



Credit/Debit Card Acceptance Practice
Owner: Finance and Fiscal Services
Effective Date: June 30, 2011
Impacts: Activities that accept credit cards as payment

Purpose

The Alamo Colleges District has adopted the following practice and supporting procedures for all types of credit card activity transacted in person, over the phone, via fax, mail or the Internet. The purpose of this practice is to protect the interests of the college district and its customers by establishing strong internal business controls and standard revenue collection methods. This outline provides guidance so that the processes for accepting credit/debit card payments comply with the Payment Card Industry Data Security Standards (PCI DSS) and are appropriately integrated with the financial and other systems. In addition, adherence to this practice will ensure compliance with federal, state and local laws related to the protection of credit/debit card information and other personal identifying information.

Alamo Colleges has contracted with a third-party vendor whose core business includes the support and processing of credit card and electronic transactions. The vendor provides the District with a secure gateway and hosted solution in which all electronic personal payment information is securely transmitted to and stored on off-site computers that the company owns and maintains. The vendor maintains PCI DSS compliance certification. This relationship enables the Alamo Colleges to provide a secure infrastructure for the acceptance of electronic payments.

Applicability

Any Alamo Colleges employee, contractor or agent who, in the course of doing business on behalf of the District, is involved in the acceptance of credit card and electronic payments is subject to this practice. Failure to comply with the terms of this practice may expose the department and/or the District to financial losses and/or legal liabilities.

Statement

Any department desiring to collect revenue (through credit cards or checks) on behalf of the District for goods or services must utilize the secure web-based storefront. Marketplace is the District's preferred web-based application for the electronic collection of revenue. This application can accommodate receipt of checks and credit cards (MasterCard, Visa, American Express, and Discover) in a secure environment that is maintained by the third-party provider referenced in the Purpose section.

REFUNDING

When a credit card payment is processed at Alamo Colleges and a refund is due, the following occurs:

1. All students are requested to create an electronic refunding profile online through their ACES account.
2. When a refund is due to overpayment and/or dropping of a course (or courses), the preferred refund method is an electronic transfer to your checking or savings account; the alternate method is to print a check.
3. If funds need to be returned to the credit card, the cardholder will need to advise the District Business Office at 210-485-0359; otherwise the acceptable process will be as described in step 2 above.

Responsibilities of a Merchant Department

Merchant Department: A Merchant Department is the department designated as the primary representative for revenue collections.

VBO: The Virtual Business Office (VBO) offers safe, convenient and secure online services for students, staff and faculty, as well as the surrounding community. The VBO offers the Market Place Mall, an online system that allows products, services, or fees to be purchased online with a credit card or personal check at any Alamo College or from the comfort of your home.

Merchant Departments are designated as the District's college Business Offices. The following responsibilities are an important aspect of the District's compliance with the PCI Data Standards. All credit card payment transactions will be taken using the VBO or as a walk-up to one of the colleges' Business Offices.

1. Follow the Card Acceptance Guide (or similar rules) of the merchant processor/acquirer (e.g., Global Payments) and the operating regulations and rules of any card associations/networks that will be accepted by the Merchant Department (e.g., MasterCard, Visa, etc.).
2. Ensure that all employees, including the MDR, contractors and agents with access to payment card data complete compliance training on an annual basis.

3. Revenue collection arrangements that require payees to enter credit card numbers on preprinted order forms which are then mailed to a District department are not allowed.
4. Ensure that all credit card data collected, regardless of how it is stored (physically or electronically, including but not limited to account numbers, card imprints, and Terminal Identification Numbers), is secured. Data is considered to be secured only if the following criteria are met:
   - Only those with a need to know are granted access to credit card and electronic payment data.
   - Email is not used to transmit credit card payment information. If the use of email is necessary, only the last four digits of the credit card number are displayed.
   - No photocopies of credit cards are accepted.
   - Credit card or electronic payment information is never downloaded onto any portable devices such as USB flash drives, compact disks, laptop computers or personal digital assistants.
   - Fax transmissions (both sending and receiving) of credit card and electronic payment information are limited to those fax machines whose access is restricted to authorized individuals. The transactions must be processed immediately and the documents must be shredded.
   - The processing and storage of personally identifiable credit card or electronic payment information on District computers and servers is prohibited. Exceptions can only be made if the processing and storage methods are compliant.
   - Only secure communication protocols and/or encrypted connections are used during the processing of electronic transactions.
   - The three-digit card validation code printed on the signature panel of a credit card is never stored in any form.
   - All but the last four digits of any credit card account number are masked if credit card data is displayed.
   - All credit card and electronic payment data that is no longer deemed necessary or appropriate to store is destroyed or rendered unreadable.
   - All discovered instances of a full credit card number, bank account number, or social security number must be reported to the Chief Bursar and the Information Security Technology Office and remedied immediately.
5. No credit card receipt or other document referencing the transaction shall include more than the last four digits of the account number or the month and year of the expiration date. No District employee, contractor or agent who obtains access to credit card or other personal payment information may sell, purchase, provide, or exchange said information in any form to any third party other than to the District's acquiring bank, depository bank, Visa, MasterCard or other credit card company, or pursuant to a government request. All requests to provide information to any outside party must be reviewed and approved in advance by the Associate Vice Chancellor or their designee.

Process to become a Merchant Department

The MDR or his/her designee must follow the steps below in order to request approval to obtain a merchant number and/or to become a Merchant Department.

1. Notify the Chief Bursar in Finance and Fiscal Services of a need to accept credit cards and/or electronic payments by presenting a formal request to become a Merchant Department.
2. The final approval request should come from the division Department Head. It is the responsibility of the Department Head to approve the business case and all other information provided in the request.
3. The official request should be submitted to the Chief Bursar for review and approval by the Associate Vice Chancellor.
4. If the request is approved, the Chief Bursar will coordinate the District Web Services design of a new Marketplace storefront for the Department. The requesting Department should allow sufficient time for this process to be completed.
5. The Chief Bursar will arrange the necessary training for the Department, as well as any additional information pertinent to the approved payment method.

Third Party Vendors

Scope of the Third Party Vendor: There are limited services not offered by Alamo Colleges, i.e. food service, bookstore, vending machines and ATMs. Therefore, occasionally Alamo Colleges releases an RFP where outside vendors will provide a service for Alamo Colleges within the Alamo Colleges premises.

Responsibilities of the Third Party Vendor: Third Party vendors are not Alamo Colleges employees. These vendors may offer services where credit card payments are accepted. The services are offered on the vendors' own behalf and not on behalf of Alamo Colleges. These vendors service our customers under an agreed-upon contract.
All transactions (including electronic-based transactions) that involve the transfer of credit card data must be performed on systems approved by the Alamo Colleges Information Technology department. The contract will require the contracting vendor to supply Alamo Colleges with an annual document/certificate indicating PCI compliance. Failure to submit said document could cause a rejection of its contract. If a Third Party Vendor should experience or even suspect a breach of security, the vendor should contact the Associate Vice Chancellor and the IT Security Incident Response Protocol contacts within one business day of the identified breach.

Process for Responding to a Security Breach

Security breaches can result in serious consequences for the District, including release of confidential information, damage to reputation, added compliance costs, the assessment of substantial fines, possible legal liability and the potential loss of the ability to accept credit card and electronic payments. In the event of a breach or suspected breach of security:

1. Contact the Associate Vice Chancellor and the Incident Coordination Team (ICT). ICT will provide further instructions, which will include measures to preserve electronic evidence.
2. ICT will facilitate a Crisis Response Plan to isolate, investigate, document and remediate the situation in partnership with the Associate Vice Chancellor or designee.
3. All investigations and collection of evidence will be done by ICT. To prevent alteration of the compromised system or systems, Information Security asks the MDR to follow the requests below:
   - Do not switch off the compromised machine.
   - Do not attempt to isolate the compromised system(s) from the network by unplugging the network connection cable.
   - Do not log on to the machine and/or change passwords.
   - Be on HIGH alert, monitor all electronic applications, and report suspicious activity to Information Security.
4. The Associate Vice Chancellor or designee shall alert the merchant bank, the payment card associations and the Alamo Colleges Police Department. The Associate Vice Chancellor shall report the suspected breach to the Vice Chancellor, who will in turn take the appropriate actions to alert the Chancellor.
5. Where an actual breach of credit card data is confirmed, the Associate Vice Chancellor, along with ICT, will ensure that compromised credit card account information is securely sent to the appropriate credit card associations and credit reporting agencies.

6. Within 24 hours of the breach, the Associate Vice Chancellor, with assistance from the relevant MDR, shall provide the affected credit card associations with proof of PCI compliance.
7. Within 4 business days of the breach, the Associate Vice Chancellor, with assistance from the relevant MDR, shall provide the affected credit card associations with an incident report.
8. At the relevant credit card associations' request and depending on the level of risk and data elements compromised, the District may, within 4 business days of the event:
   - Arrange for a network and system vulnerability scan.
   - Complete a compliance questionnaire and submit it to the relevant card association(s).
9. In the event that personal data is exposed, per the Alamo Colleges IT Security Incident Response Protocol, the District will provide notification to any resident of Texas and any data owner whose personal identifying information was or is reasonably believed to have been acquired without authorization.

Ongoing Management

Alamo Colleges may make modifications from time to time as required, provided that all modifications are consistent with the Payment Card Industry Data Security Standards then in effect. The Associate Vice Chancellor, along with Information Technology and the District Business Office, is responsible for initiating and overseeing an annual review of this Practice, making revisions and updates, and ensuring that the updated practice has received the appropriate approvals. The revised practice will be distributed to the Merchant Departments.

References

Links to Global Payments, MasterCard and Visa are provided for reference:
- Global Payments Card Acceptance: http://www.globalpaymentsinc.com/myglobal/cag.html
- MasterCard Worldwide Rules and Chargeback: http://www.mastercard.com/us/merchant/support/rules.html
- Visa Merchant Responsibility and Card Acceptance Guide: http://usa.visa.com/merchants/new_acceptance/merchant_responsibility.html

Relevant Statutes: Sections 35.60, 72.004 and 502.002 of the Texas Business & Commercial Code
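Two of the Merchant Department responsibilities above can be checked mechanically: item 4 requires that any discovered full card number be reported and remedied, and items 4 and 5 require that no more than the last four digits ever be displayed or printed. The following Python helper is an added example, not part of the Alamo Colleges practice or of its payment vendor's tooling. It finds candidate card numbers (13 to 19 digits, optionally separated by spaces or dashes), confirms them with the Luhn check that payment card numbers carry, and rewrites each one in the masked last-four form. The sample lines, function names and layout are constructed for illustration; the card numbers in them are the widely published industry test numbers, not real accounts.

```python
"""PAN discovery and masking helper (added example; not part of the Alamo Colleges
practice). Implements two rules from the Merchant Department responsibilities:
(a) a discovered full card number must be reported, and (b) only the last four
digits may ever be shown. Sample data below is constructed for this example."""
import re
from typing import List, Tuple

# A candidate PAN is 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as the practice requires on receipts and displays."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, digits) for each substring that is a Luhn-valid full PAN."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace every discovered PAN with its masked form; also return how many were found."""
    hits = find_pans(text)
    pieces, last = [], 0
    for start, end, digits in hits:
        pieces.append(text[last:start])
        pieces.append(mask_pan(digits))
        last = end
    pieces.append(text[last:])
    return "".join(pieces), len(hits)


# Constructed sample: rows such as a departmental spreadsheet export might contain.
# Industry test numbers are used; "1234567890123456" fails Luhn and stands in for a
# 16-digit non-card identifier that a naive digit-count scan would misreport.
SAMPLE_LINES = [
    "2024-03-01,registration,4111 1111 1111 1111,12/27,J. Doe",  # full PAN: report
    "2024-03-01,bookstore,************4444,09/26,A. Roe",          # already masked: fine
    "2024-03-02,student_id,1234567890123456,,B. Poe",              # not a PAN
    "2024-03-02,refund,5555-5555-5555-4444,11/25,C. Moe",          # dashed PAN: report
]


def scan_lines(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Return (line_number, pan_count, redacted_line) for every line holding a full PAN."""
    findings = []
    for n, line in enumerate(lines, start=1):
        redacted, count = redact_pans(line)
        if count:
            findings.append((n, count, redacted))
    return findings


if __name__ == "__main__":
    for n, count, redacted in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {count} full PAN(s) found -> {redacted}")
```

The Luhn check is what keeps a scan like this from flooding the Chief Bursar with student IDs, tracking numbers and timestamps: a 16-digit value that fails it is not a card number. The findings list gives the reporter the line and a copy that is already safe to paste into a ticket, since the discovered number never leaves the scan in full.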