University Resources, Operations and Policies

Schools/Departments:

  • Office of Finance and Administration
  • Categories:

  • Business and Finance
  •  

    Credit Card Acceptance and Processing


    Policy Statement

    This policy establishes the requirements for the acceptance and processing of credit card payments and for the protection of Cardholder Data in accordance with the Payment Card Industry Data Security Standards (PCI DSS).


    Reason for Policy

    The reason for this policy is to set the standard for protecting Cardholder Data supplied to the University or any Third Party Service Provider acting on behalf of the University.


    Who Is Governed by this Policy

    Faculty and Staff


    Policy

    Adelphi University acknowledges the importance of its data security and regulatory responsibilities and has established a framework to protect Cardholder Data. All processes, operational procedures and related technologies used for accepting credit cards must comply with the PCI DSS and relevant University policies.

    • AU Merchant IDs (MIDs) can only be obtained through the University’s credit card processor which is currently Curvepay.
    • AU Merchants are expected to protect Cardholder Data (CHD) and prevent any unauthorized use.
    • AU strictly prohibits CHD and Sensitive Authentication Data (SAD) from being captured, stored, processed, or transmitted on University servers or networks with the following exceptions:
      • Transmission of encrypted CHD is permitted through a PCI validated Point-to-Point Encryption (P2PE) Solution (see Approved Methods of Accepting Credit Cards).
      • Storage of paper forms and digital images of CHD is permitted only when CHD is rendered unreadable (see Data Retention/Storage).
    • If a P2PE solution is implemented, the AU Merchant must provide documentation confirming the solution was implemented with all controls in the P2PE Instruction Manual provided by the P2PE solution provider.
    • Roles and responsibilities associated with credit card processing must be assigned and acknowledged.
    • Individuals with access to the AU Merchant CDE have completed all required training.
    • All Third Party Service Providers (TPSPs) that may affect the security of an AU Merchant’s CHD or could have an impact on the AU Merchant’s CDE must be approved through University Procurement Services prior to requesting a new AU MID or being associated with an existing AU MID.

    University Approved Methods of Accepting Credit Cards

    • Point-of-Sale (POS) (face-to-face) / Card-Present:
      • Stand-alone terminal with dial-up connection to a dedicated phone line (IP/Internet connections are prohibited for stand-alone terminals)
      • Handheld terminal enabled with Cellular connection (mobile phone card readers are prohibited)
      • P2PE Solution listed on the PCI Council’s List of PCI P2PE Validated Solutions.
    • Mail order/telephone order (MOTO) / Card-not-Present:
      • Prohibitted
    • E-Commerce / Card-not-Present:
      • Outsource all e-commerce functions and technology support to a University approved PCI compliant vendor
      • University developed websites

    Data Retention/Storage

    • Electronic storage of Primary Account Number (PAN) and/or Sensitive Authentication Data (SAD) even if encrypted is prohibited, with the following exceptions:
      • Storage of CHD is only permitted in the form of paper documents and/or digital images of such paper documents and must adhere to the following:
        • Documentation containing the full PAN may only be securely stored in paper form and only until authorization, at which point the full PAN must be rendered unreadable with no more than the first six and/or last four digits visible (411111*****1111) before the document is imaged and scanned for digital storage
      • Storage of SAD is never permitted and must be rendered completely unreadable immediately.
    • All digital records must be saved to a secure file location on a drive with limited and monitored access to select personnel on a “need to know” basis only.
    • Retention periods must be limited to that which is required for business, legal, and/or regulatory purposes per Adelphi University Records Retention Policy and Merchant must have a process in place to review the need for any stored paper records on a quarterly basis.
    • After the designated retention period:
      • Digital images of documentation must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).

