{"id":309,"date":"2021-07-21T11:43:41","date_gmt":"2021-07-21T16:43:41","guid":{"rendered":"https:\/\/wp.stolaf.edu\/business-office\/?page_id=309"},"modified":"2023-06-07T08:11:33","modified_gmt":"2023-06-07T13:11:33","slug":"policy-pci-dss-for-accepting-credit-card-payments","status":"publish","type":"page","link":"https:\/\/wp.stolaf.edu\/business-office\/policy-pci-dss-for-accepting-credit-card-payments\/","title":{"rendered":"Policy, PCI DSS for Accepting Credit Card Payments"},"content":{"rendered":"<div data-modular-content-collection><p><strong>Title:<\/strong> St. Olaf College Payment Card Industry Data Security Standards (PCI DSS) Policy for Accepting Credit Card Payments<br \/>\n<strong>Effective Date:<\/strong> 4-01-2011<br \/>\n<strong>Issuing Authority:<\/strong> Office of the Vice President &amp; Chief Financial Officer<br \/>\n<strong>Program Coordinator:<\/strong> Controller<br \/>\n<strong>Last Updated:<\/strong> November 2020<\/p>\n<h3>Purpose of Policy<\/h3>\n<p>In order to accept credit card payments, the College is required to comply with the Payment Card Industry Data Security Standards (PCI DSS), which were established by a group of credit card companies (American Express, Discover, JCB, MasterCard, Visa) to protect merchants and cardholders from cardholder information theft.\u00a0 The College must also comply with the Federal Trade Commission\u2019s Fair and Accurate Credit Transactions Act (FACTA), which was also intended to reduce identity theft.\u00a0 This policy will be reviewed at least annually and will be updated as needed to reflect changes to the business objectives or the risk environment.<\/p>\n<h3>Policy<\/h3>\n<p>In order to comply with these standards and to provide adequate data security measures, Departments must contact the Business Office to receive approval prior to accepting credit card information and follow the procedures described below to ensure the security of credit card information.\u00a0 Departments 
will need to consider the impact of credit card fees and note that most merchant service agreements prohibit or enforce strict rules regarding the assessment of convenience fees and surcharges to the consumer.<\/p>\n<p>Departments are prohibited from collecting credit card information on the St. Olaf network, storing any credit card information electronically, or sending credit card information via electronic means (e.g. email, chat, instant messaging).\u00a0 Devices used to process credit cards should run only the services needed to process credit card payments.\u00a0 All services not directly needed to perform the device\u2019s specified function should be disabled.\u00a0 These devices should only be used in locations where credit card acceptance is necessary and all procedures in this policy can be followed.<\/p>\n<p>Access to cardholder data should be limited to only those individuals whose jobs require such access.\u00a0 Each individual with access to cardholder data should have a unique user ID, when applicable.\u00a0 User IDs should not be shared with other individuals.\u00a0 Approval should be obtained from the appropriate parties (IIT, Business Office, Individual Departments, etc.) to use credit card processing technologies.<\/p>\n<h3>Procedures<\/h3>\n<p>The following procedures should be adhered to when processing payments:<\/p>\n<p>For credit card payments over the internet:<\/p>\n<ol>\n<li>We must use payment gateways that are PCI DSS compliant for receiving, transmitting and storing credit card data.\u00a0 The transaction information should be collected and securely stored by the payment gateway or processor, so there is no reason for credit card data to be collected or stored on St. 
Olaf computers or network.<\/li>\n<li>Departments should obtain from the payment gateway or processor only the information necessary to apply the payment (such as the name and amount).\u00a0 There should typically not be any reason to obtain files or print reports containing the credit card data.\u00a0 The full contents of any track data from the magnetic stripe, the card verification code and the PIN should not be stored under any circumstances.\u00a0 In the event of dispute or chargeback, we can research the transaction on the processor\u2019s website via secure login.<\/li>\n<li>IIT policies are required to be followed when accepting credit card payments and IIT personnel should be contacted to discuss all specific PCI security issues.<\/li>\n<\/ol>\n<p>For credit card payments where a card is present:<\/p>\n<ol>\n<li>Credit card equipment must be capable of protecting stored data and encrypting transmitted credit card data.\u00a0 Only PCI PIN Transaction Security (PTS) compliant fully end-to-end encrypted devices may be connected to the St. Olaf network. 
