Subject Area: Cash Management
Responsible Office: Office of the Bursar
Sponsor: Chief Financial Officer
Originally Issued: November 2006
Revised: January 2010; August 2012
Refer Questions To: Michael Kocelko, 773-702-3951
Purpose: To mitigate the risk to the University inherent in the acceptance and processing of credit card transactions, to assign the authority and responsibility for such transactions, and to insure compliance with applicable laws and regulations, such as those maintained by the Payment Card Industry Security Standards Council.
- This policy applies to all forms of credit card processing on behalf of the University or by affiliates using University systems. Credit card processing includes any payment card transaction (whether credit card, debit card, or other instrument linked to such a card) or other transmission, processing or storage of credit card data regardless of the means by which that transaction is actuated. This includes transactions initiated in-person, via the telephone or other telephonic means, in paper form, by US mail or other courier, through a terminal, kiosk, computer system, website, mobile device or any other means. This policy applies to whether the processing is performed by the University or by an outside party acting as a service provider to the University.
- This Policy applies to existing, new and changed services.
- All units that wish to process credit card transactions must establish a valid business purpose and become familiar with IT Services policy for eCommerce. All units that are currently accepting or would like to accept credit card payments are required to: review and become familiar with the Information Technology Services (IT Services) policy for eCommerce (IT Services Information Security Policy for eCommerce Payment Card Applications), to request and obtain approval from the Bursar’s Office and from IT Services before initiating any credit card transactions, and to establish the valid business purpose of the proposed arrangements.
- All units that wish to process credit card transactions must obtain a University credit card merchant ID account from the Bursar’s Office. Units within the University or affiliates using the University’s systems may not negotiate their own contracts with credit card companies, processors, or external services that accept credit card payments on the University’s behalf. A University department accepting credit cards is deemed a credit card merchant. Only the Bursar’s Office is authorized to issue University credit card merchant ID account numbers, which are required for University acceptance of credit card payments and to enable deposits through the Bursar’s Office. University departments must comply with this policy and all related security policies in order to maintain their credit card merchant IDs. Credit card merchants are expected to protect cardholder data and prevent the unauthorized use of that data. Cardholder data refers to information printed, processed, transmitted or stored in any form from a credit card. Cardholder data elements include the primary account number (PAN), cardholder name, service code, and expiration date. Units may retain only the first six (6) digits and/or last four (4) digits of the PAN, as these data are not considered to be cardholder data under PCI DSS.
- All system and service components utilized for credit card processing must be purchased through an approved University vendor for such purposes. The University has established contracts, incorporating the necessary security provisions, for many system and service components needed for the acceptance and processing of credit card transactions. Where such contracts exist, all units processing credit card payments, e.g., through the World Wide Web, are required to use them. If a required service is not already covered by a University contract, the unit must work through Procurement and Payment Services to identify and contract for approved necessary services and ensure the security of those services. Procurement and Payment Services will engage IT Services and the Bursars Office in the approval process.
- All devices used to process credit card transactions must be approved by IT Services prior to credit card processing. Any University computer, Web site, software application, Point-Of-Sale terminal, credit card reader or other device connected to the campus network or phone system that is involved in any way in the processing of credit card payments must undergo a security review by and receive approval from IT Services before credit card processing can begin. Any computer system used in any way in credit card payment processing must be registered with IT Services by the unit as a regulated computer and maintained in accordance with the IT Services Regulated Computer Policy. Such systems and devices may be required to undergo periodic internal or external security scans. Any costs related to these internal or external scans are the responsibility of the merchant unit.
- Credit card information is not accepted via e-mail, fax, and fax-to-e-mail and units may not retain any paper records with credit card information. The University accepts credit card transactions in face-to-face, mail order, telephone order, or Web environments. Departments and merchants may not process credit card information transmitted via e-mail, fax, fax-to-email, or store that data on any University computer, storage device, or other electronic medium. If an email containing cardholder data is received, it should be deleted immediately by the recipient, and the sender informed (a) that their transaction was not processed, and (b) of the acceptable channels for the transaction. Any associated paper or other records or reports containing credit card customer information shall not be maintained unless absolutely necessary as determined by the unit or divisions Associate Dean for finance or equivalent. If absolutely necessary to maintain, the paper shall be stored in locked and secured cabinets. Access to credit card information and the processing of credit card payments should be limited to those individuals whose job requires such access, and all access must be recorded on a paper log. All records including the access log should be retained in accordance with Financial Policy 2708: Managing University Records. Paper records that exceed the retention guidelines outlined in Policy 2708 should be disposed of through secure shredding.
- Departments are responsible for informing the Bursar’s Office of all employees in their unit who accept or process credit card transactions.
- Departments who suspect a breach and/or fraud involving credit cards should contact the University of Chicago Police Department immediately.
- Employees involved with credit card processing must certify annually compliance with applicable credit card processing policies. At least annually, all University personnel with responsibilities that require, or could reasonably require, them to access eCommerce computing resources or data in support of the eCommerce infrastructure or eCommerce applications are required to review this policy and the IT Services Information Security Policy for eCommerce Payment Card Applications and indicate their compliance with the same.
- Annual training is mandatory for any employee involved with credit card processing. All employees involved in credit card acceptance and processing must complete an annual certification of compliance training. Additionally, new employees involved in credit card acceptance and processing must complete training before they can assume credit card acceptance and processing responsibilities in their area. Failure to complete training successfully may result in the loss of the merchant’s ability to process credit card transactions.
- Units are responsible for timely communication with the Bursar’s Office or IT Services regarding any credit card inquiries or requests for information. All university merchants must respond to communications from the Bursar’s Office or IT Services regarding credit card processing in a timely manner, including any surveys, annual questionnaires, or other inquiries. Some of these communications may be date sensitive, and failure to respond appropriately within the period indicated may result in the loss of the merchant’s ability to process credit card transactions.
- Units are fully responsible for any and all fees associated to the merchant ID. The University is charged fees on all credit card transactions. At month end, these fees will be charged to the unit based on that unit’s activity. Additionally, some service providers may impose annual, one-time, or other fees for their services, and these are the responsibility of the merchant department. Any fines or other fees and costs resulting from non-compliance with Payment Card Industry security standards, including but not limited to those resulting from breaches of security or failure to complete annual training, will be the responsibility of the department where the failure occurred.
- Non-compliance with this policy may result in termination of card processing abilities for the individual and/or unit. Units or individuals found to be acting outside of this and related policies or establishing non-approved credit card processing arrangements will have their card processing terminated, and the unit will be responsible for any costs associated with this termination.