COLLEGE POLICY ON CREDIT/DEBIT CARD PAYMENT PROCESSING



Similar documents
POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

Accepting Payment Cards and ecommerce Payments

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Saint Louis University Merchant Card Processing Policy & Procedures

CAL POLY POMONA FOUNDATION. Policy for Accepting Payment (Credit) Card and Ecommerce Payments

TEXAS TECH UNIVERSITY HEALTH SCIENCES CENTER EL PASO

POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

How To Comply With The Pci Ds.S.A.S

Standards for Business Processes, Paper and Electronic Processing

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

How To Protect Your Business From A Hacker Attack

POLICY SECTION 509: Electronic Financial Transaction Procedures

Vanderbilt University

Payment Card Industry Data Security Standard

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Office of Finance and Treasury

Payment Card Industry Compliance

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

La règlementation VisaCard, MasterCard PCI-DSS

Dartmouth College Merchant Credit Card Policy for Processors

Important Info for Youth Sports Associations

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

Accounting and Administrative Manual Section 100: Accounting and Finance

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

Credit/Debit Card Processing Policy

CREDIT CARD POLICY DRAFT

WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS

Payment Card Industry Data Security Standards.

688 Sherbrooke Street West, Room 730 James Administration Building, Room 524

CSU, Chico Credit Card PCI-DSS Risk Assessment

PCI COMPLIANCE GUIDE For Merchants and Service Members

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

Viterbo University Credit Card Processing & Data Security Procedures and Policy

E-Market Policy Accepting Online Payment for Conducting University Business

PCI Overview. PCI-DSS: Payment Card Industry Data Security Standard

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

Credit Card Handling Security Standards

University of Virginia Credit Card Requirements

Information Technology

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

Self Assessment Questionnaire A Short course for online merchants

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

PC-DSS Compliance Strategies NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

AISA Sydney 15 th April 2009

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.

UCSB Credit Card Processing and PCI Compliance

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

UW Platteville Credit Card Handling Policy

Emory University & Emory Healthcare

How To Complete A Pci Ds Self Assessment Questionnaire

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

University Policy Accepting and Handling Payment Cards to Conduct University Business

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

CREDIT CARD PROCESSING POLICY AND PROCEDURES

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES

Merchant Card Processing Best Practices

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

How To Protect Visa Account Information

Fraud Protection, You and Your Bank

University of Oregon Policy Statement Development Form

University Policy Accepting Credit Cards to Conduct University Business

What credit card brands would you like to accept as payment?

Project Title slide Project: PCI. Are You At Risk?

Sensible Development. Payment integration. Date: May 2012 Version: 1.1

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Credit Card Processing and Security Policy

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Why Is Compliance with PCI DSS Important?

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

Data Security, Fraud Prevention, and Cost Control. Mike Dorland, CPP Regional Marketing Representative Michigan Retailers Association

Payment Card Acceptance Administrative Policy

FAQ s for Payment Card Processing at the University

Miami University. Payment Card Data Security Policy

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Clark University's PCI Compliance Policy

Josiah Wilkinson Internal Security Assessor. Nationwide

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES

Credit Card Processing Overview

PCI Security Compliance

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

PCI Compliance: Protection Against Data Breaches

Payment Card Industry (PCI) Data Security Standard

New York University University Policies

PCI Compliance Overview

PAYMENT GATEWAY ACCOUNT AND MERCHANT ACCOUNT SETUP FORMS

How To Ensure Account Information Security

CENTRAL WASHINGTON UNIVERSITY PAYMENT CARD SECURITY PROCEDURES

Transcription:

