Credit Card Processing Policy for University Merchant Locations

EFFECTIVE DATE: December 1, 2014 |LAST UPDATED: February 16, 2017 | Policy Section: cash-handling-receipts-1

Responsible Executive

Carolyn Ainslie, vice president for finance and treasurer

Responsible Office

Office of Finance and Treasury

Contact

Peter Krivcov, director, asset administration, pkrivcov@princeton.edu or (609) 258-5051

I. Policy StatementBACK TO TOP

Princeton University is committed to conducting its academic and administrative responsibilities in an ethical and lawful manner, including exercise of best practices in protecting personally identifying information and compliance with Payment Card Industry (PCI) Data Security Standards. This policy establishes compliance criteria that a department (as defined in section IV) must satisfy to be allowed to accept credit or debit cards as a form of payment. It defines the responsibilities of a department that accepts, captures, stores, transmits, or processes credit or debit card payments through automated systems or manual procedures, including these responsibilities related to PCI Compliance:

  1. Mandatory compliance with Payment Card Industry Data Security Standards (PCI-DSS)
  2. Required Procedures and Internal Controls for Credit and Debit Card Handling
  3. Required Training in PCI Compliance and General Information Security
  4. Required Annual attestation of PCI compliance

Since any unauthorized exposure of credit or debit card information could subject the University to significant financial penalties and reputational damage, failure to comply with the policy contained within this document will be considered a serious matter.

II. Who is Affected by this PolicyBACK TO TOP

This policy affects all departments of the University including all faculty, staff, and students who accept capture, store, transmit, or process credit or debit card transactions on behalf of the University. For the purpose of this policy, a University department is defined as any academic or administrative unit of the University (including student agencies, organizations, and clubs) that operates under the University’s tax identification number and whose members are employees or students of the University. In addition, this policy applies to any individual or volunteer who, on behalf of a University department, accepts, captures, stores, transmits, or processes credit or debit card payments for transactions.

Some examples of common credit and debit card handling activities include: processing contributions to the University; processing transactions that sell tickets, products, or other goods or services on behalf of the University, including student organizations, agencies, or clubs; accessing computer hardware and software that contain credit or debit card information; shredding credit or debit card information.

III. Definitions

Credit Card
A banking instrument used in credit transactions which is issued to cardholders by a financial institution, and is commonly accepted as a form of payment. A credit card allows its holder to buy goods and services based on the holder's promise to pay for these goods and services.

Debit Card
A banking instrument used in cash transactions. Although it may display a MasterCard or Visa logo, a debit card is not a credit card. A debit card typically withdraws funds from the cardholder’s bank account, and pays the funds to an account designated by the payee. Some debit cards have a stored value from which a payment is made. A debit card is commonly accepted as an alternative payment method to cash or check for purchase of goods or services.

Department
For the purposes of this policy, a department is any academic or administrative unit of the University (including student agencies, organizations, and clubs) that operates under the University’s tax identification number and whose staff members are employees or students of the University.

Media
Computers, removable electronic media, paper receipts, paper reports, answering machines, faxes any other item that contains cardholder information.

Merchant Account
A account that allows a business to act as a merchant location that accepts and processes credit and debit card payments. In the context of this policy, the Office of Finance and Treasury controls merchant accounts operating under the University’s taxpayer identification number (TIN) at a partner banking institution.

Merchant Account Holder
The entity that enters into an agreement with a merchant service provider for processing of credit and debit card transactions. In the context of this policy, the Office of Finance and Treasury is the University’s merchant account holder.

Merchant Services Provider
A bank, internet service provider, or other firm that provides services related to processing of debit and credit card transactions. The University’s merchant services provider is the financial institution that serves as a liaison between University departments and the payment card companies. In the context of this policy, the University’s banking partner is the merchant services provider.

Merchant Location
Any University department that operates a merchant account, by accepting credit and debit card payments.

Penetration Tests
A simulated attempt to hack into the University’s PCI compliant computing environment.

PCI-DSS
The Payment Card Industry’s Data Security Standard, or “PCI-DSS”, was created to reduce losses related to credit or debit card fraud. Five members of the payment card industry, Visa, Master Card, American Express, Discover, and JCB, banded together to develop security standards for any organization that accepts, captures, stores, transmits, or processes credit and debit card information either manually or through an automated system.

PCI Service Providers
Companies providing software or services related to the security of cardholder data. Examples include hosting providers, vendors providing secure gateways, managed firewalls, intrusion detection systems and other services related to PCI compliance. Entities such as telecommunications carriers that only provide communication services without access to the application layer of the communication link are excluded.

Qualified Security Assessor (QSA)
A person who has been certified by the PCI Security Standards Council to audit merchants for Payment Card Industry Data Security Standard (PCI-DSS) compliance. QSAs also conduct vulnerability scans, penetration tests, gap analyses and provide advice to merchants related to their PCI compliant systems and processes.

