Accepting Payment Cards and ecommerce Payments




Policy V. 4.1.1
Responsible Official: Vice President for Finance and Treasurer
Effective Date: September 29, 2010

Accepting Payment Cards and ecommerce Payments

Policy Statement

The University of Vermont limits the acceptance of credit and debit cards, referred to collectively as payment cards, to those departments who are given authority by the Controller's Office. Permission to accept payment cards is based upon volume of payments and existing internal controls. In order for a department to accept payment cards, it must become a UVM-authorized Merchant, as defined below. In doing so, the department must commit to adhere to the Payment Card Industry Data Security Standards (PCI DSS).

Reason for the Policy

The University of Vermont's acceptance of payment cards for gifts, goods, and services has been growing over the past several years. Increased interest in accepting payments over the internet (e-commerce) has also grown, spurring the need to establish business processes and policies that protect the interests of the University and its customers. While the costs for accepting payment cards can be significant (approximately 1.5% to 3.0% of every transaction, depending on the card type), it often makes sense to accept this type of payment for business reasons, which include control of receivables, competitive position, and efficient processing. To the extent that it makes economic sense, the University wishes to support this activity. In order to ensure that payment card activities are consistent, efficient, auditable, and secure, the University has adopted the following policy and supporting procedures for all types of payment card activity transacted in person, over the phone, and via fax, mail, or the internet. This policy provides guidance so that credit card acceptance and e-commerce processes can comply with PCI DSS and are appropriately integrated with the University's financial and other systems.

Security breaches can result in serious consequences for the University, including release of confidential information, damage to reputation, added compliance costs, the assessment of substantial fines, possible legal liability, and the potential loss of the ability to accept credit card payments.

The University of Vermont has contracted with a third-party vendor ("Authorized Vendor"), as designated by the Vice President for Finance and Treasurer, whose core business includes the support and processing of e-commerce transactions. The Authorized Vendor will provide the University with a secure gateway and hosted solution in which all payment card and personal payment information is transmitted to and stored on off-site computers that the Authorized Vendor owns and maintains. The Authorized Vendor must maintain PCI DSS compliance certification. This relationship will enable the University to leverage the volume of e-commerce transactions and reduce processing costs.

Applicability of the Policy

Any University of Vermont employee, contractor, or agent who, in the course of doing business on behalf of the University, is involved in the acceptance of payment card and e-commerce payments for the University is subject to this policy. Failure to comply with the terms of this policy may result in disciplinary actions and could also limit a department's payment card acceptance privileges. Noncompliance by a contractor or agent may result in a breach of contract and/or termination of a contract or agency agreement.

Policy Elaboration

Any department accepting payment card and/or electronic payments on behalf of the University of Vermont for gifts, goods, or services ("Merchant") must designate an individual within that department who will have primary authority and responsibility for e-commerce and credit card transaction processing within that department. This individual will be referred to in the remainder of this policy statement as the Merchant Department Responsible Person or MDRP. All MDRPs must:

1. Execute on behalf of the relevant Merchant the Procedures to Initiate Acceptance of Payment Cards and e-commerce Payments detailed below.

2. Ensure that all employees (including the MDRP), contractors, and agents with access to payment card data within the relevant Merchant read and understand this Policy for Accepting Payment Cards and e-commerce Payments.

3. Complete the appropriate PCI DSS Self-Assessment Questionnaire (SAQ) for the Merchant on an annual basis, and register IP address(es) and conduct required quarterly vulnerability scans, as applicable. A current SAQ must be certified by a Dean, Director, or Chair, completed within the past twelve months, and kept available for inspection.

4. Ensure that all payment card data (including, but not limited to, account numbers, card imprints, and Terminal Identification Numbers (TIDs)) collected by the relevant Merchant in the course of performing University of Vermont business, regardless of how the payment card data is stored (physically or electronically), is secured. Data is considered to be secured only if the provisions of the University's Information Security and Privacy Policy, PCI DSS Security Policy, and PCI Data Security Standards are followed. Some of the criteria include:

- Only those with a need-to-know are granted access to payment card and electronic payment data.
- Email should not be used to transmit payment card or personal payment information. If it should be necessary to transmit payment card information via email, only the last four digits of the payment card number can be displayed.
- Payment card or personal payment information is never downloaded onto any portable devices such as USB flash drives, compact disks, laptop computers or personal digital assistants, or other digital media.
- Fax transmissions (both sending and receiving) of payment card and electronic payment information occur only on those fax machines to which access is restricted to just those individuals who must have contact with payment card information in order to do their jobs.
- The processing and storage of personally identifiable payment card or payment information on University computers and servers is prohibited, except as provided in this policy. Exceptions can only be made if the processing and storage methods are compliant with this policy and the aforementioned policies and standards. These standards detail strict encryption protocols. (NOTE: The University of Vermont's Enterprise Technology Services (ETS) maintains a staff of security professionals who are available, as required, to provide consultative services on appropriate security practices. ETS can be contacted to request information security services at ISO@list.uvm.edu, or 656-2123 or 866-236-5752.)
- Only secure communication protocols and/or encrypted connections to the Authorized Vendor are used during the processing of e-commerce transactions.
- Only encrypted connections are used for the internal transmission of data.
- The three-digit card-validation code printed on the signature panel of a credit card is never stored in any form.
- The full contents of any track from the magnetic stripe (on the back of a credit card, in a chip, etc.) are never stored in any form.
- All but the last four digits of any payment card account number are always masked, should it be necessary to display payment card data.


