Credit Card Payment
Reference: Credit Card Payment Security Policy
Deborah L. Ford
Campus Technology Services
Procedures for Credit Card Payment Security
Cashier's Office Responsibilities:
- Apply for and secure all campus merchant ID numbers.
- Establish and maintain a process for campus departments to accept credit cards.
- Reconcile monthly statements from credit card companies to the Shared Financial System.
- Ensure credit card processing fees are properly charged in accordance with State and University of Wisconsin-Parkside contracts.
- Ensure credit card processing fees are properly charged back to the appropriate department.
- Provide appropriate training to the campus on merchant card transactions.
- Maintain a central file of all documentation demonstrating all third-party service providers and payment application software's compliance with applicable requirements.
- Maintain written acknowledgements from all third-party service providers that they are responsible for the security of cardholder data that they store and process.
- Perform reconciliation of credit card merchant activity at least monthly.
- The Bursar will be responsible for approving any changes to a department's credit card processes and will update any policies and procedures for securing relevant paper and card processing devices.
- Complete the annual risk/security Self-Assessment Questionnaires A & B for departments that accept credit cards as required by applicable standards.
Campus Technology Services Responsibilities:
- Work to resolve exceptions pertaining to technology or electronic storage noted on the annual risk/security questionnaire/self-assessment and quarterly network scans.
- Perform network scans required to be PCI compliant.
- Complete the annual risk/security Self-Assessment Questionnaire C for departments that accept credit cards as required by applicable standards.
- Collect all unused, old and broken credit card machines and properly secure the equipment.
- Follow the Incident Response Plan.
Internal Audit Responsibilities:
- Provide overall guidance and leadership to the campus wide credit card compliance effort.
- Assume the role of monitoring the continuation of the overall effort by incorporating credit card risk into the overall audit plan.
- Annually review the Cashier's Office central file for documentation indicating third-party vendor and third-party payment application software PCI compliance status.
- Annually review the Cashier's Office central file for written acknowledgements from all third-party service providers responsible for the security of cardholder data.
- Annually review the completion of the Cashier's Office annual risk/security Self-Assessment Questionnaires A & B for departments accepting credit cards.
- Annually review the completion of the Campus Technology Services' annual risk/security Self-Assessment Questionnaire C and required quarterly scanning for departments accepting credit cards.
Departments Accepting Credit Cards Responsibilities:
- All departments that wish to accept credit cards must be established through the Cashier's Office. Departments are prohibited from obtaining merchant ID numbers directly from the credit card companies.
- Each department must keep current a contact person for the Cashier's Office.
- Credit card information can be accepted through a University of Wisconsin-Parkside authorized web application or by telephone, mail, or in person. Credit card information cannot be accepted and used via email.
- Departments accepting credit cards are responsible for training employees on credit card security. This type of training can be short (depending on the employee's role) but should include: preventing credit card fraud, protecting paper receipts, and securing any devices that process credit card transactions. All employees must be reminded annually that they cannot send full credit card numbers over e-mail or other insecure online methods (chat, instant messaging, etc.).
- Departments are not permitted to transmit, process, or store credit card information on University of Wisconsin-Parkside computer systems, fax machines, the Internet, e-mail or any removable electronic storage (USB memory stick, hard drive, zip disk, etc.); not even if encrypted.
- Departments cannot store credit card information on a local computer or server without the prior approval of Campus Technology Services and the Internal Auditor. Personnel who are approved to store credit card information must protect cardholder data in a manner consistent with all other PCI DSS requirements.
- Under no circumstances should the Card Identification Number (CID) be stored electronically or on paper. The CID number is the three digit security code on the back of the credit card. It is also referred to as the CVC2 and CVV2.
- Paper records must be stored in a locked room or file cabinet. Access to the storage area(s) must be limited to authorized personnel only. All stored information must be marked confidential.
- If it is absolutely necessary to record the entire credit card number to process the transaction, all but the last four digits of the credit card number must be blacked out so as to make the number completely unreadable.
- Credit card receipts that go to the customer may only show the last four digits of the credit card number.
- The original receipts, for all transactions which show the last four digits of the credit card number, must be retained in a secure location for a minimum of 12 months as required by the University of Wisconsin System Fiscal and Accounting General Records Schedule.
- There must be adequate separation of duty between any person authorized to issue a refund and the individual reconciling the account.
- When possible, refunds must be credited to the same credit card account from which the original purchase was made.
- Each department is responsible for following up and resolving disputed transactions.
- Each department is responsible for the access to the point-of-sale devices/terminals, payment applications, or computers. Departments are responsible for limiting access to employees who require access to do their jobs.
- Departments must work to resolve exceptions identified on the annual risk/security questionnaire/self-assessment. Departments should work with University of Wisconsin-Parkside's Campus Technology Services to address any exceptions pertaining to technology or electronic storage. Consult with Internal Audit as needed.
- All new employees handling cardholder data should receive initial training from the department supervisor or the Bursar.
- All unused, old and broken credit card processing machines must be turned into the Campus Technology Services.
- All changes to a Department's credit card processing procedures must be reported to the Bursar, Auditor and Controller.
- Follow the Incident Response Plan.
Incident Response Plan
The Incident Response Plan must be followed for all security-related incidents, such as a hacker breaking into a department's computer system, a robbery or missing credit card receipts, or an employee theft of customer card numbers.
All employees must notify the Controller in the event of a compromise to customer credit card numbers or to a card processing device. The Controller will immediately notify the Internal Auditor, Bursar and CTS personnel to review the related security incident. Within twenty-four hours of a security-related incident all findings must be presented to the Vice Chancellor for Finance and Administration. The Vice Chancellor for Finance and Administration will determine the appropriate notification to law enforcement agencies, our merchant bank, and the various card associations. (See Addendum)
Credit Card Payment Security Procedures Addendum
Vice Chancellor for Finance and Administration, 262-595-2141
Director of Campus Technology Services, 262-595-2010