    Merchant Responsibilities

    Responsibilities include but are not limited to the following:

    • Required training must be completed by all individuals with access to the AU Merchant CDE, first upon hire or upon assuming a new role that requires such access, then on an annual basis thereafter, for as long as the individual has access to the AU Merchant CDE.
    • Assign roles and responsibilities to individuals with access to the AU Merchant CDE to ensure appropriate internal controls and compliance with PCI DSS and Adelphi’s related policies.
    • Maintain chain of custody records for all equipment that has direct physical interaction with CHD.
    • Maintain current list and location of MIDs, terminals and authorized users, operating procedures, data flow diagrams, staff training and equipment inspection logs available for review upon request.
    • Review transactions prior to settlement and ensure all open batches are settled daily, and reconcile all account activity (including fees) at least monthly.
    • Maintain copies of TPSP documentation indicating which PCI DSS requirements will be met by the TPSP and which will be the responsibility of the AU Merchant.
      • Obtain proof of TPSP’s PCI DSS compliance on an annual basis.
    • Take immediate action to respond to a suspected or confirmed security compromise of the AU Merchant CDE or any AU Merchant CHD by notifying individuals identified in below section “Responding to a Suspected Credit Card Security Breach.”

    Enforcement

    AU Merchants are subject to periodic audit. Any AU Merchant in violation of PCI DSS or University policies can result in the termination of the Merchant’s ability to accept credit cards as a method of payment. Individuals may also be subject to disciplinary action.

    Responding to a Suspected Credit Card Security Breach

    Anyone with knowledge or suspicion that the AU Merchant CDE or any AU Merchant CHD has been compromised in any way must immediately report the incident to each of the following:

    • Immediate supervisor
    • Senior Business Officer

    Definitions

    Card Brands: Discover, MasterCard or Visa.

    CHD – Cardholder Data: At minimum, consists of the full PAN but may also include the full PAN with cardholder name, expiration date, or service code.

    CDE – Cardholder Data Environment: The people, processes and technology that capture, store, process or transmit CHD or SAD, including any system components that may affect the security of such data.

    Credit Cards: Credit and debit cards issued by one of the five Card Brands.

    AU Merchant: Any individual/school/department that accepts credit cards bearing the logos of any of the five Card Brands as payment for goods and/or services on behalf of the University.

    MID – Merchant ID: Unique ID associated with each AU Merchant account used for transaction processing and billing.

    Payment Application: Software application that stores, processes, or transmits CHD as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.

    PAN: Primary Account Number – also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account, and consists of 16 to 19 digits.

    PCI SSC: Payment Card Industry Security Standards Council made up of five Card Brand members that set the standards to enhance CHD security.

    PCI DSS: Payment Card Industry Data Security Standards – provides a baseline of technical and operational requirements designed to protect CHD which applies to all entities that store, process or transmit CHD or SAD and/or are involved in credit card processing.

    SAD: Sensitive Authentication Data – Security related information used to authenticate cardholders and/or authorize credit card transactions, includes full track data, equivalent data on the chip, three- or four-digit code (e.g., CVV2), or Personal identification number (PIN) entered by cardholder during a card present transaction, and/or encrypted PIN block present within the transaction message.

    TPSP: Third Party Service Provider – business entity that is not a Card Brand and is directly involved in the processing storage or transmission of CHD, or that provide services that control or could impact the security of the CDE.


    Forms

    This policy does not have forms associated with it at this time. Upon periodic policy review this area will be evaluated to determine if additional information is needed to supplement the policy.


    Related Information

    This policy does not have related information at this time. Upon periodic policy review this area will be evaluated to determine if additional information is needed to supplement the policy.


    Contacts

    Mary Barca
    p – 516.877.3277
    e – barca@adelphi.edu

    Michael J. McLeod
    p – 516.877.3177
    e – mcleod@adelphi.edu

    Robert Decarlo
    p – 516.877.3184
    e – decarlo@adelphi.edu   


    Document History

    • Last Reviewed Date: September 18, 2017
    • Last Revised Date: September 18, 2017
    • Policy Origination Date: Not known                            

    Who Approved This Policy

    Robert DeCarlo, Chief Financial Officer & Associate Vice President

    Michael J. McLeod, Director of Financial Operations and Associate Vice President

     
     
    Apply Now
    Request Information