Credit and Debit Card Transaction Procedures. University of Bath




Table of Contents

- Introduction
- Ethics and Acceptable Use Policies
- Credit and Debit Card Transactions
- Protection of Stored Data
- Protection of Data in Transit
- Restriction of Access to Data
- Physical Security
- Security Awareness and Procedures
- Third Parties holding Cardholder Data
- Security Management / Incident Response Plan

Introduction

The security of information related to credit and debit cards has become increasingly important in recent years. As an organisation which processes cardholder data, the University is obliged to comply with the Payment Card Industry Data Security Standard (PCI DSS).

In the longer term, the University will move towards web-based processing, where cardholder information is held only by the payment service providers, who have enhanced security in place. In the meantime, it is important that the University does not store this sort of data on electronic systems, which may be vulnerable to hacking and other unauthorised access. For this reason, while transaction processing may be carried out electronically, e.g. on credit card terminals, all procedures detailed below which relate to information storage are paper-based.

These procedures cover the security of credit and debit card-related information and must be distributed to all University employees who deal with credit and debit card transactions. Management will review and update the procedures at least once a year to incorporate relevant security needs that may develop. Each employee involved must read the procedures and confirm that they have read and understood them.

Ethics and Acceptable Use Policies

These procedures are subject to the appropriate University Regulations and Policies. Of particular relevance are:

- University Policy 12 Business Ethics and Fraud (http://www.bath.ac.uk/finance/regulations/policies.html#up12)
- IT Security Policy (http://www.bath.ac.uk/bucs/aboutbucs/policies-guidelines/policies-itsecurity.html)

An employee's failure to comply with the procedures set forth in this document may result in disciplinary action up to and including the termination of employment.

Credit and Debit Card Transactions

Credit Card Terminals

Departments with access to credit card terminals must use them in accordance with the security measures specified for those terminals. Credit card slips should be retained for at least 6 months, to enable chargebacks to be answered, but they must be held securely and should in any case not be held for longer than 2 years.

Departments without terminals

Departments which do not have access to a credit card terminal must use the appropriate University pre-printed Credit and Debit Card Transaction Form. There are two forms:

- A form for sending out to customers for them to complete and return. This form can be obtained from the Downloadable Forms section of the Finance Office web page (http://www.bath.ac.uk/finance).
- A pre-numbered form for internal departmental use only. This form is obtainable from the Cashier's Office.

On occasion, a Department may wish to combine a course or conference enrolment form with the credit/debit card form. All such forms must be agreed in advance of use with the Cashier's Office. It is prohibited to use any other style of form for credit and debit card transactions.

Transaction Form - Customer use

This form will typically be used where customers are paying for conference or course fees, etc. When a customer expresses an interest, the department sends out a form for payment. The customer completes the cardholder details and card details. The department completes the payment details and sends the form to the Cashier's Office for processing. It is prohibited to make a copy of completed forms at any time.

Transaction Form - Internal use

When a department takes cardholder details directly from a customer, either where the customer is present or over the telephone, it should use this form. These forms are pre-numbered. It is prohibited to make a copy of this form at any time, either before or after completion.

Where the card security code (the 3 digit code on the back of the card, or the 4 digit code on the front of American Express cards) has been taken to validate a transaction, it should be recorded only on the tear-off strip of the Credit and Debit Card Transaction Form. The strip should be separated from the rest of the form and stored separately.

Transaction Form - Combined booking form / credit/debit card details

The format and use of all such combined forms must be agreed in advance with the Cashier's Office. A copy may be made of the booking section of the form, but never of the card details.

Credit/Debit Card Paying-in Advice

Account coding for the transactions should be entered on the paying-in advice, which should be sent to the Cashier's Office together with the Transaction Forms. The use of this advice is similar to that of the advices used for the paying in of cash or cheques.

Protection of Stored Data

All sensitive information must be stored securely and disposed of in a secure manner when no longer required for business reasons. Only paper media should be used to store sensitive information, and it must be protected from unauthorised access. Media no longer needed must be destroyed in a manner that renders the sensitive data irrecoverable (e.g. cross-cut shredding, pulping or incineration; strip-cut shredding leaves card numbers reconstructable). If in doubt, please refer to the guidance on the web site: http://www.bath.ac.uk/internal/rm/waste/htm

Department

All sensitive information must be stored securely in a locked cupboard or drawer, with access limited to those properly authorised (see Restriction of Access to Data below). Credit and debit card information should never be retained in the department for longer than 24 hours (unless over a weekend or Bank Holiday). The card security code and the rest of the cardholder information should be stored separately from each other.

Cashier's Office

The Cashier's Office will store cardholder information, in the Cashier's safe or in an alternative secure environment, for up to 2 years to enable refunds to be made. Card security code information must be destroyed as soon as it has been used for the particular transaction.

Credit and Debit Card Information Handling Specifics

- It is prohibited to store the contents of the card magnetic stripe (track data) on any media whatsoever.
- It is prohibited to store the card security code (the 3 digit value printed on the signature panel of the card, or the 4 digit value printed on the front of American Express cards) on any media whatsoever except the tear-off strip from the pre-numbered Credit and Debit Card Transaction Form.
- It is prohibited to store cardholder information on PCs or any other electronic media. Cardholder information is defined as:
  o Card account number
  o Expiry date
  o Cardholder name (in conjunction with the above)
- The card security code must never be stored with the cardholder information.
- Destroy cardholder information by a secure method when no longer needed. Media containing card information must be destroyed by shredding or other means of physical destruction that would render the data irrecoverable.

Protection of Data in Transit

Sensitive information should never be transported electronically. Physical transport should always be via a trusted and secure method.

Department

Cardholder information and the card security code should be taken or sent for processing within 24 hours (or immediately after a weekend or Bank Holiday). Separate envelopes should be used for the two types of information: cardholder data to the Cashier's Office, and the card security code to the Cashier's Office Manager in the Finance Office.

Cashier's Office

Once the card security code has been matched with the corresponding cardholder information and the transaction has been processed, the card security code must be destroyed.

Credit and Debit Card Information Handling Specifics

- Card account numbers must never be e-mailed.
- Media containing card account numbers must only be given to trusted persons for transport within the University.
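The rules above prohibit cardholder data on PCs or other electronic media and prohibit e-mailing card account numbers, but give no way of checking that a department has complied. The following is an added example, not part of the University of Bath procedures: a small Python scanner that looks for primary account numbers in text or files, keeps only candidates that pass the Luhn check (so phone numbers and invoice references drop out), and reports each hit masked to first six / last four digits, the most PCI DSS permits to be displayed, so that the report itself does not become stored cardholder data. The sample text is constructed for the example and uses published scheme test numbers; the function and variable names are the example's own.

```python
"""
Discover stored primary account numbers (PANs) in text, as a check on the
"no cardholder data on PCs or electronic media" rule.

Added example; not part of the University of Bath procedures. The sample
text below is constructed. Reported PANs are masked to first six / last
four so the report itself never becomes cardholder data.
"""
import re
import sys
from typing import Dict, List

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces
# or hyphens (as people type them on forms), and not part of a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card schemes."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Return masked, Luhn-valid PANs found in text with their 1-based line numbers.

    Luhn filtering separates card numbers from phone numbers, invoice
    references and other long digit strings; it does not prove a match is a
    real card, so findings still need a human look.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"line": lineno, "masked": mask_pan(digits)})
    return findings


# Constructed sample: a departmental spreadsheet export containing two
# published test PANs (Visa and American Express), a mistyped PAN that fails
# Luhn, a phone number and a 16-digit invoice reference.
SAMPLE_TEXT = """\
Conference booking 2014-10-01, ref 000123456
card 4111 1111 1111 1111 exp 12/26 name J Bloggs
card 4111-1111-1111-1112 exp 12/26 name A Typo
tel 01225 383000, invoice 1234567890123456
amex 378282246310005 exp 01/27
"""


def scan_paths(paths: List[str]) -> int:
    """Scan files named on the command line; return the number of PANs found."""
    count = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in find_pans(fh.read()):
                print(f"{path}:{f['line']}: possible PAN {f['masked']}")
                count += 1
    return count


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Non-zero exit when anything is found, so the check can gate a job.
        sys.exit(1 if scan_paths(sys.argv[1:]) else 0)
    for f in find_pans(SAMPLE_TEXT):
        print(f"line {f['line']}: possible PAN {f['masked']}")
```

Run without arguments it scans the constructed sample and reports the Visa number on line 2 and the American Express number on line 5, while the mistyped number on line 3, the telephone number and the invoice reference are not reported. Run as `python scanner.py exports/*.csv` it prints masked findings per file and exits non-zero if any were found. It does not open spreadsheets, PDFs or mailbox files directly; export those to text first, and treat any hit as something to locate and destroy, not something to copy into a ticket.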

Restriction of Access to Data

Access to sensitive information should be restricted to those who have a need to know. No employee should have access to card account numbers unless they have a specific job function that requires such access. Access for each such employee must be authorised by their Head of Department and the Director of Finance or her deputy. A list of these employees will be held centrally in the Finance Office.

Before authorising an employee to handle credit and debit card transactions, the Head of Department must be satisfied that the employee has read and understood the procedures, and understands how they affect their job.

Physical Security

- Restrict physical access to sensitive information to protect it from those who do not have a need to access that information.
- Media containing sensitive information must be securely handled and distributed.
- Media containing stored sensitive information should be properly inventoried and disposed of when no longer needed for business reasons, by shredding, etc.
- In areas that may contain sensitive information, be aware of the need to hold such information securely, especially in relation to visitors and others who should not have access to it.

Cardholder information will be retained by the Cashier's Office in order to enable later refunds. It should not be retained for longer than necessary for business reasons, and in any case never for longer than 2 years. At the end of the period of retention, it must be physically destroyed by shredding, etc.

Security Awareness and Procedures

Keeping sensitive information secure requires periodic training of employees and contractors to keep security awareness levels high.

Third Parties holding Cardholder Data

The Treasury Accountant will maintain a central list of service providers who hold cardholder data. All third parties with access to card account numbers are contractually obliged to comply with the card association security standards (PCI DSS).

Security Management / Incident Response Plan

These procedures are subject to Financial Regulation G14 Irregularities (http://www.bath.ac.uk/finance/regulations/other.html#irr). In the event of a compromise of sensitive information, the Internal Auditor will oversee the execution of the incident response plan.

Incident Response Plan

1. If a compromise is suspected, alert the Internal Auditor (internalaudit@bath.ac.uk).
2. The Internal Auditor will conduct an initial investigation of the suspected compromise.
3. If a compromise of information is confirmed, the Internal Auditor will alert management and begin informing parties that may be affected by the compromise.

If the compromise involves card account numbers, the Internal Auditor will also:

- Contain and limit the extent of the exposure by shutting down any systems or processes involved in the compromise, while preserving the forms, terminals and any logs involved as evidence for the investigation.
- Alert the necessary parties (Merchant Bank, Visa Fraud Control, the police, etc.).
- Provide compromised or potentially compromised card numbers to Visa Fraud Control within 24 hours, by the secure channel Visa specifies and never by ordinary e-mail (see Protection of Data in Transit).

More information: http://usa.visa.com/business/accepting_visa/ops_risk_mamagemnt/cisp_if_compromised.html