Policy 1510: Accepting and Processing Credit Cards for University Business
Subject Area: Cash Management
Responsible Office: Office of the Bursar
Sponsor: Chief Financial Officer
Originally Issued: November 2006
Revised: January 2010; August 2012; May 2021
Policy Reviewed: May 2022
Refer Questions To: Jennifer Waters, University Bursar; firstname.lastname@example.org
Purpose: To establish policies governing the acceptance and processing of credit card transactions, assign the authority and responsibility for such transactions and ensure compliance with applicable laws and regulations including those maintained by the Payment Card Industry (PCI) Security Standards Council.
- Summary – This policy applies to all forms of credit card processing on behalf of the University or by affiliates using University systems, on existing, new and changed services. Credit card processing includes any payment card transaction (whether credit card, debit card, or other instrument linked to such a card) or other transmission, processing or storage of credit card data. This includes transactions initiated in person, via telephone or other telephonic means, in paper form, by US mail or other courier, or through a terminal, kiosk, computer system, website, mobile device or any other means. This policy applies whether the processing is performed by the University or by an outside party acting as a service provider to the University.
- Merchant Application and Responsibilities – All units that would like to accept credit card payments are required to request and obtain approval from the University Bursar Merchant Services Department. Approved units will be assigned a unique Merchant ID (MID) and be established as a Merchant Account Owner. Each Merchant Account Owner must be a financial manager, a manager, or otherwise hold leadership responsibility. All units that wish to process credit card transactions must establish a valid business purpose and will be responsible for maintaining and overseeing the security of merchant operations. Merchant Account Owners must familiarize themselves with the IT Services Policy on Ecommerce. Merchant Account Owners are responsible for timely communication with the University Bursar and/or IT Services regarding any inquiries or requests for information. Failure to respond appropriately within a reasonable time period may result in the suspension of the merchant account.
- Merchant Procurement – Units within the University or affiliates using the University’s systems are not authorized to negotiate contracts with credit card companies, processors, or external services that accept credit card payments on the University’s behalf, and must complete the above stated approval process in advance of executing any agreements. The University has established contracts, incorporating the necessary security provisions, for many system and service components needed for the acceptance and processing of credit card transactions. Where such contracts exist, all units processing credit card payments are required to utilize these services. If no established contract meets a required business need, the unit must address that need through Shared Services and identify an approved payment solution. Shared Services will engage IT Services and the University Bursar in the vendor review process.
- PCI-DSS (Payment Card Industry Data Security Standard) Self-Assessment Questionnaire (SAQ) – Merchant Account Owners are required to complete a PCI-DSS Self-Assessment Questionnaire (SAQ) annually. The SAQ is facilitated by the University Bursar upon Merchant Account application. Merchants should complete all of the expected testing outlined in the SAQ before completing the questionnaire. Failure to complete the initial certification or the annual recertification of PCI-DSS compliance may result in the suspension of the merchant account.
- PCI-DSS Security Awareness Training – Any employee who is involved in obtaining, transmitting or storing cardholder data must complete an annual PCI-DSS Security Awareness Training Program. Merchant Account Owners are responsible for identifying and enrolling trainees, removing trainees, and tracking completion dates for their program trainees. The University Bursar facilitates the PCI-DSS Security Awareness Training Program, and Merchant Account Owners collaborate with the University Bursar when executing their oversight responsibilities. Any trainee's failure to complete the PCI-DSS training may result in the suspension of the merchant account. Merchant Account Owners will be audited quarterly for compliance with their PCI-DSS Security Awareness Training Program.
- Credit Card Technology – Any University computer, website, software application, point-of-sale terminal, credit card reader or other device connected to the campus network or phone system that is involved in the processing of credit card payments must undergo a security review by, and receive approval from, IT Services before credit card processing can begin. Such systems and devices may be required to undergo periodic internal or external security scans. Any costs related to these internal or external scans are the responsibility of the Merchant Account Owner.
Merchant Account Owners who process credit card payments through point-of-sale terminals must maintain a device inventory log at all times. Routine physical inspections of the credit card terminals to detect tampering must be performed and the results maintained. The University Bursar provides guidelines and process recommendations to assist departments in developing inventory and inspection protocols. Merchant Account Owners are responsible for training employees to be aware of suspicious behavior around their credit card terminals and to report tampering with, or substitution of, point-of-sale devices. The authorized use of these devices is conditional on meeting these requirements.
- Cardholder Data Transmission and Storage – Merchant Account Owners are expected to protect cardholder data and prevent the unauthorized use of such data. Cardholder data refers to information printed, processed, transmitted or stored in any form from a credit card. Cardholder data elements include the primary account number (PAN), cardholder name, service code, and expiration date. Cardholder data may not be accepted via email, fax-to-email, text message, SMS, chat, video conference, nor through any end user messaging technology or University workstations and information networks. Merchant Account Owners may not process cardholder data received through these means. If any electronic cardholder data is received, it should be deleted immediately by the recipient, and the sender informed (a) that their transaction was not processed, and (b) of the acceptable channels for the transaction.
University departments are prohibited from storing cardholder data in any paper or electronic format. Under no circumstance is cardholder data to be stored within any storage medium (e.g., paper copy, electronic files, CD-ROM, flash drive, etc.). Merchant Account Owners must regularly investigate and locate any unauthorized storage of cardholder data. Merchant Account Owners should conduct quarterly employee interviews and review both paper and electronic records for any unauthorized cardholder data storage. Any electronic record of cardholder data located must be immediately and permanently deleted. Paper copies of cardholder data must be securely shredded and rendered unrecoverable. Merchant Account Owners will be audited quarterly for compliance with cardholder data storage and transmission policies.
- Breach of Credit Card Data – Merchant Account Owners who suspect a breach and/or fraud involving credit cards should contact the University of Chicago Police Department immediately. Merchant Account Owners should also immediately open a PCI-DSS ticket to report point-of-sale terminal theft, tampering or substitution, loss of credit card information, or a payment website breach. Once the ticket is submitted, a notification will be sent to the Merchant Services Oversight Committee and the incident response plan will be executed.
- Credit Card Revenue and Program Fee Assessment – The University Bursar is responsible for the depositing and recording of unit revenue and the management of merchant fees on a monthly basis. Merchant Account Owners are required to provide an FAS fee account for both revenue and fees assessment to the University Bursar upon application. Any fines or other fees and costs resulting from non-compliance with Payment Card Industry security standards, including but not limited to those resulting from breaches of security or failure to complete annual training, will be the responsibility of the department where the failure occurred.
- Merchant Services Oversight Committee (MSOC) – All aspects of the governance of credit card processing and compliance are monitored by the Merchant Services Oversight Committee. This committee meets bi-annually and is comprised of representatives from the University Bursar, Procurement/Shared Services, Treasury, Accounting and IT Services. Non-compliance with policies and audit findings are reported directly to the committee and may result in a recommendation to terminate a merchant account.