Credit Card Acceptance Merchant Responsibilities
As the demand grows for additional departments accepting credit cards on campus, the University must manage the increased volume and complexity of potentially dealing with multiple interface requirements. In order to mitigate these problems, we have developed the following guidelines. Your support and cooperation in following these guidelines will ensure that our limited administrative resources are used efficiently and that banking and accounting requirements can be met in the most effective way possible in conducting the business of the University.
The following guidelines provide procedures and responsibilities to assist Merchants/departments when they are accepting credit card payments.
- Must designate a Primary PCI Contact who holds the primary authority and responsibility for payment card processing for their assigned Merchant Account. This person oversees the daily PCI activities associated with the Merchant Account such as managing cashier access, ensuring employees are appropriately trained, and properly managing PCI documentation.
- Must designate a Business Service representative who is responsible for daily reconciling of cash and credit card transactions associated to that Merchant Account.
- Must designate additional PCI Team members, as appropriate, depending on the complexity of a PCI application and system. A PCI Team might include members such as:
- Secondary Contact- an individual who may assist the Primary Contact in fulfilling PCI and/or operational duties.
- IT System Admin - an IT individual implementing, securing and managing a PCI on premise server.
- Primary IT Support- IT individual assigned to implementing and maintaining the PCI application and/or endpoint devices.
- Secondary IT Support - a secondary IT individual assigned to assist with the implementation and management of PCI application and hardware.
- Primary Website Administrator - an individual who is tasked with the implementation and management of a web application that connects to or directly processes to an e-commerce payment collection page.
- Comply with all PCI DSS guidelines, Cash Handling Policy 530, and other university policies and procedures for payment card acceptance and security.
- Must maintain an Information Security Plan that addresses protection of cardholder data and other related sensitive data.
- Manage documentation of compliance as outline in Merchant's Role in PCI Compliance.
- Attest PCI compliance annually. The PCI Compliance Officer will assist Merchants with Attestation of Compliance reports as requested by Merchant Services or Service Providers.
- Pay costs associated with payment card processing (bank and interchange fees, equipment fees, etc.).
- Must train personnel who have access to cardholder data in the University's Cash and Credit Card Handling training; upon hire and annually thereafter.
- Notify Treasury Services promptly when a Merchant account is no longer needed.
- Respond to chargeback notifications and credit card company inquiries within the time frame specified on the notification.
- Provide full cooperation with the University's PCI Compliance Officer and/or authorized third-party assessors whenever necessary.
MERCHANT CASH HANDLING AND SECURITY PLAN GUIDELINES
As part of the PCI DSS requirements, each Merchant must provide processes for how they satisfy their respective PCI DSS questionnaire, which may varies due to the application and methods in which cardholder data is processed, stored or transmitted. The following sections outline common PCI security controls which a Merchant should adopt, where applicable, and include in their respective Cash Handling Procedures, Information Security Plan, and or PCI procedure documentation.
Reconciliation of Credit Card Payments
All campus credit card revenue and fees are deposited/charged to the index and account code provided when setting up a Merchant Account. Departments are responsible for reconciling their revenue and fees to the appropriate department revenue and expense accounts. If funds are deposited into a 102900 cash clearing account, transferring of funds should be done on a daily basis.
- Perform a daily reconciling between the daily transactions from the system/website to what is received in Banner.
- Gateways, where applicable, should be closely managed and reconciled as needed. Ensure the system/website application are processing the correct amounts.
- Fraudulent transactions should be refunded back to the card when detected.
- Include reconciling, handling refunds, and methods for identifying fraudulent transactions in a department's Cash Handling Procedures.
Physical Access Controls
- Credit card terminals must be kept in a secure location with limited physical access.
- Terminals need to be inspected for tampering at the start of every shift/daily, if applicable, or when putting a terminal into service for those that are stored when not in use.
- Develop procedures to help all personnel easily distinguish between employees and visitors.
- Webpages that accept credit card payments must be inventoried and scanned monthly for vulnerabilities.
- E-commerce Merchants have it link on their payment processing webpage describing their refund policy, privacy, and terms and conditions of the sales and services rendered. Visit E-Commerce Website Refund, Privacy, and Terms and Condition to see a sample notification.
