
Credit and Debit Card Processing Policy

Purpose

To protect against the exposure and possible theft of financial account and Credit Card Information that has been provided to the University of Dayton during the course of business with the University; and to comply with laws and industry requirements regulating credit and debit card information and processing.

Scope

This policy applies to all University of Dayton departments, faculty, staff, students, organizations, and individuals who, on behalf of the University of Dayton, handle electronic or paper documents associated with credit and debit card transactions or accept payments in the form of credit and debit cards.  The scope includes any such activities conducted at all University of Dayton locations. 

This policy also applies to all external organizations contracted by University of Dayton departments, faculty, staff, students, organizations, and individuals who provide credit and debit processing services.

Policy History

Effective Date:  December 9, 2024

Approval:  December 9, 2024

Policy History:

  • While first approved on December 9, 2024, this policy combined and therefore replaced the following policies upon its Effective Date:
    • PCI General Policy (first approved August 2008)
    • PCI Systems Standards Policy (first approved August 2009)
    • Change Management for PCI Environments Policy (first approved August 2009)

Maintenance of Policy:  Vice President and Chief Information Officer, University of Dayton Information Technology (UDit) and Manager of Billing and Student Accounts, Office of Student Accounts

Definitions

(a)  "Application Server":  The computer hosting the application to which end-users or point-of-sale (POS) solutions connect.

(b)  "Credit Card Information":  Any cardholder or card information accessed to initiate a credit or debit card transaction.

(c)  "Credit Card Number":  Any part or all of the unique number identifying the credit or debit card account for a financial transaction.

(d)  "Credit Card Processing":  The process of storing, processing, or transmitting credit and debit cardholder data.

(e)  "Credit Card Processor":  A third-party vendor that processes credit and debit card transactions, routes payments to the University of Dayton accounts, charges discounts and adjustment fees, and generates statements.

(f)  "Database Servers":  The computer storing the sales and/or credit and debit card numbers.

(g)  "e-Commerce Application":  Any internet-enabled application used for financial transactions, whether a buying or selling application.

(h)  "Encryption":  The process of encoding data in a way that only authorized parties can decode.

(i)  "Merchant Identification Number (MID)":  A unique number identifying the unit accepting credit and debit cards for transactions.  This number is necessary to settle the credit and debit card transactions at the appropriate University of Dayton financial institutions.  It also identifies the specific merchant (departments, faculty, staff, students, organizations, and individuals) on the cardholder’s monthly credit or debit card statement.

(j)  "Online Credit Card Acceptance":  Credit and debit card payments submitted via the web using a third-party vendor’s software and passed onto the credit card processor for real-time authorization.

(k)  "Payment Card Industry Data Security Standard (PCI-DSS)":  A set of guidelines and rules administered by the PCI Security Standards Council to protect credit card information.  It's a mandatory standard for all merchants that process, store, or transmit cardholder data or sensitive authentication data.

(l)  "POS Solution":  Computer or credit card terminals either running as stand-alone systems or connecting to a server at either the University of Dayton or a remote off-site location.

(m)  "Sensitive Cardholder Data":  Any personally identifiable data associated with a cardholder, including, but not limited to, account number, expiration date, name, address, or social security number, CVC2 / CVV2 validation code (a three- or four-digit number imprinted on the card), and data stored on track 1 and track 2 of the magnetic stripe of the card.

Policy

All credit and debit card transactions, whether card-present or through Online Credit Card Acceptance, involve the processing, storage, and transmission of Credit Card Information.  These transactions must be performed on systems reviewed by UDit for compliance and security and approved by the University’s Office of Student Accounts.  All Application and Database Servers, Credit Card Processors, e-Commerce Applications, POS Solutions, and other component parts, whether hosted at UD or on the Internet by a third party, must be administered in accordance with the University of Dayton’s and the PCI-DSS policies.

Departments needing to accept credit and debit card payments must first contact the Office of Student Accounts to initiate the request.  If a solution meeting the requirements exists, the Office of Student Accounts will provide them a MID, arrange system training, and provide direction on how to journalize those transactions on the books of the University.  Requests for new solutions must first be approved by the Office of Student Accounts.  That office will work with UDit to confirm the new solution does not conflict with UD’s payment processing agreements and is PCI-DSS compliant.

The Office of Student Accounts, in coordination with UDit’s IT Risk Management Officer, will verify PCI-DSS compliance of all merchant environments annually.

