Credit Card Processing Policy for University Merchant Locations

Policy Section
Cash Collection, Deposits & Reconciliation

Effective Date
September 20, 2019
Last Updated
July 16, 2024
Responsible Executive
Vice President for Finance and Treasurer
Responsible Office
Office of Finance and Treasury
Contacts
Jody Antenucci
Cash Manager
(609) 258-6389
Pieter Richards
Systems Manager
(609) 258-7236

Summary

Princeton University is committed to conducting its academic and administrative responsibilities in an ethical and lawful manner, including exercise of best practices in protecting personally identifying information and compliance with the Payment Card Industry Data Security Standard (PCI-DSS). This policy establishes compliance criteria that must be satisfied to allow credit or debit cards as a form of payment. It defines the responsibilities of a department that accepts, captures, stores, transmits, or processes credit or debit card payments through automated systems or manual procedures, including these responsibilities related to PCI Compliance:

  1. Mandatory compliance with Payment Card Industry Data Security Standards (PCI-DSS)
  2. Required Procedures and Internal Controls for Credit and Debit Card Handling
  3. Required training in PCI Compliance and General Information Security
  4. Required annual attestation of PCI compliance

Since any unauthorized exposure of credit or debit card information could subject the University to significant financial penalties and reputational damage, failure to comply with the policy contained within this document will be considered a serious matter.

II. Who is Affected by this Policy

This policy affects all faculty, staff, students, or other individuals who accept capture, store, transmit, or process credit or debit card transactions on behalf of the University. Some examples of common credit and debit card handling activities include: processing contributions to the University; processing transactions that sell tickets, products, or other goods or services on behalf of the University, including student organizations, agencies, or clubs; accessing computer hardware and software that contain credit or debit card information; shredding credit or debit card information.

III. Definitions

Cardholder Data Environment (CDE) 
The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. 

Credit Card 
A payment card used in credit transactions which is issued to cardholders by a financial institution, and is commonly accepted as a form of payment. A credit card allows its holder to buy goods and services based on the holder's promise to pay for these goods and services.

Debit Card

A payment card that is used to deduct the amount of a purchase directly from the bank account to which the card is linked.

Department
A department is any academic or administrative unit of the University (including student agencies, organizations, and clubs) that operates under the University’s tax identification number and whose staff members are employees or students of the University.

Media
Computers, removable electronic media, paper receipts, paper reports, answering machines, faxes any other item that contains cardholder information.

Merchant Account
An account that allows a business to act as a merchant location that accepts and processes credit and debit card payments. The Office of Finance and Treasury is the merchant account holder and controls accounts operating under the University’s taxpayer identification number (TIN) at a partner banking institution. 

Merchant Services Provider
A bank, internet service provider, or other firm that provides services related to processing of debit and credit card transactions. The University’s merchant services provider is the financial institution that serves as a liaison between University departments and the payment card companies. In the context of this policy, the University’s banking partner is the merchant services provider.

Merchant Location 
Any University department that operates a merchant account, by accepting credit and debit card payments.

Penetration Tests
A simulated attempt to hack into the University’s PCI compliant computing environment.

PCI-DSS 
The Payment Card Industry’s Data Security Standard, or “PCI-DSS”, was created to reduce losses related to credit or debit card fraud.

PCI Service Providers
Companies providing software or services related to the security of cardholder data. Examples include hosting providers, vendors providing secure gateways, managed firewalls, intrusion detection systems and other services related to PCI compliance. Entities such as telecommunications carriers that only provide communication services without access to the application layer of the communication link are excluded.

Qualified Security Assessor (QSA) 
A person who has been certified by the PCI Security Standards Council to audit merchants for Payment Card Industry Data Security Standard (PCI-DSS) compliance. QSAs also conduct vulnerability scans, penetration tests, and gap analyses, and provide advice to merchants related to their PCI compliant systems and processes.

Self-Assessment Questionnaire (SAQ)
Questionnaires developed by the payment card industry which merchants must complete in order to certify that they are processing credit or debit card transactions and storing/handling cardholder data according to PCI-DSS requirements.

Vulnerability Scan
Scan of the University’s PCI compliant computing environment that identifies potential vulnerability to security threats. 

IV. Policy

Princeton University Merchant Accounts
All University merchant accounts must be authorized and established by the Treasury Planning and Operations department, and must transmit credit card receipts to Princeton University’s main bank account. 

The department must demonstrate a valid business need for a merchant account and demonstrate certain business operation and financial management criteria. Please see the Merchant Accounts page for more information about requirements and the procedure for securing approval for a new merchant account.

PCI Service Providers
Departments must notify Finance Technology, and conduct required due diligence, including an ASR (Architecture and Security Review) by the Office of Information Technology, prior to engaging a service provider that handles cardholder data on behalf of the University. Service providers must contractually guarantee the security of cardholder data that they store, process, or transmit. All such PCI Service Providers and associated contracts must be reviewed and approved by the Office of Finance and Treasury. 

Public-Facing Web Applications
Any public-facing web application, including Princeton University websites, that accept online payment by credit or debit card must be reviewed and approved by Finance Technology, and must use a PCI compliant gateway provider to capture and transmit cardholder data to the University's payment processor. Princeton University web servers must be located in a PCI Compliant environment approved by the Office of Information Technology (OIT).

