- Accounting & Financial Reporting
- Accounts Payable
- Auxiliary Services
- Business Services
- Card Programs
- Central Processing Center
- Employee Reimbursement
- Financial Commitment
- Financial Planning & Budget
- Financial Services
- Parking and Card Services
- Real Estate
- Risk Management & Insurance
- Treasury & Investments
- Cash Management and Banking Services
- Merchant Card Services & E-commerce
- Special Events Loaner Credit Card Terminal
- Policies & Procedures
- Credit Card Training
- PCI Compliance Committee
- Credit Card Security FAQ's
- Credit Card Security Tip Sheet
- Credit Card Acceptance
- Endowment and Investment Management
- Debt Management
- Contact Treasury & Investments
- Vice President and Chief Financial Officer
Credit Card Security FAQ's
- Who does the credit card environment policy cover?
- What does the credit card environment policy cover?
- Who should have access to our customers' credit card information?
- How long do we have to retain credit card data?
- How do we protect cardholder data we accumulate and store?
- What are the risks to the University if we fail to follow the PCI Standards?
- What is your responsibility?
- What is the simplest way for me to comply with the credit card environment policy?
- What about the credit card information included with the Deposit of Funds Form?
- Whom do I contact in the case of an emergency?
- Still have questions?
Who does the credit card environment policy cover?
It covers everyone involved with gathering, processing or storing the credit card information we collect within the University.
What does the credit card environment policy cover?
It covers all the credit card and cardholder information that is gathered throughout the University
- How we process credit card transactions
- What we do with all of the credit card receipts and reports
- What we do with the credit card information we gather
- How we dispose of the information after it has served its business purpose
Who should have access to our customers' credit card information?
Only individuals with a "need to know" purpose should have access.
- Never attach receipts with the full credit card number to the web deposit that is sent to the Treasurer's Office.
- Never e-mail or electronically transmit full credit card numbers, unless they are encrypted
How long do we have to retain credit card data?
- Visa, MasterCard and Discover allow customers' to dispute charges up to 18 months from the date of the original transaction.
- American Express allows disputes up to 12 months from the date of the original transaction.
How do we protect cardholder data we accumulate and store?
- Store only the most necessary information
- Never store the full credit card number unless there is a specific business purpose
- Store information in a secure area, preferably in a locked container marked "Confidential"
- Limit access to the secure storage area - only employees or third-parties that require access to the area should be allowed
- An employee with legitimate access should always accompany other employees or third-parties needing access to the storage area
What are the risks to the University if we fail to follow the PCI Standards?
- Disciplinary actions
- Penalties - both for the University and individually
- Loss of the privilege to accept credit cards /li>
What is your responsibility?
Do your best to protect the cardholder data. Treat it as if it were your own. The ability to accept credit cards is a privilege not a right.
What is the simplest way for me to comply with the credit card environment policy?
Keep the policy handy, consult and follow it! Here are a few simple rules:
- Process cardholder data in a timely manner
- Properly destroy all cardholder data that will not be retained
- Retain or store only the necessary cardholder information
- Never retain or store the full credit card number
- Never collect the three digit CVV code
- Do not e-mail unencrypted credit card information
- Do not collect customer PIN numbers
- Make sure access to the stored data is limited and the data is secured and protected
What about the credit card information included with the Deposit of Funds Form?
- Do not send cardholder receipts with the web deposit - Treasurer's Office does not need or want that detailed information.
- Attach and send only a transaction summary, settlement, batch or close report with individual card type subtotals to the Treasurer's Office.
- Include the applicable merchant ID # on the DOF form. The Treasurers Office has a record of all the merchant ID #'s.
- The completed DOF form should show the total deposit by credit card type with an attached report that supports the information entered on the form.
Whom do I contact with questions or in the case of an emergency?