procedures and serves to aid Merchants in ensuring their operations comply with Payment Card
APPROVED BY Ronald J. Paprocki I. Policy Statement Any office of the University that processes credit card transactions may do so only in the manner approved by the University Treasury Office and in compliance
Fall Conference November 19 21, 2013 Merchant Card Processing Overview Agenda Industry Definition Process Flows Processing Costs Chargeback's Payment Card Industry (PCI) Guidelines for Convenience Fees