Use of the University Network to Process Credit or Debit Card Transactions
Even though an organization may be authorized separately to use the University network for other activities per the Acceptable Use Policy For Princeton University Information Technology And Digital Resources, only departments of the University are permitted to use the University’s network to process credit or debit card transactions

Payment Card Industry (PCI) Compliance
There are five main areas of PCI compliance:

1. Mandatory Compliance for Departments that Accept Credit and Debit Card Payments 
Any department that accepts credit and debit card payments is a merchant location and must comply with the PCI-DSS requirements and other University requirements set out in this policy and its procedures. Compliance with PCI-DSS is required even if the department or a service provider engaged by the department, doesn’t directly store any credit card data.
 
2. Required Procedures and Internal Controls for Credit and Debit Card Handling 
Each department that accepts, captures, stores, transmits, or processes credit or debit card payments through automated systems or manual process must exercise the following internal controls and follow the required procedures listed below: 

     1. How to Accept and Process Credit and Debit Card Transactions - Credit and debit card payments may be accepted using only approved terminals and devices. Terminals must be kept in a secure location and inspected periodically for tampering or substitution. In addition, the segregation of processing and reconciling duties is required in departments. 
     2. How to Securely Handle Cardholder Information - Departments that handle credit and debit card information must do so securely, and according to a documented procedure that is approved by Finance Technology. 

Credit and debit card information may NOT be stored on the hard drive of any personal computer, laptop, tablet or smartphone, on the hard drive of any computer server or network storage device, or any removable storage medium, such as DVDs, CDs, thumb drives, USB keys, etc.

Each person who has access to credit or debit card information is responsible for protecting the information and destroying it as soon as it is no longer necessary in compliance with the University’s Information Security Policy.

3. Required Training in PCI Compliance and General Information Security
Only authorized individuals who have successfully completed approved University training in PCI Compliance and General Information Security may process credit and debit card transactions or handle cardholder information on behalf of the University. 

 Students and employees of the University with access to cardholder data must complete the University’s PCI compliance training program annually, available online through the Employee Learn Center. Other individuals, including contractors and volunteers who accept or process credit or debit cards on behalf of Princeton University, must also be trained annually, but may receive training specifically designed for their role by Finance Technology. Individuals who are new to the role must be trained prior to taking on their credit or debit card handling duties.

 Academic and administrative managers, deans, and directors are responsible for ensuring that all individuals who handle cardholder data for their Merchant Location, including volunteers, receive appropriate training. A record of individuals who are authorized to accept and process credit or debit cards at each location, and the date that each authorized individual was trained, must be maintained by the Department and submitted as part of the annual attestation to Finance Technology.

4. Required Departmental Attestation of PCI Compliance
In order for the University to attest to compliance with PCI-DSS requirements, senior academic and administrative department managers responsible for the University’s merchant locations must understand how their location processes credit card transactions, and must complete and submit an annual Departmental Attestation of PCI Compliance to Finance Technology.

5. Collecting Sales Tax and Providing Receipts

Departments accept these key responsibilities, which are required components of credit and debit card transactions:
• To collect and record tax on any applicable sales transactions. Please refer to the New Jersey Sales Tax Guide for a list of items for which the University must collect and withhold tax.
• Reconcile credit and debit card transactions promptly

Suspected Illegal Activity
If a breach of credit or debit card information is suspected or has occurred, the person suspecting the breach must notify the Department Manager immediately. The Department Manager should contact the OIT Service Desk at 258-HELP and indicate that a credit card data breach may have occurred. If the Department Manager is unavailable at the time, the person suspecting the breach should call the OIT Service Desk directly.

Compliance with this Policy
If a department or individual fails to comply with this policy, it may result in the revocation of the ability to process credit and debit card transactions and could lead to disciplinary action, up to and including involuntary termination. Possible subsequent penalties to the University include increased credit and debit card transaction fees, a suspension of credit and debit card services for the entire University, annual audits, and fines.  


 

Revision Log

7/16/2024 - Updated policy and procedures to reflect PCI DSS 4.0 requirements. 
9/29/2023 – Added, Card Holder Data Environment to the definitions. Removed old references to PCI computing environment. Updated procedures: “How to Accept and Process Credit and Debit Card Transactions”, and “How to Securely Handle Cardholder Information 
9/20/19 - General: Updated Cash Management to Cash and Investment services, changed to Finance Technology where appropriate; General language clean-up, remove redundant information, updated links; Updated contacts.
Definition: Made definition of Debit Card consistent with Cash and Check Handling Policy; Combined Merchant Account and Merchant Account Holder.
Policy: Included “or debit” in Public-Facing Web Applications; General updates to the procedure section of the procedure documents linked under Required Procedures and Internal Controls for Credit and Debit Card Handling; Direction for Suspected Illegal Activity rewrite in process with OIT, expect updated language in November or December, 2019; Updated language in Compliance with this Policy section to be consistent with compliance language in Cash and Check Handling Policy.
Procedures: Created 2 new documents to replace the current version; Removed redundant language; Removed reference to project grant statement and replaced with ledger detail report; Updated Cash Management to Cash and Investment services, changed to Finance Technology where appropriate. Note – these documents may require further rewrite post-launch for usability.
Forms: Continue to point to the current attestation form, but new versions are pending in the coming months.
Contact Roles and Responsibilities: Remove, not required.