Self-Assessment Questionnaire (SAQ)
Questionnaires developed by the payment card industry which merchants must complete in order to certify that they are processing credit or debit card transactions and storing/handling cardholder data according to PCI-DSS requirements. 

University PCI Computing Environment
Princeton University’s secure PCI Compliant network, also referred to as “The CAGE” that resides in the HPCRC. All Cardholder data that is electronically stored for any period of time by the University resides on the secure servers in the PCI Computing Environment.

Vulnerability Scan
Scan of the University’s PCI compliant computing environment that identifies potential vulnerability to security threats. 

IV. PolicyBACK TO TOP

Princeton University Merchant Accounts
All University merchant accounts must be authorized and established by Cash Management, and must transmit credit card receipts to Princeton University’s main bank account. 

Any department (as defined in section IV above) that wishes to become a University merchant location must contact Cash Management for prior approval. The department must demonstrate a valid business need for a merchant account and demonstrate certain business operation and financial management criteria. Please see the Merchant Accounts page for more information about requirements and the procedure for securing approval for a new merchant account.

PCI Service Providers
Departments must notify Cash Management, and conduct required due diligence, prior to engaging a service provider that handles cardholder data on behalf of the University. Service providers must contractually guarantee the security of cardholder data that they store, process, or transmit. All such PCI Service Providers and associated contracts must be reviewed and approved by Cash Management in the Office of Finance and Treasury. Departments must provide a copy of executed contracts, including contract renewals, and a Certification of PCI Compliance for all PCI service providers to Cash Management.

Public-Facing Web Applications
Any public-facing web application, including Princeton University websites, that accept online payment by credit card must be reviewed and approved by Cash Management, and must use a secure gateway to capture and transmit cardholder data to the University's payment processor. Princeton University web servers must be located in a PCI Compliant environment approved by OIT.
Use of the University Network to Process Credit or Debit Card Transactions

Even though an organization may be authorized separately to use the University network for other activities per the Acceptable Use Policy For Princeton University Information Technology And Digital Resources, only departments of the University are permitted to use the University’s network to process credit or debit card transactions. Departments that offer use of University servers or network space to organizations or individuals are required to inform such organizations and individuals that processing credit or debit transactions on University servers is prohibited.

Use of Princeton University's wireless network for transmission of cardholder data is not permitted, with the exception of special situations authorized by OIT.

Payment Card Industry (PCI) Compliance
Princeton University has designated a merchant service provider to process credit and debit card payments to the University. As a merchant account holder that accepts payment by credit or debit card, the University must comply with requirements established by the payment card industry in its Data Security Standard (PCI-DSS). Princeton University is committed to complying fully with the requirements of PCI-DSS, copies of which can be requested from Cash Management. There are four main areas of PCI compliance:

  1. Mandatory Compliance for Departments that Accept Credit and Debit Card Payments
    Any department that accepts credit and debit card payments is a merchant location and must comply with the PCI-DSS requirements set out in this policy and its procedures.
     
  2. Required Procedures and Internal Controls for Credit and Debit Card Handling
    Establishing appropriate internal controls and documenting credit and debit card handling procedures ensures the good stewardship and PCI-DSS compliance of credit and debit card transaction information. Each department that accepts, captures, stores, transmits, or processes credit or debit card payments through automated systems or manual process must exercise the following internal controls and follow the required procedures listed below:
    1. How to Accept and Process Credit and Debit Card Transactions - Credit and debit card payments may be accepted using only approved terminals and devices. Terminals must be kept in a secure location and inspected periodically for tampering or substitution. Card readers used in conjunction with cell phones and tablets are evolving technologies and are not permitted to be used for processing of credit and debit card transactions at this time. In addition, the segregation of processing and reconciling duties is required in departments. Please click here for the complete procedure.
    2. How to Securely Handle and Store Cardholder Information - Departments that handle credit and debit card information must do so securely, and according to a documented procedure that is approved by Cash Management. 

      Credit and debit card information may NOT be stored on the hard drive of any personal computer, laptop, tablet or smartphone, on the hard drive of any computer server or network storage device, or any removable storage medium, such as DVDs, CDs, thumb drives, USB keys, etc. However, in cases where there is a compelling business need and there is no reasonable alternative, Cash Management and the Office of Information Security may allow a department to store cardholder data on servers in the University’s PCI Computing Environment.

      Each person who has access to credit or debit card information is responsible for protecting the information, and destroying it as soon as it is no longer necessary, and in compliance with the University’s Information Security Policy.

      Please click here for the complete procedure on how to properly handle and store information.
  3. Required Training in PCI Compliance and General Information Security
    Only authorized individuals who have successfully completed approved University training in PCI Compliance and General Information Security may process credit and debit cards or handle cardholder information on behalf of the University.

    Students and employees of the University with access to cardholder data must complete the University’s PCI compliance training program annually. Other individuals, including contractors and volunteers who accept or process credit or debit cards on behalf of Princeton University, must also be trained annually, but may receive training specifically designed for their role by Cash Management. Individuals who are new to the role must be trained prior to taking on their credit or debit card handling duties.