Payment Collection Controls
- Process all in-person or over-the-phone payments directly into an approved PCI device while the customer is present or on the phone.
- Must not process cardholder data via email or fax. If a customer sends card information via email or fax, please delete the information and contact the customer and acquire the card information via an approved method of collecting payment.
Personnel Access Controls
- Define multiple roles and responsibilities for personnel accessing, transmitting, or processing cardholder data (e.g. cashiers, supervisors, back end register managers, report pullers, IT System Admins).
- Restrict access rights to privileged user IDs to the least privileges necessary to perform job responsibilities.
- Limit access to system components and cardholder data to only those individuals whose job requires such access.
- Passwords or manager authorization codes should be added for refunds/voids where appropriate. Such authorization codes should be entered by someone other than the person processing the refund/void whenever possible.
- All access must be immediately terminated when an employee or contractor leaves the university or changes roles or positions.
Protection of Cardholder Data
- All systems must adhere to the PCI DSS requirements regarding non-storage of sensitive authentication data after authorization.
- Under no circumstance should the full contents of any track from the magnetic stripe be stored. In the normal course of business, the following data elements from the magnetic stripe may need to be retained. To minimize risk, store only these data elements as needed for business.
- The cardholder’s name
- Primary account number (PAN)
- Expiration Date
- Under no circumstance should the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) be stored after processing.
- Under no circumstance should the personal identification number (PIN) or the encrypted PIN block be stored.
- All backups must be inventoried and encrypted at rest.
Transmission of Cardholder Data
- All transmission of sensitive cardholder data must use a secure method to avoid unauthorized access. Where possible, adopt point-to-point or end-to-end encryption.
- Never send or accept cardholder or other sensitive information via unencrypted e-mail, instant messaging, or any other insecure method (e.g. File Transfer Protocol (FTP), Hypertext Transport Protocol, etc.).
- Mask the credit card's Primary Account Number (PAN) when displayed on a screen.
Storage of Cardholder Data
- Merchants must not write down cardholder data (credit card number, expiration date, card verification codes, etc.) on paper. All over the phone payments must be processed directly into a PCI device while customer is on the phone.
- Merchants that have a business need for storing the full sixteen digit credit card number for processing reoccurring payments must use an approved third-party payment vault to securely store cardholder data.
- Approved Merchants that do Direct Mail Solicitation Reply Forms are the only Merchants that are authorized to accept credit card payment information on reply forms. Please see the Direct Mail Solicitation for more information.
Maintain an Information Security Plan
- A strong security plan that references internal, University and/or local or state security policies outline the security expectation for the Merchant and employees.
- All personnel should be aware of the sensitivity of data and their responsibilities for protecting it.
- The security plan should be reviewed at least once a year and updated as needed to reflect any changes to business objectives or the risk environment.
- Strong security practice must be used for all applications, devices, and systems (including shared or dedicated web servers hosting e-commerce sites) in the Cardholder Data Environment (“CDE”), including at a minimum:
- All default passwords must be changed prior to deploying a system or device.
- Any unnecessary generic or default user accounts must be removed or disabled prior to deploying a system or device.
- User IDs and/or passwords must never be shared for any reason.
- All system access requires at a minimum a User ID and strong password.
- Passwords must at a minimum have seven or more characters, and contain at least one letter and one number.
Deploy, Disposal and Reuse of Hardware
- Every system that passes, processes, or stores credit card information is required to have all application servers, database servers, and terminal endpoints on the appropriate PCI network.
- Terminals that are used by USU to process credit cards, even devices that access online, third party vendor payment processing are considered payment terminals and are in PCI scope.
- USU has specific PCI Hardware Security Configurations and a PCI Hardware Registration process for deploying and decommissioning hardware on appropriate PCI networks.
- To learn more, please reference the Deploying, Reusing, or Disposal of PCI Hardware article in ServiceNow.
In the event of a verified or suspected security breach in which a person’s Personal Information or cardholder data is reasonably believed to have been stolen by an unauthorized person, the breach must be reported immediately to a supervisor, and the department/Merchant responsible party must follow the instructions in the section referring to Incident Response: Suspected Cardholder Data Compromise.