- All media containing payment card and personal payment data that are no longer deemed necessary or appropriate to store are destroyed or rendered unreadable, in accordance with other University policies concerning retention of records.

No University of Vermont employee, contractor, or agent who obtains access to payment card or other personal payment information in the course of conducting business on behalf of the University of Vermont may sell, purchase, provide, or exchange said information in any form, including, but not limited to, imprinted sales slips, carbon copies of imprinted sales slips, mailing lists, tapes, or other media obtained by reason of a card transaction to any third party other than to the University of Vermont's acquiring bank, depository bank, Visa, MasterCard, or other payment card company, or pursuant to a government request. All requests to provide information to any party outside of one's own department must be coordinated with the Manager of the Cashier's Office.

Merchants must use the services of the Authorized Vendor to process all e-commerce transactions. If a Merchant believes that it has a significant business case or processing requirement that cannot be achieved using the services of the Authorized Vendor and wishes to utilize an alternative, it must initiate its request to the Assistant Controller for Tax and Treasury Services for a release from the Authorized Vendor requirements specified by this policy. The Assistant Controller will forward the request to the Controller and Chief Information Officer (CIO) with a recommendation. Only the Controller and CIO may jointly authorize the adoption of alternative e-commerce vendors and products. In the event that the Controller and CIO authorize the use of an alternative e-commerce vendor, then the following must occur:

- The MDRP must provide proof initially, and annually thereafter, that the alternate e-commerce vendor is certified as PCI compliant; and
- The MDRP must ensure that the department and its vendor comply with all relevant provisions of the University's Information Security and Privacy Policy, PCI DSS Security Policy, and this Policy for Accepting Payment Cards and e-commerce Payments.

In accordance with merchant agreements with card companies, the following requirements apply to all University Merchants:

- All Merchants accepting Visa, MasterCard, American Express, and/or Discover Card shall promptly honor all such valid transactions and will not establish minimum or maximum transaction amounts.
- All Merchants shall not select what sales or services may be charged by a cardholder. All sales or services provided at that location can be charged at the option of the cardholder.
- All transactions must be pre-authorized, and when a cardholder is present a sales draft must be signed by the cardholder.
- All Merchants must exercise reasonable diligence to the best of their ability in determining that the signature on the sales draft is the same as the authorized signature on the card.


All Merchants will establish a fair policy for exchange and returns and give proper credit or issue credit vouchers. All Merchants must exercise reasonable diligence to the best of their ability in determining whether fraudulent or unauthorized use of a credit card has occurred. By becoming a Merchant, the unit agrees to: Be charged a merchant fee for all credit card transactions calculated at a predetermined rate. A lower rate is charged for cards that are physically present and swiped through the terminal. Be charged a per-transaction fee for all transactions processed through the Authorized Vendor for e-commerce transactions, and a fixed monthly amount for hosting/maintenance. Balance, settle, and close their credit card terminal on a daily basis, including weekends. Maintain the original sales draft for at least 30 days. Maintain a copy of the sales draft for a minimum of two years, acknowledging a chargeback may occur for up to seven years. Process payment credit card transactions through the merchant bank processor with which the University of Vermont has a merchant banking relationship. By becoming a Merchant, the unit agrees to follow security best practices as prescribed by PCI DSS standards, such as: Mask all but the last four digits of any payment card account on the sales draft in order to protect such cardholder data. Use anti-virus software that is kept updated automatically. Not use vendor-supplied defaults for systems passwords and other security parameters; change systems passwords when key personnel associated with credit-card processing leave positions with Merchant. Assign a unique ID to each person with computer access, including student employees. House computer systems that process payment cards behind a firewall with the highest level of protection consistent with the system's access requirements. 
Use computer systems that process payment cards with the ability to monitor and track access to network resources, the computer itself, and cardholder data. Report all suspected or known security breaches in accordance with Procedures for Responding to a Security Breach, below. Develop practices and procedures consistent with any applicable existing policy of the University related to information security and privacy, and the retention or destruction of records. Definitions Authorized Vendor: A third-party vendor with PCI Compliance Certification as selected by the Controller s Office to provide the University with a secure gateway and hosted solution in which all payment card and personal payment information is transmitted to and stored on off-site computers owned and maintained by the Authorized Vendor. Page 5 of 8