Credit Card Security Standard Procedures

It is the policy of the University of Dayton that all departments, faculty, staff, students, organizations, and individuals who accept credit and debit cards in the normal pursuit of business do so in a secure manner as set forth by the PCI-DSS, ensuring Sensitive Cardholder Data is protected against fraud, unauthorized use, or other compromise.  Security standards in place include, but are not limited to:

  • Ensure your credit and debit card processing terminal truncates the credit card account number so that no more than the last 4 digits are visible.  If your terminal is not truncating card numbers, contact the Office of Student Accounts to have it reprogrammed or replaced immediately.
  • Only designated persons should handle Sensitive Cardholder data.
  • Do not store Credit Card Information on desktop computers or removable media.
  • Never send unencrypted credit or debit card account numbers by end-user messaging technologies (for example, e-mail, instant messaging, chat).
  • If Credit Card Information is received via fax machine, the machine must be located in a secure area.
  • If Credit Card Information is received via telephone or mail order, do not write information on anything other than an approved form to be used for such purpose.
  • In all cases, once the credit or debit card has been processed, use a black magic marker or other implement to permanently mask all but the last four digits of the Credit Card Number on the document.  Leave the last four digits exposed for future reference.
  • Never store the sensitive authentication data – full magnetic stripe data, CAV2/CVC2/CVV2/CID, or PIN/PIN block.
  • Limit data storage and retention time to that which is required for legal, regulatory, or business purposes following completion of the credit or debit card transaction.  Electronically purge or physically shred the information, as appropriate, when no longer necessary.
  • All documentation that contains Sensitive Cardholder Data must be kept in a secure area, such as a locked file cabinet, desk drawer, or office.  Retain these documents only as long as absolutely necessary to fulfill business needs, not to exceed one month without the express approval of the Office of Student Accounts.  Keys may be distributed only to a restricted number of designated individuals. Dual control is recommended for access to secured areas. Any locks must be rekeyed or replaced if suspected of compromise or in the event of a termination or transfer of a designated individual.

Responsibilities of UDit

  • Operate and maintain a central secure solution, under the direction of UD Finance & Administrative Services, for the purpose of transacting electronic payments.
  • Provide advice and tools to enable departments to follow best practices and industry regulations surrounding access, firewalls, logging, software updates, data storage, passwords, Encryption, and security.
  • In accordance with UD’s IT Incident Handling policy, investigate suspected security breaches and coordinate the response with the appropriate credit card agency, affected customers, and law enforcement as needed.
  • Update all PCI-related documentation to reflect any changes within a PCI environment, following UD's PCI Change Management Process (described in Appendix A).
  • UDit Telecommunications and Networking are the only departments authorized, and only under the direction of the Office of Student Accounts, to logically manage and make approved changes to the network infrastructure supporting UD’s PCI environments.
  • The IT Risk Management Officer will coordinate the development and distribution of security specific policy and procedures defining responsibilities for all employees and contractors.
  • The IT Risk Management Officer will monitor and analyze security alerts originating within and outside UD and distribute pertinent information to relevant system owners and managers.

Responsibilities of the Office of Student Accounts

  • Approve University units requesting to accept credit/debit cards.
  • Obtain and assign Merchant Identification Numbers (MIDs) for each approved unit.
  • Obtain approved card readers for units not requiring a more capable e-Commerce Application or POS Solution for processing credit and debit card transactions.
  • Oversee credit card accounting for each approved unit.
  • A representative of the Office of Student Accounts will chair UD’s Change Management Process as described in Appendix A, being ultimately responsible for monitoring and controlling all access to Credit Card Information.
  • Manage service provider compliance.  The Office of Student Accounts and UDit will, upon engagement of a service provider, investigate the service provider’s PCI fitness and ensure any contract includes acknowledgement of service provider responsibility for any cardholder data they might possess.  The Office of Student Accounts will, annually, review service providers’ PCI-DSS compliance.