Imprint machines should not be used.<\/li>\n<li>Credit card information must be truncated to the last 5 digits.\u00a0 The full card number should never be printed on anything, including the customer copy, our copy or batch reports.\u00a0 In the event of dispute or chargeback, we can research the transaction on the merchant account website via secure login.<\/li>\n<li>Any signed slips or batch reports should be retained in a locked file or vault for 18 months, and then securely destroyed.\u00a0 They should never contain the full card number.<\/li>\n<\/ol>\n<p>For credit card payments when the card is not present (via mail or phone):<\/p>\n<ol>\n<li>Follow the rules that apply \u201cwhere a card is present\u201d above, or use the secure payment gateway.<\/li>\n<li>Whenever possible, we should refer the individual to a secure payment gateway, rather than having them mail credit card information or having it written down over the phone.\u00a0 If it is absolutely necessary to have the credit card information in hard copy, it should be entered promptly and then immediately destroyed by shredding so that cardholder data cannot be reconstructed.\u00a0 Containers storing information waiting to be destroyed must be secured to prevent access to the contents.<\/li>\n<li>IIT policies are required to be followed when accepting credit card payments and IIT personnel should be contacted to discuss all specific PCI security issues.<\/li>\n<\/ol>\n<p>The following procedures should be adhered to when setting up a credit card account:<\/p>\n<ol>\n<li>Always contact the Controller in the Business Office before setting up an account.\u00a0 In some cases, IIT will also be contacted if it involves processing transactions via the internet.\u00a0 Departments and individuals processing credit card payments must sit down with the Business Office to be trained in the policies and procedures of accepting credit cards prior to accepting this type of payment.<\/li>\n<li>The Business Office will set up each 
department merchant account under St. Olaf\u2019s main headquarters account, which will enable the Business Office to access all accounts and research items when reconciling.<\/li>\n<li>Separate merchant accounts should <strong>not<\/strong> be set up for Discover.\u00a0 Merchants now have the capability to clear Visa, MasterCard, and Discover together on a single merchant account.\u00a0 American Express has this capability as well, but the fees are higher for it, so we have typically set up separate American Express merchant accounts.<\/li>\n<li>Departments should set their accounts up to deposit gross sales daily.\u00a0 Any fees should be debited out of the bank account as a separate transaction.\u00a0 Please do not set up the accounts to have fees net out of the sales deposit.<\/li>\n<li>Departments must provide daily accounting records to the Business Office for credit card transactions, unless other arrangements have been made for the Business Office to import credit card deposit information from the payment gateways.<\/li>\n<li>Access to credit card information should be limited to only those employees who need the information for their jobs and who deal with similar administrative duties on a regular basis.<\/li>\n<\/ol>\n<p>The following procedures should be adhered to regarding incident identification:<\/p>\n<p>Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures.\u00a0 All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility.\u00a0 Some examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to:<\/p>\n<ul>\n<li>Theft, damage or unauthorized access (e.g. 
papers missing from their desk, broken locks, missing log files, alert from public safety, evidence of a break-in or unscheduled\/unauthorized physical entry)<\/li>\n<li>Fraud \u2013 Inaccurate information within databases, logs, files or paper records<\/li>\n<\/ul>\n<p>The Controller should be notified immediately of any suspected or real security incidents involving cardholder data.\u00a0 If you do not feel comfortable doing so, report your concern anonymously to the Campus Hotline at (866) 943-5787.<\/p>\n<p>In the event that credit card information is compromised, the incident response steps under the \u201cNotifications for Breach of Security\u201d section of the <a title=\"Information Security Policy\" href=\"https:\/\/wp.stolaf.edu\/it\/data-classification\/\">St. Olaf College Data Classification Policy<\/a> must be followed.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Title: St. 
Olaf College Payment Card Industry Data Security Standards (PCI DSS) Policy for Accepting Credit Card Payments Effective Date: 4-01-2011 Issuing Authority:\u00a0 Office of the Vice President &amp; Chief [&hellip;]<\/p>\n","protected":false},"author":3439,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-309","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/wp.stolaf.edu\/business-office\/wp-json\/wp\/v2\/pages\/309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wp.stolaf.edu\/business-office\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/wp.stolaf.edu\/business-office\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/wp.stolaf.edu\/business-office\/wp-json\/wp\/v2\/users\/3439"}],"replies":[{"embeddable":true,"href":"https:\/\/wp.stolaf.edu\/business-office\/wp-json\/wp\/v2\/comments?post=309"}],"version-history":[{"count":4,"href":"https:\/\/wp.stolaf.edu\/business-office\/wp-json\/wp\/v2\/pages\/309\/revisions"}],"predecessor-version":[{"id":843,"href":"https:\/\/wp.stolaf.edu\/business-office\/wp-json\/wp\/v2\/pages\/309\/revisions\/843"}],"wp:attachment":[{"href":"https:\/\/wp.stolaf.edu\/business-office\/wp-json\/wp\/v2\/media?parent=309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}