Merchant: A University department or unit that has been approved by the Controller s Office to accept payment cards and electronic payments for gifts, goods, and/or services. Merchant Department Responsible Person (MDRP): The person within each Merchant department responsible for managing credit card and/or e-commerce transaction processing. Payment Card Industry Data Security Standards (PCI DSS): A uniform set of data security standards developed by the major credit card companies (VISA, MasterCard, Discover, and American Express) with which everyone that stores, processes, or transmits cardholder data must comply (https://www.pcisecuritystandards.org/). Non-compliance with PCI DSS standards puts the University at risk for: Large monetary fines assessed to the Merchant and/or the University Loss of merchant status for department Loss of merchant status for the University Loss of faith in the University of Vermont s name Procedures to Initiate Acceptance of Payment Card and ecommerce Payments The MDRP or his/her designee must follow the steps below in order to initiate payment card processing and e-commerce at the University of Vermont. 1. Complete an Application to Become a Merchant. (For an application click here). Applications must be signed by the MDRP as well as the college/school/division Budget Manager. It is the responsibility of the Budget Manager to approve the business case for the department to become a merchant department, the PeopleSoft information provided, and the designated Merchant Department Responsible Person. 2. Submit the application for review and approval to the Manager of the Cashier s Office at 220 Waterman. Allow two to four weeks for processing of the request. All applications require the approval of the Assistant Controller for Tax and Treasury Services. 
If the application is approved, the Manager of the Cashier's Office will provide the requesting department any necessary equipment (at the expense of the Merchant Department) and training.

Procedures for Responding to a Security Breach

In the event of a breach or suspected breach of security, the Merchant department must immediately execute each of the relevant steps detailed below.

1. The MDRP or individual suspecting a security breach must follow the University's Breach Notification Procedures (https://www.uvm.edu/ets/security/?page=breach.html), developed to comply with An Act Relating to the Protection of Personal Information (9 V.S.A. chapter 62). Report a data breach to the UVM Information Security and Assistance line by calling the toll-free number 866-236-5752 or internal UVM number 656-2123.

2. The MDRP or individual suspecting a security breach must also immediately notify the Manager of the Cashier's Office (802-656-3462) of an actual or suspected breach of credit card information. Details of the breach, particularly any personally identifiable information or cardholder data, should not be disclosed in email correspondence.

3. The Manager of the Cashier's Office shall alert the Controller's Office, the merchant processing bank, and University of Vermont Police Services.

4. Depending on the nature of the suspected breach and following PCI DSS protocols, the payment card associations, the Federal Bureau of Investigation, the United States Secret Service, and other relevant regulatory agencies may need to be informed. That determination will be made by senior officials.

5. Where an actual breach of credit card data is confirmed, the Manager of the Cashier's Office, with the assistance of the ETS Information Security Office, will ensure that compromised credit card account information is securely sent to the appropriate card company Fraud Control Groups and affected credit card associations.

6. Within 48 hours of the breach, the Manager of the Cashier's Office, with assistance from the relevant MDRP, shall provide the affected credit card associations with proof of PCI compliance.

7. Within four business days of the breach, the Manager of the Cashier's Office, with assistance from the relevant MDRP, shall provide the affected credit card associations with an incident report.

8. At the relevant credit card associations' request and depending on the level of risk and data elements compromised, the Manager of the Cashier's Office, in conjunction with the University ETS Information Security Office, shall, within four business days of the event:
- Arrange for an independent forensic review.
- Arrange for a network and system vulnerability scan.
- Complete a compliance questionnaire and submit it to the relevant card association(s).

Forms

Application to Become a Merchant

Contacts

Questions related to daily operational interpretation of this policy should be directed to:
Manager, Cashier's Office (802) 656-3462
Assistant Controller for Tax and Treasury Services (802) 656-0674

The Vice President for Finance and Treasurer is the official responsible for the interpretation and administration of this policy.

Related Documents/Policies

Computer, Network, and Communications Acceptable Use Policy http://www.uvm.edu/policies/cit/compuse.pdf
Information Security - Interim http://www.uvm.edu/policies/cit/infosecurity.pdf
Privacy http://www.uvm.edu/policies/general_html/privacy.pdf
PCI DSS Security Policy (under development)
PCI Security Standards Council https://www.pcisecuritystandards.org/
Merchant Rules and Operating Regulations:
- Visa Rules http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf
- MasterCard Rules http://www.mastercard.com/us/merchant/pdf/bm-entire_manual_public.pdf
- American Express Merchant Reference Guide https://www260.americanexpress.com/merchant/singlevoice/singlevoiceflash/useng/pdf files/merchantpolicypdfs/us_%20refguide.pdf
- Discover Network Merchant Operating Regulations http://www.pipelinedata.com/tc/discover.pdf

Effective Date

Approved by President September 29, 2010.