PURPOSE
The purpose of this policy is to ensure that credit card and e-commerce activities are consistent, efficient and secure to protect the interests of the University, its associated auxiliaries, and its customers. This policy applies to all types of credit card activity transacted in person, over the phone, mail or the Internet. This policy provides guidance to ensure that credit card acceptance and e-commerce processes comply with the Payment Card Industry Data Security Standard (PCI DSS) and are appropriately integrated with the University’s financial and other systems.
POLICY
All card processing activities must comply with the Payment Card Industry Data Security Standard (PCI DSS) and the Humboldt State University PCI Standard.
Every department that would like to accept payment cards and/or electronic payments on behalf of the University or change an existing account must submit an APPLICATION FOR PAYMENT CARD ACCOUNT ACQUSITION OR CHANGE form to request approval:
http://www2.humboldt.edu/financialservices/node/58
Each of these departments is required to appoint a management employee who will have authority and responsibility for payment card transaction processing within that department.
BACKGROUND
In response to increasing incidents of identity theft, the major payment card companies created the Payment Card Industry Data Security Standard (PCI DSS) to help prevent theft of customer data. PCI DSS applies to all businesses that accept payment cards to procure goods and services or make donations to the University. Compliance with this standard is enforced by the payment card companies and, generally, non-‐compliance is discovered when an organization experiences a security breach that includes card member data.
Security breaches can result in serious consequences for the University and the associated auxiliaries including release of confidential information, damage to a reputation, the assessment of substantial fines, possible legal liability and the potential loss in the ability to accept payment cards and e-commerce payments.
SCOPE
This policy applies to all Humboldt State University and self-‐supporting operations, except the separate campus 501(c)3 auxiliary organizations (which include the University Center, Associated Students, Sponsored Programs Foundation and Advancement Foundation), contractors, consultants or agents who, in the course of doing business on behalf of the University, accept, process, transmit, or otherwise handle cardholder information in physical or electronic format. With regard to auxiliary organizations, if they are contracting with the University for accounting and business services, they must follow this policy. If not, the auxiliary needs to provide certification of PCI compliance to the University’s information security officer.
This policy applies to all university departments and administrative areas that accept payment cards, regardless of whether revenue is deposited in a university or auxiliary account.
RESPONSIBILITIES
Every department or administrative area accepting payment cards and/or electronic payments on behalf of the University for goods, services, or donations (merchant department) must designate a "Merchant Department Responsible Person" (MDRP), a management employee within that department who will have primary authority and responsibility for payment card and e-commerce transaction processing.
All MDRPs are responsible for:
• Executing on behalf of the relevant merchant department, payment card account acquisition or change procedures.
• Ensuring that all employees (including the MDRP), contractors, and agents with access to payment card data within the relative merchant department acknowledge on an annual basis and in writing that they have read and understood this policy. These acknowledgements should be submitted, as requested, to the cashier manager.
• Ensuring that all payment card data collected by the relevant merchant department in the course of performing university business, regardless of whether the data is stored physically or electronically, is secured according to the standard listed in Appendix 1.
http://www2.humboldt.edu/financialservices/node/58
• In the event of a suspected or confirmed loss of cardholder data, the MDRP must immediately notify the Information Security Office and the cashier manager. Details of any suspected or confirmed breach should not be disclosed in any email correspondence. After normal business hours, notification shall be made to Humboldt State University Police at (707) 826-5555.
POLICY MONITORING
The Department of Information Technology Services will coordinate the University’s compliance with the PCI DSS technical requirements and verify the security controls of systems authorized to process credit cards.
The information security officer shall maintain currency with the requirements of the PCI DSS and related requirements to ensure that this policy remains current and shall coordinate and lead any campus response to a security breach involving cardholder data.
The information security officer shall conduct the University PCI DSS self-‐assessment and complete the University’s attestation of compliance.
SUSPENSION
The Manager of Student Financial Services may suspend/terminate credit card account privileges of any department or administrative unit not in compliance with this policy or that places the University at risk.
PROHIBITED PAYMENT CARD ACTIVITIES
California State University prohibits certain credit card activities that include, but are not limited to:
• accepting payment cards for cash advances
• discounting a good or service based on the method of payment
• adding a surcharge or additional fee to payment card transactions
• using a paper imprinting system unless approved by the Manager of Student Financial Services
PAYMENT CARD FEES
Each payment card transaction will have an associated fee charged by the credit card company. Payment card fees will be allocated to the PeopleSoft general ledger account identified by the merchant department.
REFUNDS
The HSU Cashier’s Office will process all credit card refunds on behalf of the University.
When a good or service is purchased using a payment card and a refund is necessary, the refund must be credited within the same billing period to the account that was originally charged. After that, the University will process the refund via check or ACH (electronic deposit to a bank account). Refunds in excess of the original sale amount or cash refunds are prohibited.
CHARGEBACKS (customer refunds)
Occasionally a customer will dispute a payment card transaction, ultimately leading to a chargeback. In the case of a chargeback, the merchant department initiating the transaction is responsible for notifying the HSU Cashier’s Office and for providing appropriate supporting documentation.
TRAINING
Employees who are expected to be given access to cardholder data shall initially be required to complete security awareness training and then renew that awareness training at least annually. Employees shall be required to acknowledge at least annually that they have received training, understand cardholder security requirements, and agree to comply with these requirements.
DEFINITIONS
Cardholder
The customer to whom a payment card has been issued or the individual authorized to use the card.
Cardholder Data
All personally identifiable data about the cardholder (i.e., account number, expiration date, cardholder name.)
Cashiering Services
University office that approves all third-‐party service providers and coordinates the policies and procedures for accepting payment cards at Humboldt State University.
Encryption
The process of converting information into an unintelligible form to anyone except holders of a specific cryptographic key. Use of encryption protects information that is between the encryption process and the decryption process from unauthorized disclosure.
Merchant or Merchant Department
For the purposes of the PCI DSS and this policy, a merchant is defined as any university department or other entity that accepts payment cards bearing the logos of any of the five members of the Payment Card Industry Security Standards Council (American Express, Discover, JCB, MasterCard or VISA) as payment for goods and/or services, or to accept donations.
Merchant Department Responsible Person (MDRP)
A management employee within a department who has primary authority and responsibility for the payment card and e-commerce transaction processing within that department.
Payment Card
Any payment card/device that bears the logo of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or VISA, Inc.
Effective Date: April 2011
Revised Date: December 2015