Responsibilities of All University Departments, Faculty, Staff, Students, Organizations, and Individuals

  • Use only Application and Database Servers, Credit Card Processors, e-Commerce Applications, and POS Solutions as provided or approved by the Office of Student Accounts.
  • Include in all PCI-related agreements that service providers will contractually adhere to the PCI-DSS requirements and are responsible for the security of the cardholder data they process, store, or transmit.
  • Service agreements must include an acknowledgement that the service provider is responsible for the security of cardholder data held in the provider’s possession.  UD will actively monitor service providers’ PCI-DSS compliance status.
  • Participate in annual security awareness training and acknowledge understanding of information security policies and procedures related to credit and debit card processing.
  • Processes and procedures must be in place to ensure management approval prior to moving media from a secured area.
  • Process (batch) transactions on, at a minimum, a daily basis.
  • Record transactions according to the standard process defined by the Office of Student Accounts.
  • Reconcile and verify credit card transactions as part of the regular accounting reconciliation process.
  • Monitor credit and debit card transactions to ensure compliance with this and other University policies, state/federal laws, industry regulations, and contracts with financial institutions.
  • Make records available for audit by both internal and external auditors.
  • Agree not to use services for illegal purposes, undermine the security of the payment or supporting UD systems, and to report any suspicious activity to UDit’s IT Risk Management Officer.
  • Notify UDit’s IT Risk Management Officer and the Office of Student Accounts IN ADVANCE of any changes within a PCI environment, following UD’s PCI Change Management Process (described in Appendix A).

External Consequences

Failure to meet the requirements outlined in this policy will result in suspension of credit and debit card payment capability for the affected units.  Fines for violations of the PCI-DSS can range from $5,000 to $100,000 per month, depending on the size of the business and the scope of the breach.  There may also be a per item penalty of $15–$25 for each Credit Card Number violation.

Internal Consequences

Failure to meet the requirements outlined in this policy will result in suspension of credit card payment capability for the affected units.  Term of suspension will be commensurate with the level of violation of this Policy.

Persons found in violation of this policy are subject to the full range of sanctions, including the loss of computer or network access privileges, disciplinary action, suspension, termination of employment, dismissal from the University, and legal action.  Some violations may constitute criminal offenses under local, state, and federal laws.  The University of Dayton will carry out its responsibility to report such violations to the appropriate authorities.


Reference Documents

  1. IT Incident Handling Policy


Applicable Regulations

  1. Payment Card Industry Data Security Standards (PCI-DSS)


Appendix A: Change Management Process for Existing Merchant Environments

Modification to our systems, whether planned or unplanned, can impact our ability to securely deliver services on time, on budget, and in good working order.  Additionally, legal and industry requirements governing particular classifications of data may dictate controls.  This is especially important for systems that process credit and debit card information.  Changes to Payment Card Industry (PCI) environments must go through a formal change control process (PCI Requirement #6.5.1).  Note that PCI requirements apply to the entire environment and all components involved in the processing, storage, and transport of data, including, but not limited to, the Application and Database Servers and POS Solutions.  In general, for a change or enhancement to be approved, a solid business case must be presented that demonstrates the risk and lost opportunities in not making the change are significantly higher than they are for making the change. 

A Request for Change (RFC) form is required for any of the following:

  • Modification to the network infrastructure, security controls, hardware, operating systems, applications, databases, files, fields, screens, reports, or any other elements.
  • Addition of new elements – hardware or software – that utilize or extend delivered system functions, including data.
  • Requests for deviation from the central budget, including the addition of products, third-party products, services, and hardware.

The Request for Change (RFC) form is available in Appendix B and may be submitted via email to itriskmgmt@shushijia.net

The composition of the Change Control Board may vary depending on the request.  Reviewers will typically include a representative of the Office of Student Accounts, UDit’s IT Risk Management Officer, administrators of various core technical services, and the owner of the system for which the change is being requested.

The process is flexible, and evaluations and research may occur before or after the request is prepared.  The goal of this process is to ensure that a valid business case has been prepared that demonstrates a return on investment that is greater than the costs and risks associated with the change, and that all PCI requirements continue to be met.  Persons requesting a change to a PCI environment will submit an RFC form to the Change Control Board.  Some routine changes, for example the application of monthly operating system patches or daily antivirus signature updates, can be considered pre-approved and will not require submission of a formal change request beforehand.  If there’s any question about whether a change qualifies for pre-approval, contact the PCI Program Manager or UDit’s IT Risk Management Officer.  PCI environments will be tested, as required, quarterly and upon completion of approved changes.

The Change Control Board will provide a written decision or request for additional information.  For auditing purposes, all participating reviewers will initial the completed form and the PCI Program Manager will sign and date it.

Appendix B: PCI Request for Change (RFC Form)


CONTACT

For questions relating to the University policies of Information Technology, please contact:

Gurvinder Rekhi, Vice President and Chief Information Officer
937-229-4307