Last Modified: March 9, 2022
Purpose
This policy provides guidance for University credit card operations to comply with Payment Card Industry Data Security Standard (PCI DSS) Program standards.
Policy
University departments that are approved to sell or offer at auction goods or services may choose to accept credit cards from its customers as a payment. This document identifies the requirements that departments, offices, and all other entities that accept or want to accept payments by credit cards must follow. There are four accepted methods for processing transactions: (1) card swipe terminal, (2) secure website through a gateway authorized by Student Account Services (SAS), (3) University authorized point of sale system or back office system, and (4) contract with external payment partner signed by a University designated contract signer.
PCI Compliance
The PCI DSS is a mandated set of security standards created by the major payment card brands to give merchants and service providers a single, unified approach to safeguarding cardholder data across all card brands.
The PCI DSS requirements apply to all payment card network members, merchants, and service providers that store, process, or transmit cardholder data. The requirements apply to all methods of credit card processing. The University and all departments that process payment card data have a contractual obligation to adhere to the PCI DSS. The PCI DSS are incorporated into the University of Alabama Credit Card Policies but also may be accessed on-line.
Each department that accepts credit card payments is responsible for adhering to all the standards in the PCI DSS and for annually certifying its continued compliance by submitting the PCI DSS Self-Assessment Questionnaire (SAQ) appropriate to its credit card activities. Further information on each type of credit card processing and the associated questionnaire (SAQ) is found on the Cybersecurity Resources webpage.
Section I – Credit Card Operations General Policies – Applicable to all Types of Credit Card Operations
Establishing a University Merchant Services Account
Any department intending to begin the generation of revenue must first receive approval from the Student Account Services (SAS) Associate Director of Accounting, regardless of the proposed tender types/funds. This request should be made by the business manager of the associated college or operation. Complete a Request to Establish a New Revenue Generating Operation Form and return to SAS. Do not begin the revenue generating operation until approval has been given and training has been completed.
Any department wishing to generate revenue with additional tender types, including credit cards, or make changes in existing revenue generating operations must first receive approval from SAS before any funds are collected. This request should be made by the business manager of the associated college or department. Do not expand or implement changes to an existing revenue generating operation until approval has been given and training has been completed.
- A credit card services contract is negotiated by the University for all University authorized merchant accounts. By centralizing all merchants, the University of Alabama negotiates a lower rate based on the University’s overall transaction volume. Any questions or problems with a departmental merchant account should be directed to SAS, who will communicate with the merchant services provider if necessary.
- All merchant accounts for accepting credit cards must be obtained and approved by SAS. Departments will complete a Request to Establish a Credit Card Operation form and submit it to SAS.
- Any contract with credit card processing companies or with companies accepting credit card payments on the department’s behalf must be reviewed, negotiated, and approved by SAS with review by the Office of Counsel.
Costs Associated with Accepting Payment by Credit Card
- The University is charged a discount fee on all credit card transactions, which is passed on to the department (by merchant account). In addition to the per-transaction charges, a department may incur other monthly charges (e.g. PCI insurance, paper statements, charge backs, etc.) and start-up costs such as the cost of a terminal, a phone line, etc.
- The department is responsible for all expenses associated with credit card merchant accounts. These expenses will be reflected on the department’s monthly credit card statements. At month-end, these expenses will be charged to the Banner FOAP that was provided by the department when the credit card operation was originally established.
- The price of goods or services cannot be increased because payment is received by credit card rather than another payment method (e.g., check, cash, money order, etc.). Convenience fees must be reviewed and approved by SAS before they can be charged.
Daily Recording of Credit Card Transactions and Reconciliations
- All University funds received via credit card will be processed and deposited to a University designated bank account.
- All credit card transactions must be processed, or settled, daily and recorded timely in the University financial records, via TouchNet GL update or a University Daily Cash Transmittal Form submitted to SAS.
- Credit card bank deposit activity is monitored and reconciled monthly by SAS to ensure that credit card activity is being recorded in UA’s bank account.
- Departmental personnel must reconcile transactions processed through the terminal/web processor as reflected on the monthly merchant services statement with the sales transactions posted to the department’s Banner Finance records.
Each merchant/department will receive a monthly statement of credit card activity. Visa, Mastercard and Discover transactions will all appear on one monthly statement. If a department is accepting American Express, a separate monthly statement will be issued by AMEX.
Refunding and Disputes of Credit Card Payment
- When an item or service is purchased using a credit card, and a refund is necessary, the refund must be credited to the same credit card account from which the purchase was made. This is a requirement of the credit card contract and reduces credit card fees incurred by the department.
- When a customer disputes the validity of a bank card transaction, a notification is sent to SAS and a charge back to the University’s bank account is automatically generated by the University’s merchant services provider. If necessary, SAS will contact the department to obtain information or supporting documentation on the disputed transaction. Departments should not receive such charge back notices directly from UA’s merchant services provider; if this occurs, contact SAS. If the dispute is settled in favor of the customer, a refund is automatically issued to the customer by the University’s designated bank, and the department which accepted the payment will be notified and charged for the amount of the transaction plus a charge back fee. If applicable, departmental records should be adjusted to reverse the original payment. If the dispute is settled in favor of the University, the department will be charged only the charge back fee, which is charged to UA regardless of the outcome of the dispute.
Protecting and Securing Customers’ Personal Information
- All personal credit card information must be protected and should not be stored unless there is a valid business need. Failure to maintain strict controls over this information could result in a breach of the data, large fines and penalties, and the inability to continue to process credit card transactions.
- Personal credit card data should never be moved from the department receiving this data unless a secure delivery method is established and a transfer of custody is in place. Such processes should be reviewed and approved by SAS prior to being established.
- Never send cardholder information, or ask a customer to send it, via unencrypted e-mail, instant messaging, chat, etc. This includes the card number, expiration date, and security code. Personal credit card information is designated as restricted information under the University’s Information Classification Policy and must be handled with the corresponding security measures outlined in the Information Protection Procedure.
Possible Lost or Stolen Credit Card Data
- If a UA customer contacts a department to report suspected fraudulent use of their credit card, the department should contact SAS. SAS will assist and involve other departments as needed.
- If a department knows or suspects that their credit card receipts or other stored credit card data have been breached, the department should contact the OIT Information Security Officer as quickly as possible.
- The Information Security Office will be responsible for conducting or coordinating the investigation, making or assessing recommendations for corrective action, reporting the incident to the Executive Computer Incident Response Team (ECIRT) and other administrative units as needed.
Maintain Procedures that Address Information Security
- Each department that takes payment by credit card must have written credit card procedures to address protection of credit card data. These procedures must include data access limitation, data storage, data retention, and data disposal.
- SAS can assist with the writing of departmental information security procedures.
- Each department’s procedures must be reviewed at least annually and updated as appropriate.
- The department should require all employees (permanent or temporary) who have access to credit card data to acknowledge in writing they have read and understood the department’s security procedures. This written acknowledgement must be reviewed and signed annually.
- The signed acknowledgments should be maintained by the department.
- In addition to the department requirements listed above, UA’s Information Classification Policy (ua.edu) also applies.
Section II – Credit Card Transactions Processed through a Card Swipe Terminal (an Authorized Credit Card Machine)
Note: Section I should also be used in conjunction with this section when developing a department’s individual policies.
Acquiring Credit Card Equipment
- Credit Card terminals must be requested through SAS. The needed equipment and supplies will be obtained by SAS and distributed to the department.
- The department will be responsible for equipment costs which will be reflected on the department’s monthly credit card statement.
Processing, Settling, and Recording Credit Card Transactions taken with a Card Swipe Terminal
- Settlements not done within 24 hours will result in increased merchant processing fees for all transactions in that batch.
- Department records should be maintained that include data on the type(s) of revenue (e.g., sales, services, gifts, fees, etc.) that were paid with credit card.
- Once settled, the summary settlement tape (totals/settlement report) is the equivalent of depositing the funds into the University’s bank account electronically. However, the department must record the revenue to the appropriate University FOAPs in order to reflect the departmental revenue.
Restrict Access to Cardholder Data
- Access to credit card terminals should be limited to only authorized employees. The physical location of credit card terminals should be protected, monitored, and secured.
- Only authorized employees should have access to credit card terminal settlement processes.
- Access to secure storage areas should be limited to only authorized personnel. Make sure all visitors are authorized before entering areas where cardholder data is processed or maintained.
- Cardholder data should only be stored when absolutely necessary. This will be rare for most departments. Maintain strict control over the internal and/or external distribution of any kind of media that contains cardholder data.
- In compliance with PCI DSS, all media containing cardholder data must be classified as confidential so that appropriate privacy and security controls can be applied.
- Management approval should be obtained prior to moving all media containing cardholder data from a secured area.
Securely Store and Retain Cardholder Data
- Under no circumstances should a department create or store electronic files of customer credit card numbers and expiration dates (including spreadsheets, databases).
- Do not store the card-validation code or value (CVV2, CVC2, CID), which is the three-digit or four-digit number printed on the front or back of a payment card. This code is used to show that the purchaser has the physical card when the card is not present to swipe, and PCI DSS prohibits retaining it after authorization in any form, even encrypted.
- Do not store the personal identification number (PIN) or encrypted PIN block. Like the security code, it may never be retained after authorization.
- Physically secure all paper and media that contain cardholder information.
- Store credit card settlement tapes in a secure, locked (limited access) area.
- Store any credit card data for which there is a business need to keep in a secure, locked area.
- Limit the retention time of credit card data to that which is required for business, legal, and/or regulatory purposes. This should not exceed a year.
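The rules above (no electronic files of card numbers, no stored security codes) and the earlier rule against sending card data over unencrypted e-mail or chat are easiest to enforce when a department can actually find cardholder data that has crept into spreadsheets, exports, or mailbox text. The following scanner is an added example written for this page; it is not part of the University policy or of any PCI SSC tool. It looks for 13 to 19 digit runs, keeps only those that pass the Luhn check (which eliminates most order numbers and tracking numbers), reports them masked to the first six and last four digits (the truncation PCI DSS permits for display), and flags values labelled as a security code. The sample input is constructed for the example and uses the publicly known test card numbers, not real accounts.

```python
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run (so a 20-digit reference number is not split into a PAN).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3- or 4-digit value next to a security-code label. Heuristic: it catches
# prose and e-mail text, not an unlabelled CSV column (see usage note).
CVV_LABEL = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security code|card code)\b\s*[:=]?\s*(\d{3,4})\b",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    kind: str      # "PAN" or "CVV"
    line_no: int
    value: str     # masked PAN, or a placeholder for security codes


def scan_text(text: str) -> list[Finding]:
    """Scan free text (a CSV export, an e-mail body) for stored cardholder data."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding("PAN", line_no, mask_pan(digits)))
        for m in CVV_LABEL.finditer(line):
            # The code itself is never written out, even to a report.
            findings.append(Finding("CVV", line_no, "<redacted>"))
    return findings


# Constructed sample: a departmental "sales log" that should never have existed.
SAMPLE = """\
order_id,customer,card,expiry,notes
10001,A. Student,4111 1111 1111 1111,12/26,paid in full
10002,B. Faculty,5555-5555-5555-4444,03/25,
10003,C. Visitor,4111 1111 1111 1112,01/27,typo in card number
invoice 1234567890123456 paid by check
Tracking: 378282246310005
Customer emailed: CVV 123, exp 12/26
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.value}")
```

On the sample this reports the two 16-digit test cards and the 15-digit American Express test card as masked PANs, skips the mistyped number and the invoice reference (both fail Luhn), and flags the e-mailed security code. Because the CVV check relies on a label, a spreadsheet that stores codes in an unnamed column will only surface through its PAN column; when a PAN is found, treat every adjacent field as suspect and destroy the file per the retention rules above rather than trying to redact it in place.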
Destruction of Previously Retained Cardholder Data
- Destroy media containing cardholder information when it is no longer needed, according to the department retention policy.
- Cross-cut shred hardcopy materials so that cardholder data cannot be reconstructed.
Section III – Credit Card Transactions Processed by the Customer through a Web Site with a Hosted Payment Gateway – Self Assessment Questionnaire A (SAQ A)
Note: Section I should also be used in conjunction with this section when developing a department’s individual policies.
Section III pertains to a secure website accepting payments through a hosted payment gateway which has been authorized (both the website and the payment gateway) by SAS. SAS will meet with the department to review the department’s plan for a web site and discuss services that are centrally provided to accommodate web processing and to provide advice and guidance regarding proposed options and/or vendors. To be approved as a secure website accepting payments through a hosted payment gateway, the following conditions must be met:
- Electronic files containing customer credit card numbers and expiration dates are not created or stored (including spreadsheets, databases).
- The security code or value (CVV2, CVC2, CID) is not stored. This code shows that the purchaser has the physical card when the card is not present to swipe, and it may not be retained after authorization in any form.
- The personal identification number (PIN) is not stored.
- Department employees do not enter credit card data on behalf of the customer into the web site.
Scope
This policy applies to all University of Alabama departments and foundations under affiliation agreement with UA, and the associated employees involved in any way with credit card operations. All individual departments’ procedures established for the credit card operations must be developed within the parameters of these overarching policies.