Credit/Debit Card Security Policies

According to the credit/debit card policy, departments that accept payments by credit or debit card are responsible for properly safeguarding the cardholder’s information, reconciling, recording, and submitting cash journals promptly. In order to comply with this policy, the following processes/procedures must be followed:

  • No department may accept credit/debit card transactions without a valid business reason and the express consent of University Treasury. No credit or debit cards may be accepted until explicit approval is received from University Treasury.
  • Departments that need to engage in electronic commerce are required to use the university-wide solution approved by the Associate Vice President for Finance and Associate Treasurer.  In the rare instances that this solution is not appropriate, prior to purchasing or contracting for other solutions, departments are required to work with the Office of Information Protection and Security to ensure that the ecommerce application they are considering meets all university policies and recommended security standards, and to ensure it complies with PCI-DSS requirements.
  • Once acceptance is approved, the department must complete the appropriate Self Assessment Questionnaire (SAQ) and review 40.2.15 Credit Card Acceptance Policy. After all employees who will have access to payment card data have reviewed this policy, managers of the departments must acknowledge, in writing, acceptance of this policy and agreement to be bound by the terms thereof. 
  • The SAQ is required annually by the managers of all departments accepting credit cards.  Failure to submit the questionnaire will result in the termination of the department’s ability to accept credit cards (merchant IDs will be suspended) until the documents are submitted.
  • Departments accepting credit/debit cards, in person or through the web (if not through the university-wide ecommerce solution), must apply for their own merchant IDs and should use their own credit card machines for better control.
  • Departments should not set up online accounts with person-to-person products such as PayPal, Venmo, Square, etc. to accept payment for University business.  
  • Departments should batch out credit card processes daily—NO EXCEPTIONS.
  • Departments must submit cash journals no later than the day after credit card transactions occur. There are limited exceptions to the requirement to submit cash journals on a daily basis; however, these exceptions must be approved by the Office of the University Controller.  
  • Credit card numbers should not be received via fax machine.
  • At no time should credit card information be sent or delivered through email.
  • At no time should credit card machines be left unattended. If not in use, the machines should be locked in a secure location with limited access to the machine. Before being reconnected, stored credit card machines should be inspected to ensure no devices have been attached that could compromise the machines. 
  • Card readers must be inspected periodically to ensure that they have not been tampered with.
  • Every merchant department must maintain the following documentation:
    • Incident Response Plan
    • Data Flow Diagram(s)
    • Local Procedures for credit card security