University departments that are approved to sell goods or services may choose to accept credit cards from their customers as a form of payment. This document identifies the requirements that departments, offices, and all other entities that accept or want to accept payments by credit card must follow. There are four accepted methods for processing transactions: (1) card swipe terminal, (2) secure website through a gateway authorized by Student Account Services, (3) University authorized point of sale system or back office system, and (4) contract with an external payment partner signed by a University designated contract signer. This document consists of three sections. Section I provides general guidance on University credit card operating policies, regardless of the type of processing. Section II pertains to credit card transactions processed through a card swipe terminal. Section III covers credit card transactions processed by a customer over the web through a hosted payment gateway. Sections IV and V are under construction.
The Payment Card Industry Data Security Standard (PCI DSS) Program is a mandated set of security standards that were created by the major credit card companies to offer merchants and service providers a complete, unified approach to safeguarding cardholder data for all credit card brands.
The PCI Data Security Standard requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The requirements apply to all methods of credit card processing, from manual to computerized; the most comprehensive and demanding of which apply to e-commerce websites, and retail POS systems that process credit cards over the Internet.
The University and all departments that process payment card data have a contractual obligation to adhere to the PCI Data Security Standard (PCI-DSS), a set of national technical and business standards developed by the credit card industry that applies to all organizations that process, transmit or store credit cardholder data. The Payment Card Industry Data Security Standards are incorporated into the University of Alabama Credit Card Policies and may also be accessed online at https://www.pcisecuritystandards.org/.
The department is responsible for adhering to all the standards in the PCI-DSS and for annually certifying its continued compliance by submitting the PCI-DSS Self Assessment Questionnaire (SAQ) appropriate to its credit card activities. Further information on each type of credit card processing and the associated questionnaire (SAQ) is found at http://oit.ua.edu/oit/security.
Section I – Credit Card Operations General Policies – Applicable to all types of Credit Card Operations
Establishing a University Merchant Services Account
Any department intending to begin generating revenue must first receive approval from the Student Account Services Associate Director of Cash Receipting Operations, regardless of the proposed tender types/funds. This request should be made by the business manager of the associated college or operation. Complete a Request to Establish a New Revenue Generating Operation Form and return it to Student Account Services. Do not begin the revenue generating operation until approval has been given and training has been completed.
Any department wishing to generate revenue with additional tender types, including bank cards, or make changes in existing revenue generating operations must first receive approval from Student Account Services before any funds are collected. This request should be made by the business manager of the associated college or operation. Do not expand or implement changes to an existing revenue generating operation until approval has been given and training has been completed.
- A central merchant services contract is negotiated by the University for all University authorized merchant accounts. By centralizing all merchants, the University of Alabama negotiates a lower rate based on the University’s overall transaction volume. Any questions or problems with a departmental merchant account should be directed to Student Account Services, who will communicate with the merchant services provider if necessary.
- All merchant accounts for accepting credit cards must be obtained and approved by the Office of Student Account Services. Departments will complete a Request to Establish a Credit Card Operation form and submit it to Student Account Services.
- Departments cannot negotiate their own contracts with credit card processing companies or contract with companies accepting credit card payments on the department’s behalf.
Costs Associated with Accepting Payment by Credit Card
- The University is charged a discount fee on all credit card transactions, which is passed on to the department (by merchant account). In addition to the per-transaction charges, a department may incur other monthly charges (e.g., insurance, paper statements, charge backs, etc.) and start-up costs such as the cost of a terminal, a phone line, etc.
- The department is responsible for all expenses associated with credit card merchant accounts. These expenses will be reflected on the department’s monthly credit card statements. At month-end, these expenses will be charged to the Banner FOAP that was provided by the department when the credit card operation was originally established.
- The price of goods or services cannot be increased because payment is received by credit card rather than another payment method (e.g., check, cash, money order, etc.).
Daily Recording of Credit Card Transactions
- All University funds received via credit card must be deposited into a University designated bank account. This is accomplished by settling the credit card batch on any UA merchant.
- All credit card transactions must be settled daily and recorded promptly in the University financial records, via a University daily cash transmittal form submitted to Student Account Services.
- Credit card bank deposit activity is monitored and reconciled monthly by Student Account Services to ensure that credit card activity is being recorded in UA’s bank account.
- Departmental personnel must reconcile transactions processed through the terminal/web processor as reflected on the monthly merchant services statement with the sales transactions posted to the department’s Banner Finance records.
Refunding and Disputes of Credit Card Payment
- When an item or service is purchased using a credit card, and a refund is necessary, the refund must be credited to the same credit card account from which the purchase was made. This is a requirement of the credit card contract. Crediting to the same account used for the charge protects the customer. Processing refunds as a credit back to the card honors the banking agreement and reduces credit card fees incurred by the department.
- When a customer disputes the validity of a bank card transaction, a notification is sent to Student Account Services and a charge back to the University’s bank account is automatically generated by the University’s merchant services provider. If necessary, Student Account Services will contact the department to obtain information or supporting documentation on the disputed transaction. Departments should not receive such charge back notices directly from UA’s merchant services provider. If this should occur, contact Student Account Services. If the dispute is settled in favor of the customer, a refund is automatically issued to the customer by Compass Bank. The department which accepted the payment will be charged for the amount of the transaction plus a $10 charge back fee. The department will be notified that this action has been taken. If applicable, departmental records should be adjusted to reverse the original payment. If the dispute is settled in favor of the University, the department will be charged only the $10 fee (which is charged to UA regardless of the outcome of the dispute).
