BUSINESS POLICY. TO: All Members of the University Community 2012:12. CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05)




BUSINESS POLICY
TO: All Members of the University Community
2012:12
DATE: April 2012
CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05)

Contents
Section 1 Policy Statement
Section 2 Scope
Section 3 Definitions
Section 4 Responsibilities
  Director of Business Operations
  Information Technology Systems (ITS)
  Heads of departments and activities
Section 5 Compliance
Section 6 Other Related Policies

Section 1 Scope

This policy applies to all Ferris State University faculty, staff, students, organizations and individuals who, on behalf of the University, handle electronic or paper documents associated with credit or debit card receipt transactions or accept payments in the form of credit or debit cards. The scope includes any credit or debit card activities conducted at all Ferris State University campuses and locations.

Section 2 Policy Statement

University departments may accept credit and debit cards as a form of payment for goods and services provided, after receiving advance written approval from the Director of Business Operations in accordance with the Billing, Receipt Handling and Deposits Policy and following the objectives set forth in this policy.

Departments that need to accept credit/debit cards and obtain a physical terminal to either swipe or key transactions through a data capture machine must contact the Director of Business Operations and complete the required paperwork to obtain a merchant number (see Attachment A). Departments wishing to engage in electronic commerce should use TouchNet's electronic payment gateway. Requests should be directed to the Director of Business Operations, and Attachment A should be completed and filed with Business Operations to obtain a merchant number. When a department applies, there will be a discussion to determine the best option for the area.

This policy addresses the Payment Card Industry (PCI) Security Standards that are contractually imposed by VISA and MasterCard on merchants who accept these cards as forms of payment. The policy covers the following specific areas of the PCI Security Standards related to cardholder data: collecting, processing, transmitting, storing and disposing of cardholder data. Procedures must be documented by authorized departments and be available for periodic review.

Departments seeking final authorization must ensure that the following objectives are met:

1. Access to cardholder data collected is restricted to those users who need it to perform their jobs.
2. Cardholder data, whether collected on paper or electronically, is protected against unauthorized access.

3. All equipment used to collect data is secured against unauthorized use in accordance with the PCI Data Security Standard.
4. Physical security controls are in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets where the equipment or documents containing cardholder data are stored.
5. Cardholder data is not processed, stored or transmitted using the University's network unless the PCI Compliance Officer and IT have verified that the technical controls, including firewalls and encryption, are in accordance with the PCI Data Security Standard.
6. Cardholder data is not to be sent via end-user messaging technologies (e-mail, text message, instant messenger, etc.).
7. Databases do not store the credit/debit card number, the full contents of any track from the magnetic stripe, or the card-validation code. Reports must mask the card number to the first six or last four digits only.
8. Portable electronic media devices should not be used to store cardholder data. These devices include, but are not limited to, laptops, compact disks, floppy disks, USB flash drives, personal digital assistants, and portable external hard drives.
9. Cardholder data is deleted or destroyed before it is disposed of. Paper documents should be cross-cut shredded and destroyed when no longer needed for business or legal reasons, in accordance with the University Records Management Policy. Computer drives must be erased, degaussed, or physically destroyed in accordance with the University's Information Security Guidelines referenced within the Information Security Policy.
10. Credit card terminals are physically secured and batched/transmitted on a daily basis.
11. In the event of a compromise of customer credit card numbers or of a card processing device, departments will notify the Director of Business Operations immediately, who will then report the incident to appropriate law enforcement, the merchant bank, the cardholder and the various card associations as needed.

Section 3 Definitions

Cardholder: The individual to whom a credit card or debit card has been issued, or the individual authorized to use the card.

Cardholder data: All personally identifiable data about the cardholder gathered as a direct result of a credit or debit card transaction (e.g. account number, expiration date, etc.).

Card-validation code: The three-digit value printed on the signature panel of a payment card, used to verify card-not-present transactions. On a MasterCard payment card this is called CVC2; on a Visa payment card it is called CVV2.

Credit or Debit Card Receipt Transactions: Any collection of cardholder data to be used in a financial transaction, whether by facsimile, paper, card presentation or electronic means.

Database: A structured electronic format for organizing and maintaining information so that it can be easily retrieved. Simple examples of databases are tables or spreadsheets.

Encryption: The process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key. Use of encryption protects information from unauthorized disclosure between the encryption process and the decryption process (the inverse of encryption).

Firewall: Hardware and/or software that protects the resources of one network from users on other networks. Typically, an enterprise with an intranet that allows its workers access to the wider Internet must have a firewall to prevent outsiders from accessing its private data resources.

Magnetic Stripe Data (Track Data): Data encoded in the magnetic stripe and used for authorization during a card-present transaction.

Network: Two or more computers connected to each other so that they can share resources.

PCI: The Payment Card Industry Standard is the result of collaboration between the four major credit card brands to develop a single approach to safeguarding sensitive data. The PCI standard defines a series of best practices for handling, transmitting and storing sensitive data.

Section 4 Responsibilities

Director of Business Operations

The Director of Business Operations or designee is responsible for the periodic review of departmental procedures and practices in connection with credit and debit card receipt transactions. Results will be reported to the Associate Vice President for Finance. All issues of non-compliance will be reported immediately to the Associate Vice President for Finance.

Information Technology Systems (ITS)

The Information Technology Systems Office is responsible for regularly monitoring and testing the Ferris network. ITS will cooperate with the PCI Compliance Officer to ensure the University's compliance with the PCI Standard technical requirements and will verify the security controls of systems authorized to process credit cards.

Heads of departments and activities

Department heads are responsible for documenting departmental procedures and for ensuring that credit and debit card activities are in compliance with this policy. Departments will potentially be responsible for any fines levied against the University that result from noncompliance by the department.

Section 5 Compliance

The Vice President for Administration and Finance and/or the Associate Vice President for Finance will terminate credit and debit card collection privileges for any department not in compliance with this policy. Failure to meet the requirements outlined in this policy will result in suspension of physical and/or electronic payment capability for the affected departments. Additionally, fines may be imposed by the affected credit card company, beginning at $500,000 for the first violation, from each card company. Persons in violation of this policy are subject to the full range of sanctions, up to and including termination. Some violations may constitute criminal offenses under local, state and federal laws. The University will report such violations to the Vice President for Administration and Finance and/or the Associate Vice President for Finance.

Section 6 Other Related Policies

Billing, Receipt Handling and Deposits Policy; Consolidated Billing Policy; Information Security Policy; Proper Use of Information Resources, Information Technology, and Networks Policy.

Jerry L. Scoby
Vice President for Administration and Finance
Contact Office: Associate VP for Finance
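As an added illustration of Objective 7 (reports may show a card number only as its first six or last four digits), here is a Python masking routine together with a check a department could run over a report extract before the Director of Business Operations' periodic review. This is example code, not part of the policy and not Ferris State's or TouchNet's tooling. The report lines are constructed for the example and the card numbers in them are published brand test numbers; the 13-to-19-digit length range and the Luhn check used to recognize a card number are common detection heuristics assumed here, since the policy itself does not say how a card number is identified.

```python
"""Added example, not part of the Ferris State policy or its tooling.

Illustrates Objective 7: a masking routine that shows at most the first six
and last four digits of a card number, and a scan that flags unmasked card
numbers in report text so a department can verify its reports before review.
"""
import re
from typing import List, Tuple

# Candidate card number: 13 to 19 digits, optionally separated by single
# spaces or dashes, not embedded in a longer digit run. The length range and
# the Luhn check below are common PAN-detection heuristics assumed for this
# example; the policy itself does not specify how a card number is recognized.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn check used by card brands.

    Filters out order numbers, phone numbers and other long digit runs.
    """
    total = 0
    for index, ch in enumerate(reversed(digits)):
        d = int(ch)
        if index % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9              # equivalent to summing the two digits
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a card number, keeping at most the first six and last four digits.

    The defaults show only the last four; keep_first=6 gives the widest
    display Objective 7 permits. Anything beyond those limits is refused.
    """
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("policy permits at most first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    head = digits[:keep_first]
    tail = digits[len(digits) - keep_last:] if keep_last else ""
    return head + "*" * (len(digits) - keep_first - keep_last) + tail


def find_unmasked_pans(report_text: str) -> List[Tuple[int, str]]:
    """Return (line number, matched text) for each Luhn-valid PAN in a report.

    Already-masked values such as ************4444 contain too few digits to
    match the candidate pattern and are therefore not reported.
    """
    findings = []
    for line_no, line in enumerate(report_text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            if luhn_valid(re.sub(r"\D", "", match.group(0))):
                findings.append((line_no, match.group(0)))
    return findings


def redact_report(report_text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form."""
    def _mask(match: "re.Match[str]") -> str:
        raw = match.group(0)
        if luhn_valid(re.sub(r"\D", "", raw)):
            return mask_pan(raw)
        return raw                  # a long number that is not a card number
    return PAN_CANDIDATE.sub(_mask, report_text)


# Constructed report extract. The card numbers are published brand test
# numbers, not real accounts; line 3 is a Luhn-invalid digit run that must
# not be flagged.
SAMPLE_REPORT = """order=10021 card=4111 1111 1111 1111 amount=45.00
order=10022 card=************4444 amount=12.50
order=10023 ref=1234567890123456 note=not a card number
order=10024 card=5555555555554444 amount=99.99"""


if __name__ == "__main__":
    for line_no, pan in find_unmasked_pans(SAMPLE_REPORT):
        print(f"line {line_no}: unmasked card number {pan!r}")
    print(redact_report(SAMPLE_REPORT))
```

Running the block reports lines 1 and 4 of the constructed extract as unmasked and leaves the already-masked line 2 and the non-card digit run on line 3 untouched. The masking function refuses any request to reveal more than the first six and last four digits, so a report generator that calls it cannot drift outside what Objective 7 allows.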