Departments may accept payment cards (credit or debit) as a method of payment provided they meet University policy, state and federal laws, contractual obligations, and rules of the University's banks and financial institutions.
Departments must obtain approval from Accounts Receivable Services prior to initiating or engaging in any activity where payment cards are used in connection with accepting revenue. Only University-approved equipment, payment gateways, processes, technologies, and suppliers/vendors may be used.
Departments must follow the current version of the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS comprises twelve requirements grouped into six goals:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Departments must monitor and reconcile transactions according to University policy Reconciling and Verifying General Ledger Accounts and Other Financial Information.
Departments must treat a customer's Cardholder Data according to the requirements defined in the PCI DSS, University policy, state and federal laws, and contractual obligations.
Electronic storage of a customer’s cardholder data on University systems is prohibited. Where a business need exists, storage of a customer’s cardholder data by third-party service providers may be permitted upon written approval from Accounts Receivable Services.
Failure by a department to maintain compliance with this policy and the relevant acts and standards may result in revocation of approval to accept payment cards.
Departments are responsible for any fees, fines, penalties, or other costs resulting from acceptance of payment cards or non-compliance with this policy or the PCI DSS.
Payment card revenue must be deposited into approved University of Minnesota bank accounts. Departments may not open bank accounts. Accounts Receivable Services will coordinate designation of bank accounts in consultation with the Office of Investments and Banking, which is solely responsible and authorized to open bank accounts.
The sale of goods and services must be consistent with the normal activities of the unit and support the teaching, research, or outreach mission of the University. This policy deals only with the manner of payment.
The department is responsible for the collection and remittance of applicable sales tax.
When an item or service is purchased using a payment card and a refund is necessary, the refund must be credited to the same account from which the purchase was made. A refund must never exceed the original payment amount. To process a refund, follow the procedure appropriate to the technology used for processing (terminal, POS, internet, etc.). Each department must have a written or published refund policy.
This policy does not pertain to the University’s Procurement Card or Travel Card Programs.
Reason for Policy
The ability to accept payment cards is a valuable tool for University departments, but it also creates risk for the University. Payment card accounts are subject to the Minnesota Government Data Practices Act, Minnesota Plastic Card Security Act, Payment Card Industry Data Security Standards (PCI DSS), and other applicable laws. This policy creates a consistent, cost-effective, and secure environment for the University community to accept revenue via payment cards that meets the following requirements:
- Compliance with University policy, state and federal laws, contractual obligations and rules of the University's banks and financial institutions, and PCI DSS
- Protection of customers' private data
- Protection for the University from fines, liability, and harm to its reputation