    PCI Compliance training for students and employees with a University ID is available online in through the Employee Leaning Center. Contractors, volunteers, and other individuals who do not have a University ID and password must obtain access to the training program through their academic or administrative department manager. 

    Academic and administrative managers, deans, and directors are responsible for ensuring that all individuals who handle cardholder data for their Merchant Location, including volunteers, receive appropriate training. A record of individuals who are authorized to accept and process credit or debit cards at each location, and the date that each authorized individual was trained must be maintained by the Department, and submitted annually to Cash Management.
  4. Required Departmental Attestation of PCI Compliance
    In order for the University to annually attest to compliance with PCI-DSS requirements, senior academic and administrative department managers responsible for the University’s merchant locations must understand how their location processes credit card receipts, and must complete and submit to Cash Management a Departmental Attestation of PCI Compliance annually.

    Click here for a list of University merchant locations and the academic and administrative managers responsible for attesting to the PCI Compliance of each location. 

Collecting Sales Tax and Providing Receipts
Departments accept these key responsibilities, which are required components of credit and debit card transactions:

  • To collect and record tax on any applicable sales transactions. Please refer to the New Jersey Sales Tax Guide for a list of items for which the University must collect and withhold tax.
  • To routinely offer a receipt, and provide as requested.
  • To reconcile credit and debit card transactions promptly, according to the time frame specified in the above-mentioned How to Accept and Process Credit and Debit Card Transactions procedure.

Suspected Illegal Activity
If a breach of credit or debit card information is suspected or has occurred, the person suspecting the breach must notify the Department Manager immediately. The Department Manager should contact the OIT Help Desk at 258-HELP and indicate that a credit card data breach may have occurred. If the Department Manager is unavailable at the time, the person suspecting the breach should call the OIT Help Desk directly.

Compliance with this Policy
If a department or individual fails to comply with this policy, it may result in the revocation of the ability to process credit and debit card transactions and could lead to disciplinary action. Possible subsequent penalties to the University include increased credit and debit card transaction fees, a suspension of credit and debit card services for the entire University, annual audits, and fines.

V. Procedures BACK TO TOP

VI. Forms BACK TO TOP

VII. Contact Roles and Responsibilities BACK TO TOP

Cash Management Develops and implements policy and procedures for secure processing of credit or debit card transactions in conjunction with Office of Information Security. Approves and opens new merchant accounts. Manages relationship with merchant service provider and qualified security assessor Approves and monitors relationships with all University providers of PCI compliant software and services. Provides training for PCI Compliance in conjunction with the Office of Information Security. Works with Office of Information Security to complete SAQ D on behalf of the University . Monitors PCI compliance and co-ordinates annual University Attestation of PCI Compliance. Co-ordinates response to suspected or actual breach in security of credit or debit card information.
Office of Information Security Assists in development and implementation of University policy and procedures for secure handling and processing of credit or debit card transactions. Ensures PCI compliant systems are used to process and store cardholder data. Completes security assessment questionnaire SAQ D annually on behalf of the University. Conducts monthly internal vulnerability scans of University systems that store cardholder data. Facilitates and attests to quarterly external vulnerability scans and annual penetration tests conducted by QSA.
Academic and Administrative Department Manager of Merchant Account Locations Submits application for new merchant account. Authorize individuals in the department who process and handle credit and debit cards. Ensures all individuals handling cardholder data in the department are properly trained. Completes Departmental Attestation of PCI Compliance annually. Reports suspected or actual breach in security of credit or debit card information to the OIT Help Desk at 258-HELP.
Individuals who process credit cards or handle cardholder data Accept, process, handle and store cardholder data in accordance with PCI requirements. Complete annual PCI compliance training. Report suspected or actual security breach to department manager.
Qualified Security Assessor (QSA) Conducts quarterly vulnerability scans and annual penetration tests. Provides advisory services related to PCI Compliance.
Merchant Service Provider Processes credit and debit card transactions. Deposits credit or debit card receipts to the University’s concentration account.
Third Party Providers of PCI Compliant Software and Services Securely process, store, and transmit cardholder information in compliance with PCI DSS requirements.

VIII. Update Log BACK TO TOP


 

CONTACT US

finance@princeton.edu
Tel (609) 258-3080
Fax (609) 258-0442

Princeton University
Office of Finance & Treasury
701 Carnegie Center
Princeton, NJ 08540

Google Map
Princeton Shuttle

FINANCIAL SERVICE CENTER

7 New South
Tel (609) 258-3080
Fax (609) 258-5040
Open Monday through Friday,
8:45 am — 5:00 pm

SERVICES INCLUDE

Customer service, cashiering,
check pick-up, financial system access

FINANCE NEWSLETTER

The General Ledger is your link to updates on people, policies, and other information related to financial transactions at the University.

Download Current Issue
Download Past Issues
Subscribe

WE WANT YOUR FEEDBACK!

How can we better serve you? Submit comments, questions, and ideas to our customer service department.

finance@princeton.edu