Reconciliation of Credit Card Records
- Each merchant account will receive a monthly statement of credit card activity. Visa, Mastercard and Discover transactions will all appear on one monthly statement. If a department is accepting American Express, a separate monthly statement will be issued by AMEX.
- Departments are responsible for balancing their monthly statements against what has been recorded on UA records. Contact Student Account Services concerning discrepancies or questions.
Protecting and Securing Customers’ Personal Information
- All personal credit card information must be strictly controlled and protected, and securely stored only for as long as there is a business necessity. Failure to maintain strict controls over this information could result in unauthorized use of a credit card number and serious problems for the customer, the department and the University.
- Personal credit card data should never be moved from the department receiving this data unless a secure delivery method is established and a transfer of custody is in place.
- Never send cardholder information, or request that it be sent, via unencrypted e-mail, instant messaging, chat, etc.
Possible Lost or Stolen Credit Card Data
- If a UA customer contacts a department to report suspected fraudulent use of their credit card, the department should contact Student Account Services. Student Account Services will assist and involve other departments as needed.
- If a department knows or suspects that their credit card receipts or other stored credit card data have been breached, the department should contact the OIT Information Security Officer as quickly as possible.
- UA has an incident response team which will determine the appropriate course of action needed.
Maintain a Policy that Addresses Information Security
- Each department that takes payment by credit card must have a written credit card policy and associated procedures to address protection of credit card data. This policy must include data access limitation, data storage, data retention, and data disposal.
- Each department’s credit card policy and associated procedures must be reviewed annually and updated as appropriate.
- The department should require all employees (permanent or temporary) who have access to credit card data to acknowledge in writing they have read and understood the department’s security policy and procedures. This written acknowledgement must be reviewed and re-signed annually.
- The signed acknowledgments should be maintained by the department.
- You may want to view the policy in force for the Office of Student Account Services, although each department should tailor its policy as appropriate.
- In addition to the department requirements listed above, UA has Security Policies of a technical nature that apply; see http://oit.ua.edu/oit/security/.
Section II – Credit Card transactions processed through a card swipe terminal (an authorized credit card machine)
Note: Section I should also be used in conjunction with this section when developing a department’s individual policies.
Acquiring credit card equipment
- Credit Card terminals must be requested through Student Account Services. The needed equipment and supplies will be obtained by Student Account Services and distributed to the department.
- The department will be responsible for equipment costs which will be reflected on the department’s monthly credit card statement.
Processing, settling and recording credit card transactions that were taken with a card swipe terminal
- Initial training for operating the card swipe terminal to process a transaction will be provided by Student Account Services.
- The terminal activity should be settled daily. Initial training on settlement will be provided by Student Account Services.
NOTE: Settlements not done within 24 hours will result in an increased rate for all transactions in that batch.
- Department records should be maintained of the type(s) of revenue (e.g., sales, services, gifts, fees, etc.) that were paid with credit card.
- Once settled, the summary settlement tape (Totals/settlement report) is the equivalent of depositing the funds into the University’s bank account electronically. However, the department must record the revenue to the appropriate University FOAPs in order to reflect the departmental revenue.
Restrict access to cardholder data by business need to know
- Access to credit card terminals should be limited to only authorized employees. The physical location of credit card terminals should not be accessible by the public.
- Only authorized employees should have access to credit card terminal settlement processes.
- Access to secure storage areas should be limited to only authorized personnel. Make sure all visitors are authorized before entering areas where cardholder data is processed or maintained.
- Maintain strict control over the internal and/or external distribution of any kind of media that contains cardholder data.
- Classify credit card media so that it can be identified as confidential.
- Management approval should be obtained prior to moving any and all media containing cardholder data from a secured area.
Securely Store and Retain Cardholder Data
- Under no circumstances should a department create or store electronic files of customer credit card numbers and expiration dates (including spreadsheets, databases).
- Do not store the card-validation code or value, which is the three-digit or four-digit number printed on the front or back of a payment card. This is normally used to verify identity when the credit card is not available to swipe.
- Do not store the personal identification number.
- Physically secure all paper and media that contain cardholder information.
- Store credit card settlement tapes in a secure, locked (limited access) area.
- Store any credit card data for which there is a business need to keep in a secure, locked area.
- Limit the retention time of credit card data to that which is required for business, legal, and/or regulatory purposes. This should not exceed a year.
- Destroy media containing cardholder information when it is no longer needed, according to the department retention policy.
- Cross-cut shred hardcopy materials so that cardholder data cannot be reconstructed.
Section III – Credit Card Transactions Processed by the Customer through a Web Site with a Hosted Payment Gateway – Self Assessment Questionnaire A (SAQ A)
Note: Section I should also be used in conjunction with this section when developing a department’s individual policies.
Section III pertains to a secure website accepting payments through a hosted payment gateway, where both the website and the payment gateway have been authorized by Student Account Services. Student Account Services will meet with the department to review the department's plan for a website, discuss services that are centrally provided to accommodate web processing, and provide advice and guidance regarding proposed options and/or vendors. To be approved as a secure website accepting payments through a hosted payment gateway, the following conditions must be met:
- Electronic files containing customer credit card numbers and expiration dates are not created or stored (including spreadsheets, databases).
- The security code or value is not stored. This is normally used to verify identity when the credit card is not available to swipe.
- The personal identification number is not stored.
- Department employees do not enter credit card data on behalf of the customer into the web site.