Accepting Revenue Via Payment Cards
Responsible University Officer(s):
- Associate Vice President and Controller
- Director of Accounts Receivable
Departments may accept payment cards (credit or debit) as a method of payment provided they meet University policy, state and federal laws, contractual obligations, and rules of the University's banks and financial institutions.
Departments must obtain approval from Accounts Receivable Services prior to initiating or engaging in any activity where payment cards are used in connection with accepting revenue. Only University approved equipment, payment gateways, processes and vendors may be utilized.
Departments must follow the current version of the Payment Card Industry Data Security Standards (PCI DSS). The PCI DSS is comprised of twelve requirements grouped into six goals:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Departments must monitor and reconcile transactions in a timely manner.
Departments must treat customer's private data according to the requirements defined in PCI DSS, University policy, state and federal laws, and contractual obligations. Departments must not store payment card information electronically.
Failure by a department to maintain compliance with this policy and the relevant acts and standards may result in revocation of approval to accept payment cards.
Departments are responsible for any fees, fines, penalties or other costs resulting from acceptance of payment cards or non-compliance with this policy or PCI DSS.
Payment card revenue must be deposited into approved University of Minnesota bank accounts. Departments may not open bank accounts in connection with accepting revenue. Accounts Receivable Services will coordinate designation of bank accounts in consultation with the Office of Investments and Banking, who is solely responsible and authorized to open bank accounts.
The sale of goods and services must be consistent with the normal activities of the unit and support the teaching, research or outreach mission of the University. This policy deals only with the manner of payment.
This policy does not pertain to the University Procurement Card Program.
The Controller’s Office may consider granting exception to this policy or related procedures after receiving a written request.
REASON FOR POLICY
The ability to accept payment cards is a valuable tool for University departments, but it also creates risk for the University. Payment card accounts are subject to the Minnesota Government Data Practices Act, Minnesota Plastic Card Security Act, Payment Card Industry Data Security Standards (PCI DSS), and other applicable laws. This policy creates a consistent, cost-effective and secure environment for the University community to accept revenue via payment cards that meets the following requirements:
- Compliance with University policy, state and federal laws, contractual obligations and rules of the University's banks and financial institutions, and PCI DSS
- Protection of customers' private data
- Protection for the University from fines, liability, and harm to its reputation
|Primary Contact(s)||David Ladenfirstname.lastname@example.org|
|Account Set-Up, Changes, Termination||Accounts Receivable Servicesemail@example.com|
|PCI DSS Compliance||Accounts Receivable Servicesfirstname.lastname@example.org|
|Technology and Incidents/Suspected Breaches||Office of Information Technology, University Information Securityemail@example.com|
|Reconciliation/ Accounting||Accounts Receivable Servicesfirstname.lastname@example.org|
|Vendor/3rd Party Service Provider Contracts||Purchasingemail@example.com|
|Office of the General Counselfirstname.lastname@example.org|
|University Information Securityemail@example.com|
- Access Control Measures
- Mechanisms that limit availability of information or information-processing resources only to authorized persons or applications. These include restricting access to cardholder data by business need to know, identifying and authenticating access to system components, and restricting physical access to cardholder data
- Acquiring Bank
- The bank or financial institution that accepts payments for the products or services on behalf of a merchant. Wells Fargo Merchant Services is the University of Minnesota's acquiring bank.
- Unauthorized access to, acquisition, use, or disclosure of data maintained by the University, which compromises the security and privacy of the data. “Breach” does not include (1) a good faith acquisition, access, or use of private data by an employee, contractor, or agent of the University, if the data is not provided to an unauthorized person; or (2) incidents involving data that have been rendered unusable, unreadable, or undecipherable (e.g., through valid encryption) to unauthorized individuals.
- The person to whom a payment card is issued or any individual authorized to use the payment card.
- Cardholder Data
- At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
- Contractual Obligation
- State and federal legal mandates govern many private data standards (e.g. HIPAA, FERPA, etc.). However, PCI DSS is a set of standards that are required to be followed through terms and conditions of the payment card account contract the University has with the acquiring bank.
- Customer (Non-University)
- An individual or other entity that makes a payment to the University for goods or services.
- Any unconfirmed or suspected access to, or loss of, data. An incident can become a "breach" if it is confirmed. Not all incidents are or become breaches.
- Incident Response
- The process by which incidents are handled. Each payment card account is required to have a documented incident response and continuity plan in place.
- The University, or a unit of the University, is considered a merchant when they accept payment cards as a method of payment for goods, services, information, or gifts.
- Minnesota Government Data Practices Act
- Legislation delineating how private data collected by Minnesota government entities is to be maintained and protected (including financial data).
- Minnesota Plastic Card Security Act
- Legislation prohibiting organizations from keeping the secure information stored on a payment card's magnetic strip in their computer databases after a transaction is completed. The magnetic strips on payment cards contain sensitive information such as the customer's name, account number, PIN, card expiration date, and security code data. This legislation also specifies that an organization violating this provision is responsible for both notifying their customers and covering the expenses of potential fraud if their customer's information is compromised.
- Non-Disclosure Form
- A form required to be signed annually by all University employees with access to cardholder data. By signing this form, employees agree to protect any part of the cardholder data from disclosure to anyone that does not have a business need for that data.
- Payment Card
- A financial transaction card (credit, debit, etc.) issued by a financial institution; also called Bankcard/Payment Card/Charge Card/Credit Card/Debit Card.
- Payment Card Account
- A contractual relationship between a merchant and the acquiring bank that allows the merchant to accept payment cards from purchasers.
- Payment Card Industry Data Security Standards (PCI DSS)
- A multifaceted security standard developed and owned by the major payment card companies that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. PCI DSS represents a common set of tools and measurements to help ensure the safe handling of sensitive information. The standard comprises 12 requirements that are organized in 6 logically related groups or “control objectives.” Failure of merchants to conform to these standards can result in losing the ability to process payment card payments and being audited and/or fined.