COLLEGE POLICY ON CREDIT/DEBIT CARD PAYMENT PROCESSING Supersedes: None Date: March 17, 2014 I. PURPOSE To establish business processes and procedures for the processing of credit/debit card payments as defined herein on behalf of New York Medical College, its departments, units, faculty, staff, students or any affiliates using the College's systems to minimize risk, protect the security of data, comply with the rules and regulations established by the Payment Card Industry and ensure that debit/credit card acceptance procedures are appropriately integrated with the College's financial system. II. POLICY It is the policy of New York Medical College to require a valid business purpose is established in advance of the processing of credit/debit card transactions and that proper authorization is obtained for acceptance of debit/credit payments in accordance with the procedures set forth in this Policy. III. SCOPE This policy applies to all forms of credit/debit card processing on behalf of the College by its departments, units, faculty, staff and students, or by affiliates using the College's systems. Credit card processing includes any payment card transaction (whether credit card, debit card, or other instrument linked to such a card) or other transmission, processing or storage of credit card data regardless of the means by which that transaction is actuated. This includes transactions initiated in-person, via the telephone or other telephonic means, in paper form, by US mail or other courier, through a terminal, kiosk, computer system, website, mobile device or any other means. This policy applies to whether the processing is performed by the College or by an outside pmiy acting as a service provider to the College. This policy applies to all College departments, units, faculty, staff, students who, in the course of doing business on behalf of the College, accept process, transmit or otherwise handle the cardholder information in physical or electronic format. This Policy applies to existing, new and changed services and applies regardless of whether revenue/expense is deposited/withdrawn in a College or departmental account. IV. DEFINITIONS Credit Card - A card issued by a financial institution giving the holder an option to borrow funds, usually at point of sale. Debit Card - A card which allows vendors to access holder funds immediately, electronically.

Payment Card Industry Data Security Standard (PCI-DSS) - A multi-faceted security standard that includes requirements for security management, policies and procedures, network architecture, software design and other critical protective measures. V. EFFECTIVE DATE This policy is effective as of the date signed below. VI. PROCEDURES A. Department 1. Before initiating any transactions or arrangements within the scope of this Policy, obtain a completed" Application To Become A Merchant Department" form that has been approved in writing by the Associate Vice President and Controller. The form is attached and incorporated hereto as Exhibit A. 2. Designated an individual within that department who shall have primary authority and responsibility for debit/credit card transaction processing, protection, storage and disposal of personal information and reporting of any security breach. 3. Obtain equipment and/or software application (e-commerce) that is PCI DSS compliant. 4. Create, maintain and update menu of services for which the department can accept payment including minimum amount per transaction. 5. Verify monthly all revenues and processing fees on the Payment Card Merchant Statement indicating department's approval and signature prior to submission to the Office of General Accounting for further processing. 6. Ensure all processing fees, including those on the monthly Payment Card Merchant Statement, will be charged against the expense account of each department. 7. Retain a copy of the fully executed vendor Agreement(s) and subsequent official documents related to terms and pricing. 8. Ensure that all payment card data collected in the course of performing College business, regardless of how the payment data is stored, is secured. Data may be physical or electronic, and includes, but is not limited to, card imprints and account numbers. 9. Annually submit to the Office of the Controller a completed PCI-DSS Self Assessment Questionnaire A or B, as applicable. Such form is available at https ://www.pcisecuritystandards.org/ security standards/ document s.php?category=saq standard 2

10. Ensure that no debit/credit information is obtained or transmitted via e mail. If it should be necessary to transmit debit/credit card information via e-mail only last four digits of the debit/credit card number can be displayed. 11. Ensure that no debit/credit card information shall be stored on individual PCs or servers that have not been deemed PCI compliant. All hard-copy debit/credit card information must be stored in a manner that would protect the individual cardholder information from misuse. 12. Hard copy debit/credit card information must not be stored for more than 24 months. 13. Ensure that access to cardholder data is restricted to authorized College personnel with a business "need to know". 14. Ensure that fax transmissions (both sending and receiving) of electronic debit/credit information occurs using only fax machines which are attended by those individuals who must have contact with payment card data to do their job. 15. Prohibit the use of vendor-supplied defaults for system passwords and other security parameters. 16. Promptly report any security breach (even perceived) first to the Payment Card Processor then to Office of the Controller, Information Technology, Office of General Counsel and Security. 17. Notify the Office of the Controller when changes occur to the most recently submitted /1 Application To Become A Merchant Department" form and complete a new form. B. Information Technology 1. Build and maintain a secure system and application through installation and maintenance of a firewall configuration. 2. Maintain a program of continuous use and regular update of anti-virus software or programs. 3. Implement strong access control measure by assigning a unique ID to each person with computer access. 4. Regularly monitor and test networks by testing security systems and processes, documenting the efforts. C. General Accounting 1. Record monthly recurring journal entry for debit/credit activities. 2. Journalize monthly debit/credit activities using as support Payment Card Merchant Statement as verified and signed by departments. 3

