UW Platteville Credit Card Handling Policy




Issued: December 2011
Revision History: November 7, 2013; July 11, 2014; November 1, 2014; August 24, 2015

Overview:
In order for UW Platteville to accept credit card payments, it is bound by contracts with the corresponding payment card companies. The payment card brands and government agencies have developed comprehensive, thorough and rigorous data security requirements, including the Payment Card Industry Data Security Standard (PCI DSS), the Fair and Accurate Credit Transactions Act (FACTA) and the Payment Application Data Security Standard (PA DSS). In order to continue to accept credit card payments, UW Platteville must prove and maintain compliance with these standards. A security breach of credit card data attributable to UW Platteville jeopardizes the institution's ability to continue to conduct card transactions, potentially costing the institution a great deal of revenue. The contracts also allow the card companies to levy fines, as a condition of continuing to do business with them, should a breach occur.

Statement of Procedure:
It is the intent of UW Platteville to reduce institutional risk associated with the administration of merchant cards through the establishment and adoption of standard payment systems and clear assignment of responsibility. This procedure is intended to provide campus departments and recognized student organizations with compliant, reliable and supportable methods for securely and conveniently accepting credit card payments. This reduces risk to the individuals who entrust credit card information to UW Platteville and UW Platteville affiliated entities for transactions.

Definitions:
Merchant: Any department or recognized student organization that accepts credit cards or utilizes third-party software credit card processing on behalf of the university.

Operating Principles:
The following operating principles and responsibilities must be followed by departments, recognized student organizations and university employees when accepting credit card information in order to process payments for services, purchases, registration, etc.
1. All merchant sites, including hosted sites, must be authorized by the UW Platteville Controller's Office. See Application and Service Level Agreement (SLA). SLAs must be renewed annually.
2. All merchant card services offered by the University must be delivered using software, systems and procedures that are compliant with applicable standards.
3. UW Platteville will pre-authorize e-Payment services for use by UW Platteville units (see the list of pre-authorized e-Payment services).
4. There should be a certain level of uniformity and branding in the look and feel of UW Platteville storefronts, as indicated in the campus web policy, except where the vendor dictates otherwise. This uniformity not only gives institutional identity to UW Platteville but also helps customers tell a genuine UW Platteville payment page from a phishing page that imitates one.
5. Units must coordinate the delivery of goods and services with the timing of charging e-Payments to customers, as defined in the credit card operating regulations.
6. The unit selling the goods or services must develop processes for handling credit card and bank account information provided by customers on paper in a safe way. Paper documents showing this information must be cross-cut shredded. Documents should be retained only for the period specified in the appropriate record retention schedule (see the Retention Schedule).
7. UW Platteville units must reconcile e-Payments with the goods and services provided and with the funds deposited by the e-Payment processor into University bank accounts and into the Shared Financial System ledger. These reconciliations should be performed with appropriate separation of duties.
Credit Card Merchant (Department/Recognized Student Organization) Responsibilities (agreed to in SLA):
Requirements associated with this policy apply to departments, recognized student organizations and university employees that accept credit card information.

Credit Card Merchant Numbers
a) All credit card merchant sites, including hosted sites, must be established through the Controller's Office. Departments and recognized student organizations are prohibited from obtaining merchant ID numbers directly from the credit card companies or setting up hosted sites without approval from the Controller's Office. Departments and recognized student organizations must notify the Controller's Office of software upgrades in a timely manner prior to the upgrade. Personnel and equipment changes related to credit card processing must be communicated within 5 business days of the change.
b) Each campus merchant site must identify a current contact person for the Controller's Office.

Credit Card Transaction Channels
c) Credit card information can only be accepted through a UW Platteville authorized web application, by mail, in person or by telephone (on a secure line, not Voice over Internet Protocol (VoIP) or mobile).
d) Credit card information cannot be accepted via e-mail and must never be e-mailed from the department or recognized student organization. Credit card information must not be photocopied.
e) Any processing of credit card transactions must be done on a PCI compliant workstation.
f) Without approval from the Controller's Office, departments and recognized student organizations are not permitted to locally or remotely transmit, process or store credit card information on UW Platteville or personal computer systems, mobile devices, fax machines, the Internet, e-mail, e-messaging or any removable electronic storage (USB memory stick, hard drive, zip disk, etc.), not even if encrypted.

Credit Card Information Storage
g) Without approval from the Controller's Office, credit card merchants cannot store credit card information on a local computer or server.
h) Under no circumstances may the Card Identification Number (CID) be stored electronically. If collected on paper, the CID must be destroyed securely immediately after processing. The CID is the three-digit security code printed on the back of the card (four digits on the front of an American Express card); it is also referred to as the CVC2 or CVV2.
i) While waiting to be processed, paper records of the transaction containing credit card information must be stored in a locked room or file cabinet. Access to the storage area(s) must be limited to authorized personnel only.
j) Paper records containing credit card data must be securely destroyed at the earliest possible date consistent with the relevant data retention schedules.

Credit Card Receipts
k) Credit card receipts that go to the customer may only show the last four digits of the credit card number. The credit card expiration date should also not appear on the receipt.
l) Retain the original receipts, which show the last four digits of the credit card number, for all transactions, and any original signed documentation, in a secure location for a minimum of 12 months, as required by the University of Wisconsin System Fiscal and Accounting General Records Schedule.

Fees, Reconciliations, Refunds & Disputes
m) Departments and recognized student organizations are responsible for all credit card processing fees. Departments and recognized student organizations may choose to charge a convenience fee to cover the actual amount incurred, if allowed by the credit card brand and method of acceptance.
n) Departments and recognized student organizations are responsible for the cost of equipment required to process transactions within the university credit card environment. The cost of credit card compliance will be allocated to the respective departments and recognized student organizations. Departments and recognized student organizations will return the equipment to the appropriate office (Controller's Office for readers, ITS for computer equipment) for proper disposal when such equipment is no longer needed.
o) Reconciliation of credit card merchant activity must be performed at least monthly. Reconciliations will be subject to audit.
p) There must be adequate separation of duties between any person authorized to issue a refund and the individual reconciling the account.
q) Refunds must be credited to the same credit card account from which the original purchase was made.
r) Each department and recognized student organization is responsible for following up on and resolving disputed transactions, in conjunction with the Controller's Office.
s) Each department and recognized student organization is responsible for ensuring the timely remittance of credit card receipts to UW Platteville by hosted sites.

Annual Self Assessment & Network Scan
t) Each department and recognized student organization processing merchant cards must complete an annual risk/security questionnaire/self-assessment, subject to audit. As part of this self-assessment, the Merchant must verify that all third-party payment application software, service providers and gateways that store, process or transmit cardholder data as part of an authorization or settlement are compliant with applicable payment card requirements. This verification can be performed by:
   Application software: determining whether the application software is listed among the Validated Payment Applications on the PCI website with a non-expired validation date [https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php];
   Service providers/gateways: determining whether the service provider/gateway is listed on the Visa Global Registry of Service Providers, PCI DSS Validated Entities, with a non-expired date [http://usa.visa.com/download/merchants/cisp list of pcidss compliant service providers.pdf].
   In addition to the annual questionnaire, the merchant must complete a Self-Assessment Questionnaire (SAQ) any time a credit card related system or process changes. Once completed, the questionnaire must be sent to the Controller's Office for tracking and distribution. The Controller's Office will then send the questionnaire to Internal Audit and the UW Platteville Information Security Officer for follow-up.
u) For all third-party vendors, the Merchant must request written acknowledgement that the service providers are responsible for the security of the cardholder data that they possess.
v) Credit card numbers should not be stored electronically. Departments and recognized student organizations should work with UW Platteville Information Security to ensure that no credit card numbers are stored electronically.
w) Departments and recognized student organizations must work to resolve exceptions identified on the annual risk/security questionnaire/self-assessment. Departments and recognized student organizations should work with UW Platteville Information Security to address any exceptions pertaining to technology or electronic storage. Consult with Internal Audit as needed.
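Items k) and v) above both come down to the same check: no full card number may appear on a customer receipt, and none may sit in a file, spreadsheet or report export on a campus computer. The following is an added example, not part of the UW Platteville policy or of any campus tool. It is a small Python scanner that finds candidate primary account numbers (PANs) in text by pattern and Luhn checksum, and a masking function that reduces a PAN to its last four digits as item k) requires. The sample report lines are constructed for this example; the two card numbers in them are the publicly documented Visa and Mastercard test numbers. A Luhn match is a checksum, not proof of a live card, so hits from a real scan still need a person to confirm them before anything is deleted.

```python
"""Find and mask primary account numbers (PANs) in text.

Added example, not part of the UW Platteville policy. A Luhn checksum
match is a strong hint, not proof: review hits before acting on them.
"""
import re
from typing import List, Tuple

# A candidate PAN is 13 to 19 digits, optionally separated by single
# spaces or dashes, and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    digits = _digits_only(candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pan_digits) for every Luhn-valid candidate."""
    hits: List[Tuple[int, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            if _is_pan(m.group(0)):
                hits.append((line_no, _digits_only(m.group(0))))
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as item k) requires for receipts."""
    digits = _digits_only(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid candidate in text with its masked form."""
    return _CANDIDATE.sub(
        lambda m: mask_pan(m.group(0)) if _is_pan(m.group(0)) else m.group(0),
        text,
    )


# Constructed sample report. The two card numbers are the public Visa and
# Mastercard test numbers; the 16-digit order reference fails the Luhn check
# and the phone number is too short, so neither is reported.
SAMPLE_REPORT = """\
Order 1001 paid with 4111 1111 1111 1111 exp 12/27
Order 1002 paid with 5555-5555-5555-4444
Customer phone 608-555-0123 order ref 1234567890123456
Order 1003 paid with ************1111
"""


if __name__ == "__main__":
    for line_no, pan in find_pans(SAMPLE_REPORT):
        print(f"line {line_no}: full PAN present, masked form {mask_pan(pan)}")
    print(redact(SAMPLE_REPORT))
```

Run against the constructed report, `find_pans` flags lines 1 and 2 only, and `redact` rewrites them to show just the last four digits while leaving the phone number and the non-Luhn order reference untouched. Pointing `find_pans` at exported reports or a shared drive is one concrete way a department can satisfy the "ensure that no credit card numbers are stored electronically" part of item v).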
Employees Handling Credit Card Information
x) All employees handling cardholder data, their supervisors, and others identified by the Controller's Office should sign a Confidentiality Acknowledgement form. The form should be the campus-wide form used by all departments.
y) All employees handling cardholder data must receive annual training. The employee must sign the training checklist and route it to the supervisor for signature. The supervisors of each area will submit a report to the Controller's Office documenting those who have completed the training.
z) All employees processing credit cards must use a PCI compliant workstation.

aa) Employees who only generate reports related to credit card activity may use a campus computer to generate those reports, as long as the full credit card number is not displayed.

Imprint Machines
bb) Imprint machines are not allowed.

Exceptions To These Responsibilities
cc) While the Controller's Office does not have the authority to override the PCI requirements, any exceptions to these responsibilities should be discussed with the Controller. The Controller's Office will consider exceptions to any of the above stated responsibilities on a case-by-case basis, in consultation with the UW Platteville Information Security Officer and Internal Audit. In considering exceptions, the Controller's Office will examine compliance with applicable standards and the existence and reliability of compensating controls. Departments and recognized student organizations are responsible for obtaining approval from the Controller's Office.

Consequences of Not Complying
dd) If a merchant does not comply with the above responsibilities, the merchant may no longer be allowed to accept credit cards, and significant financial penalties may result for the department or recognized student organization and for the campus as a whole. Any additional monetary costs associated with remediation, assessment, forensic analysis or legal fees will be borne by the department, recognized student organization or college/division. The actions of one merchant can jeopardize every campus merchant's ability to accept credit cards.

Controller's Office Responsibilities:
a) Develop standards for the campus with respect to accepting credit cards.
b) Apply for and secure all campus merchant ID numbers.
c) Establish and maintain a process for campus departments and recognized student organizations to accept credit cards.
d) Approve applications from campus departments and recognized student organizations before credit cards can be accepted.
e) Initiate and approve Service Level Agreements with each department and recognized student organization before credit cards can be accepted. Service Level Agreements will address the appropriate separation of duties within each department or recognized student organization.

f) Distribute monthly statements from credit card companies to departments and recognized student organizations for reconciliation.
g) Ensure credit card processing fees are properly charged in accordance with state, UWS and UW Platteville contracts.
h) Ensure credit card processing fees are properly charged back to the appropriate department or recognized student organization.
i) Initiate annual renewals of all Service Level Agreements between the Controller's Office and the departments and recognized student organizations.
j) Provide appropriate training to the campus on merchant card transactions.
k) Ensure that each campus department and recognized student organization that accepts credit cards completes the risk/security questionnaire/self-assessment required by applicable standards on an annual basis. During this annual process, the Controller is responsible for verifying that all Merchants provide appropriate compliance documentation for all third-party payment application software, service providers and gateways that store, process or transmit cardholder data as part of an authorization or settlement.
l) Maintain a central file of all documentation indicating third-party vendor and third-party payment application software compliance with applicable requirements.
m) Provide an application form and approve requests from departments and recognized student organizations for merchant IDs.
n) Serve as chair of the PCI core team.

UW Platteville Information Technology Responsibilities:
a) Work with the Controller's Office to develop standards for the campus with respect to accepting credit cards.
b) When requested by the Controller's Office, the Information Security Officer will approve or deny applications from departments and recognized student organizations that wish to accept credit cards.
c) Work to resolve exceptions pertaining to technology or electronic storage noted on the annual risk/security questionnaire/self-assessment and on the quarterly network scans. Consult with Internal Audit as needed.
d) Perform monthly internal network scans to ensure UW Platteville is PCI compliant. Coordinate this effort with Internal Audit.
e) Maintain an inventory of all credit card software and hardware components, in consultation with Financial Services, through the annual service level agreement process.

f) Notify the Controller's Office when departments and recognized student organizations initiate a request for software or hardware changes that relate to credit card processing.
g) Notify and update the Controller on any issue tickets related to credit card processing.
h) Serve as members of the PCI core team.

UW System Internal Audit Responsibilities:
a) Serve as a member of the PCI core team.
b) Internal Audit will monitor the overall effort by incorporating credit card risk into the audit plan.
c) Serve as a resource for the Controller's Office.