- Payment Card Transaction
- The activity of purchasing a good or service through use of a payment card.
- Private Data
- Legally and contractually protected non-public University data and data which the University is obliged to treat as confidential whether it is research, clinical, educational, outreach, or administrative data. Private data can only be released to the subject of the information and to those within the university who have a legitimate business need-to-know, outside entities with the subject's written permission, and others as allowed by law.
- The process of comparing information that exists in two systems or locations, analyzing differences and making corrections so that the information is accurate, complete and consistent in both systems or locations. For financial reporting purposes, the process includes comparing the local unit's record of financial information to the general ledger.
- Sensitive Authentication Data
- Security-related information (including but not limited to card validation codes/values, full track data from the magnetic stripe or equivalent on a chip, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
- Service Provider / Vendor
- A business entity that is not a payment brand, that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes companies that provide services that control or could impact the security of cardholder data.
- University Community
- Any official member of the University. May be a college, department, unit, auxiliary, organization, etc.
- Vulnerability Management Program
- A program created to protect all systems against malware and regularly update anti-virus software or programs, and develop and maintain secure systems and applications. The goal is to protect against any flaw or weakness which, if exploited, could result in an intentional or unintentional compromise of a system.
- Accounts Receivable Services
- Develops and provides departments with a comprehensive payment card program:
- Establishes, documents, and distributes University-wide payment card account policies and procedures.
- Reviews and approves the establishment, change, and termination of payment card accounts.
- Coordinates designation of bank accounts for payment card revenue in consultation with the Office of Investments and Banking,
- Oversees payment card account compliance with University policy, state and federal law, and PCI DSS.
- Manages relationship with outside vendors and consultants to provide security assessments.
- Provides training and awareness on compliance with University policy, state and federal laws, contractual obligations and rules of the University's banks and financial institutions, PCI DSS, and management of merchant accounts.
- Sets up and maintains payment card accounts in the Enterprise Financial System.
- Assists units with reconciliation issues related to payment card accounts.
- Office of Information Technology - University Information Security (UIS)
- Responsible University-wide for assisting Accounts Receivable Services, IT Contacts, and others in protecting payment card data and ensuring the technology used follows PCI DSS:
- Reviews and advises on the implementation of all technology set-up/changes associated with payment card transaction processing.
- Coordinates external vulnerability scanning by an approved external scan vendor.
- Reviews and approves firewall changes that are supported by a valid business reason.
- Coordinates with external security monitoring vendor for logs and forwards alerts as appropriate, provides storage of logs for one year.
- Coordinates penetration testing for those devices that require the service to meet PCI DSS.
- Establishes, documents and distributes University-wide security incident response and escalation procedures to ensure timely and effective handling of situations.
- Payment Card Manager
- Department employee responsible for overall management of a payment card account. The Payment Card Manager must be knowledgeable about the payment card acceptance process in the department, PCI DSS requirements and compliance, and is the first point of contact for all questions concerning a payment card account. This individual also documents departmental policy and process and ensures that the following standards are maintained:
- Keep all cardholder data secure and confidential. The department will be responsible for any losses due to poor internal or inadequate controls.
- Restrict access to cardholder data and processing to appropriate and authorized personnel.
- Establish appropriate segregation of duties between payment card processing, the processing of refunds, and the reconciliation function. Supervisory approval of all card refunds is required.
- Perform an annual self-assessment and compliance review to ensure compliance with this policy and associated procedures, and report the results of this assessment to Accounts Receivable Services.
- Request approval from Accounts Receivable Services prior to the implementation of any changes affecting transaction processing associated with the merchant account.
- Notify University Information Security and Accounts Receivable Services in case of a security incident or potential breach of cardholder data.
- Make sure employees with access to cardholder data are trained in payment card process and understand applicable policy, standards, and regulations.
- Accounting Contact
- Department employee responsible for financial management and reconciliation of a payment card account.
- IT Contact
- Department employee responsible for management of the technology involved with a payment card account. The IT Contact must be knowledgeable about the technology involved with the payment card acceptance process in the department.
- RRC Chief Financial Manager, RRC Contact and Department Head/Dean
- University employees responsible for approving the setup, modification, and termination of payment card accounts. Setup accounting structure for payment card accounts. Active participant in management of payment card processes and procedures.
- Controller’s Office
- Review and approve all policy exceptions and payment card account remediation plans.
- Office of Investment and Banking
- Oversight of all University cash management practices to include all University bank accounts and banking services. Negotiate, coordinate and manage all agreements, policies and business-related cash management and banking services on behalf of the University. Responsible, on behalf of the University CFO/Treasurer for establishing all financial institution accounts.
Information Technology Policies:
- Acceptable Use of Information Technology Resources
- Reporting and Notifying Individuals of Information Security Breaches
- Information Security
- Information Security Risk Management
- Accessing U-Wide Banking Services
- Accepting and Depositing Revenue
- Reconciling and Verifying General Ledger Accounts and Other Financial Information
- Selling Goods and Services to External Customers
Administration & Operations Policies
Human Resource Policies
Other Related Information:
- Payment Card Industry Data Security Standard (PCI DSS)
- Minnesota Government Data Practices Act
- Minnesota Plastic Card Security Act
- Visa Core Rules and Visa Product and Service Rules
- MasterCard Rules
- American Express Merchant Regulations
- Discover Merchant Operation Regulations
- June 2016 – Comprehensive Review, Minor Revisions. Rewritten for clarity and updated to comply with current law and regulations. Reorganized and rewrote proceedures for clarity. Two new procedures were added. Removed job aids in appendices section.
- December 2009