Purpose
The University accepts Credit Cards for payment of goods and services under controlled conditions to protect against the exposure and possible theft of account and personal cardholder information that has been provided to Illinois State University; and to comply with Payment Card Industry (PCI) requirements which became effective June 30, 2005. The University must adhere to these standards to limit its liability and continue to process payments using payment cards.
Scope
This policy applies to all Illinois State University departments and affiliated units, employees, contractors, consultants, temporaries, and other workers. This policy is applicable to any unit that processes, transmits, or handles cardholder information in a physical or electronic format. All computers and electronic devices at Illinois State University involved in processing payment card data are governed by the PCI Data Security Standard.
This includes servers which store payment card numbers, workstations which are used to enter payment card information into a central system (for example, ordering tickets over the phone), and any computers or credit/debit card swipe devices through which the payment card information is transmitted.
Policy
All transactions that involve the transfer of credit card information must be performed on systems approved by the Comptroller’s Office and will include a compliance and security review. Any specialized servers that have been approved for this activity must be housed behind a University Data Center firewall, approved by the Comptroller, and must be administered in accordance with the requirements of all Illinois State University and PCI policies.
Departments involved with the acceptance and processing of credit cards for payment of goods and services must design adequate processes to ensure the following are maintained:
- Approval of the Comptroller’s Office before entering into any contracts or purchases of software and/or equipment related to credit card processing. This requirement applies regardless of the transaction method or technology used (e.g. e-commerce, POS device).
- Departments must comply with the Payment Card Industry Data Security Standard.
- Establish departmental procedures for safeguarding cardholder information and secure storage of data. This pertains to ALL transactions initiated via the telephone, over the counter, mail order, Internet, etc.
- Credit card numbers must not be transmitted in an insecure manner, such as by e-mail, unsecured or stored fax (including RightFax or similar networked fax servers), or through campus mail (sealed envelopes must be used).
- Sensitive cardholder data [i.e., full account number, card type, expiration, PIN, and card-validation code (three-digit or four-digit value printed on the front or back of the card)] should not be stored in any University system, personal computer, or e-mail account.
- Do not print the entire credit card number on either the department copy or customer copy of any receipts. Old receipts with the entire credit card number should have all but the last four digits blacked out. Do not print the full credit card number under any circumstances.
- All documentation containing card account numbers must be stored in a secure environment until processed. Secure environments include locked drawers and safes, with limited access to only individuals who are processing the credit card transaction. Processing should be done as soon as possible and the credit card number should immediately be blacked out to the last four digits and the card expiration date must be masked.
- Stored credit card information will be retained according to the approved document retention policy. All media used for credit cards must be destroyed when retired from use. All hardcopy must be shredded prior to disposal.
- Background checks must be performed prior to hiring of any positions with access to stored cardholder information.
- Credit card handlers and processors must agree (in writing) not to disclose or acquire any information concerning a cardholder’s account without the cardholder’s consent, and to follow all PCI standards.
- Require all personnel involved in credit card handling to attend card security training every year in conjunction with required PCI audits.
- Assign an individual to administer the control of log-in privileges, limit software access to secure locations, delete access to software for terminated employees, and do not use vendor-supplied defaults for system passwords.
- Units using third-party software, including cash register systems, are prohibited from storing complete payment card numbers on University computers at any time.
- Contractually require all third parties with access to cardholder data to adhere to PCI security requirements and provide proof of PCI certification to the merchant department.
Procedures
All credit card and debit card processing contracts and renewals, including web-based procurement, must be initiated and approved through the Comptroller’s Office. Because the sale of goods and services to entities outside the university community may raise special considerations (e.g., unrelated business tax, accounting, legal, etc.), business plans concerning credit sales should also be reviewed by the Comptroller’s Office. Forms for initiating services are on the Comptroller’s Web page.
Illinois State University’s preferred credit system is Touchnet, a web-based solution for credit card sales. After review by the Comptroller’s Office, a specialized Merchant Number will be established and Touchnet will provide the secure payment mechanism. The department will work with Institutional Web Support and Administrative Information Systems to create their web site and integrate the payment mechanism with the Touchnet system.
Technical instruction and documentation are available on the Comptroller’s web site. Once the payment program is properly configured to pass the required parameters to the Touchnet system, secure payment will be executed, and approval codes and other related elements will be returned to the originating web site. In addition, the accounting of the journal entry will be made automatically.
Departments who need to accept credit/debit cards through a physical terminal or a Data Capture machine for either swipe or keyed transactions need to contact the Comptroller’s Office to execute the required paperwork, obtain a Merchant Number, receive training, and be given direction as to the accounting of those transactions on the books of the University. Data Capture machines must be configured according to PCI requirements to meet security standards and certified as required by University policy.
Under no circumstances will it be permissible to obtain credit card information, or transmit credit card information by e-mail.
The Comptroller’s Office has established the E-commerce Committee to review all proposed business plans involving credit card sales over the internet. The committee will include, but is not limited to, representatives from the Comptroller’s Office, Administrative Information Systems, Institutional Web Support and Telecommunications and Networking.
- The E-commerce Committee will review each proposal for intended business purpose, consistency with the University's mission and policies, and selling department’s ability to support an E-commerce activity.
- Following review and approval, the Comptroller’s Office will notify the requesting department of approval status, determine the appropriate accounts and revenue object codes to be credited for sale proceeds, and issue a unique merchant ID identifier for the selling department.
- Any significant changes to approved Business Plans must be reviewed and approved by the E-commerce Committee prior to implementation. The changes include changes to the departmental Web site, products or services to be sold, intended customer base, anticipated transaction volume, outside advertising, application software, or changes in the departmental contacts responsible for the e-commerce business plan. Proposed changes should be routed to the Comptroller's Office.
Sanctions
Departments not complying with this policy may lose the privilege to serve as a credit card merchant. Additionally, fines may be imposed by the affected credit card company, beginning at $50,000 for the first violation.
Persons in violation of this policy are subject to the full range of sanctions, including the loss of computer or network access privileges, disciplinary action, suspension, termination of employment and legal action. Some violations may constitute criminal offenses under local, state, and federal laws. The University will carry out its responsibility to report such violations to the appropriate authorities.
Definitions and Resources
A. PCI: The PCI Standard is the result of collaboration between the four major credit card brands to develop a single approach to safeguarding sensitive data. The PCI standard defines a series of best practices for handling, transmitting and storing sensitive data.
B. Cardholder data: Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, or Card Validation Code (e.g., the three-digit or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2 data).
C. Merchant: any person or department accepting money for goods or services. Includes conference registrations, memberships, fees, etc.
D. Resources & Links
- Information on Accepting Credit Cards - Comptroller's Office
- See the VISA web site for the following:
  - Payment Card Industry (PCI) Data Security Standard
  - PCI Self-Assessment Questionnaire
  - PCI Security Scanning Procedures
  - Top Five Data Security Vulnerabilities Identified to Promote Merchant Awareness - Aug. 2006
- PCI Security Standards Council