3. Verify that all activities submitted by the department on a monthly basis are accounted for and accurately credited in the proper general ledger account(s) and on the actual month the activities occurred. 4. Ensure that debit/credit fees per approved Payment Card Merchant Statements agree to the debit/credit fees per the bank statement retaining the documents for three (3) years. D. Office of the Controller 1. Review and approve all submissions of' Application To Become A Merchant Department' form. Originals to be retained for three (3) years after the Department's merchant number is no longer used. 2. Obtain annual documentation from all College-authorized payment processors to ensure that they are PCI-DSS compliant. 3. Obtain completed PCI-DSS Self-Assessment Questionnaires from departments annually. 4. Overall administration and oversight of the College's PCI-DSS compliance. 5. Provide advice and guidance with respect to the interpretation and administration of this policy. 6. Provide business terms, including pricing, to the Office of the General Counsel. E. Office of the General Counsel - negotiate vendor Agreement(s), to include the business terms and pricing provided by the Office of the Controller, and subsequent official documents related to terms and pricing. Maintain copies of and forward all documents. VII. POLICY RESPONSIBILITIES A. Department - maintain all records and process all transactions in accordance with this policy. B. Information Technology - provide necessary technical support for processing of debit/credit card transactions in accordance with this policy. C. Controller's Office - process applications and maintain necessary documentation to ensure compliance with this policy. D. Office of General Counsel- review and retain copies of fully executed vendor Agreement(s) and subsequent official documents related to terms and pricing. E. Vendor(s) I Payment Processor(s) 4

1. Provide a secure gateway and hosted solution in which all debit/credit card transactions and personal payment information is transmitted to and stored on off-site computers which the payment processor maintains. 2. Ensure PCI-DSS compliance. 3. Assign a unique merchant identification number to each College department that has been approved by the Controller to accept payments by debit/credit cards. 4. Provide monthly Payment Card Merchant Statements for each department accepting debit/credit cards including the Office of General Accounting. VIII. POLICY MANAGEMENT Responsible Executive: Responsible Officer: Responsible Office: Senior Vice President and Chief Financial Officer Associate Vice President and Controller Office of the Controller Approved: t;, J/J- Edward C. Halperin, M.D., M.A. Chancellor for Health Affairs and Chief Executive Officer Date 5

Exhibit A APPLICATION TO BECOME A MERCHANT DEPARTMENT Application Date: Name: Title: School/Division: Department: Email: Extension: Fax: Describe the goods, services and/or gifts for which you will receive payments. Please be specific: Is this an existing or new source of revenue? Provide the Account Number where funds will be deposited: I I I - I I I I I - I I I I. I Provide the Account Number where processing fees will be charged: I I I - I I I I I - I I I I. I I 6

What benefits do you expect to gain by accepting debit/credit cards? Please quantify and/or provide additional documentation to support this application. Describe the frequency of payments. Is this a one-time event? Are payments for seasonal or year-round activity? Provide detailed timeframes. Will debit/credit be the sole method of payment? If not, what other methods of payment do you anticipate accepting for this specific purpose? How do you plan to process these payments? (Check all that apply) Din-person (card present) 0Mail/phone/fax order* 0Internet *Note: Payment card data should never be transmitted via email correspondence. Faxes must be secured. If you are planning to accept payments via the Internet, do you have a College webpage for this purpose? If so, please provide the URL: Please indicate the estimated annual dollar volume and number of transactions for each applicable debit/credit card acceptance process: In-person $ # transactions Mail/phone/fax order $ # transactions Internet $ # transactions Who will be the Department Responsible Person? The Department Responsible Person is responsible for managing debit/credit card and/or ecommerce transaction processing including protection, storage and disposal of personal information and reporting of any security breach. Include name, job title and phone extension and describe duties. 7

Please identify any additional staff who will be involved in processing payments. Include name, job title and phone extension and describe duties. Will any other departments, software packages or outside vendors be involved in the processing of payments? If so, please identify all parties and describe their roles and responsibilities. Signatures: Name Department Responsible Person Name Department Head Name Associate Vice President and Controller By signing this form, the Department Responsible Person acknowledges that he/she understands his/her role and accepts the responsibility of that role. By signing this form, the Associate Vice President and Controller approves of the business case presented for the department to become a Merchant Department, the account numbers provided and designated Department Responsible Person. 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information