Credit/Debit Card Security Policies

According to the credit/debit card policy, departments that accept payments by credit or debit card are responsible for properly safeguarding the cardholder’s information and for reconciling, recording, and submitting cash transmittals promptly. In order to comply with this policy, the following processes/procedures must be followed:

  • No department should accept credit/debit card transactions without a valid business reason and the expressed consent of the University Treasury. No credit or debit cards may be accepted until explicit approval is received from the University Treasury.
  • Departments that need to engage in electronic commerce are required to use the universitywide solution approved by the Vice President for Finance and Associate Treasurer. In the rare instances that this solution is not appropriate, prior to purchasing or contracting for other solutions, departments are required to work with the Office of Information Protection and Security to ensure that the ecommerce application they are considering meets all university policies and recommended security standards, and with the University Treasury to ensure it meets the PCI-DSS.
  • Once acceptance is approved, the department must complete the appropriate Self-Assessment Questionnaire (SAQ) and review the 40.2.15 Credit Card Acceptance Policy. After all employees who will have access to payment card data have reviewed this policy, managers of the departments must acknowledge, in writing, acceptance of this policy and agreement to be bound by the terms thereof.
  • The SAQ and the written acknowledgement of the policy are required annually from the managers of all departments accepting credit cards. Failure to submit these documents will result in the termination of the department’s ability to accept credit cards (merchant IDs will be suspended) until the documents are submitted.
  • Departments accepting credit/debit cards, in person or through the web (if not through the universitywide ecommerce solution), must apply for their own merchant IDs and should use their own credit card machines for better control.
  • Departments should not open PayPal accounts for the acceptance of university payments without the expressed written consent from the University Treasury.
  • Departments should batch out (settle) credit card transactions daily—NO EXCEPTIONS.
  • Departments must deliver cash transmittals no later than the day after credit card transactions occur. There are limited exceptions to the requirement to submit cash transmittals on a daily basis; however, these exceptions must be approved by the Office of the University Controller.
  • When credit card information is submitted over a telephone line or via a fax machine, the telephone line must be analog—it cannot be “voice over internet protocol” (“VOIP”).
  • At no time should credit card information be sent or delivered through email.
  • At no time should credit card machines be left unattended. When not in use, the machines should be locked in a secure location with limited access. Before being reconnected, stored credit card machines should be inspected to ensure no devices have been attached that could compromise the machines.