Policy identification number: To come...
Accepting and Processing Credit Cards
This policy ensures that the College is in compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account data security. PCI DSS compliance is mandatory for any organization that collects, processes, or stores credit card information.
Vice President for Finance and Administration
March 18, 2015
March 18, 2015
Scheduled for Review
This policy applies to all forms of credit card processing on behalf of the College. Credit card processing includes any payment card transaction (whether credit card, debit card, or other instrument linked to such a card) or other transmission, processing or storage of credit card data regardless of the means by which that transaction occurs. This includes transactions initiated in-person, via the telephone or other telephonic means, in paper form, by U.S. mail or other courier, through a terminal, kiosk, computer system, website, mobile device or any other means.
II. Credit Card Processing
III. Reason for Policy
To mitigate the risk to the College inherent in the acceptance and processing of credit card transactions, to assign the authority and responsibility for such transactions, and to ensure compliance with applicable laws and regulations maintained by the Payment Card Industry Security Standards Council through its Data Security Standard (PCI DSS).
Controller’s Office responsibilities: The Controller’s Office will provide guidance to departments that accept payments, including the security for credit card transactions, and will act as the main point of contact for the merchant services company that processes credit card transactions. The office will provide daily oversight of all credit card transactions and reconcile credit card transactions. The office will assist the Information Technology Department (IT) in responding to PCI self-assessment questionnaires and other surveys.
IT responsibilities: IT will maintain all internal infrastructure-related issues for PCI compliance. In the event of unauthorized access or disclosure (breach) of credit card numbers, IT will notify the individuals of the security breach within 14 days, provided notification will not impede a law enforcement investigation. IT will respond to self-assessment PCI compliance surveys from merchant services companies.
Department responsibilities: Departments that accept payment for services shall adopt processes that protect credit card data. Departments are responsible for timely communication with the Controller’s Office or IT regarding any credit card inquiries or requests for information, such as for surveys and questionnaires regarding credit card processing. Departments that suspect a breach and/or fraud involving credit cards should contact the Controller’s Office immediately. Departments must inspect their point-of-sale devices on a regular basis, and should notify the Controller’s Office or IT if something appears to be changed, added or different.