
University of Manitoba - Recommended Best Practices for Processing Payment Card Information

Accountability / Applicability:

This document applies to individuals with access to payment card information, in any form, at any merchant location of The University of Manitoba.

Responsibility Statement:

The University of Manitoba must conform to the Payment Card Industry Data Security Standards (PCI DSS), which are designed to protect credit card information held and/or used at the University. Merchants must protect cardholder information to prevent a breach of data security. University employees who have access to cardholder data are responsible for holding the data in confidence at all times. Cardholder information should be disclosed only for a required business purpose.

Payment Card Processing Procedures:

1. Card Not Present (CNP) Procedures:

Information is obtained through a phone, fax, mail or internet order form. Credit card information, including the Personal Account Number (PAN), service code, cardholder name and card expiration date, is to be recorded on paper.

- Request the CVV2 code from the customer as an additional means of identity verification. The 3-4 digit card verification code helps to validate that the cardholder had the card in his/her possession during the transaction. [Note: IVR transaction processing cannot accommodate the CVV2 at this time.]
- IVR users: using a touch-tone telephone, phone the credit card provider for authorization and record the authorization number on the sales record.
- Web merchants: enter the cardholder information in Beanstream for approval.
- POS merchants: key the cardholder information into the POS terminal and record the authorization number on the sales record.
- Never record the CVV2 for any purpose once card authorization has been received.
- Paper notes/forms must be cross-shredded, or at least the portion with the credit card information, after the transaction has been approved.

2. Card Present (Swiped) Transactions (POS Merchants):

- Swipe the payment card's magnetic stripe to transmit the credit or debit card information for verification and authorization.
- Check the credit card for signs of tampering; for details go to: http://www.visa.ca/en/merchant/pdfs/security_features.pdf
- Print customer and merchant copies of the receipt. Ensure that the personal account number on the receipt is encrypted or masked such that all but the last 4 digits are suppressed.
- Request and verify the customer's signature on the sales record.
- Paper notes/forms must be cross-shredded, or at least the portion with the credit card information, after the transaction has been approved.

Updated Jun03.13 Page 1 University of Manitoba - Financial Services Recommended Best Practices for Processing Payment Card Information

Data Storage Guidelines:

Merchants may store only the PAN, expiration date, service code and cardholder name, using precautions for safe storage.

- Where applicable, encrypt printed personal account numbers to ensure that all but the last 4 digits are suppressed or masked when displayed or printed on receipts or retained in files.
- Paper media containing cardholder data must be securely stored in a locked environment for a 12-month retention period (VISA) or an 18-month retention period (MasterCard), corresponding to the period allowed under the University's Merchant Services agreements. Failure to provide a copy of a receipt when requested could result in a chargeback.
- Assign responsibility for ensuring that storage standards are maintained and that strict control is kept over access to the stored documents.
- Shred or destroy documents after 12 (VISA) or 18 (MasterCard) months, once the receipt information is no longer required for business purposes, in a manner that prevents reconstruction of the information.
- Do not disclose data except for business purposes.
- Never send or receive credit card information by e-mail. If an e-mail that includes credit card information is received, it must be deleted from both the inbox and the deleted items folder, and the trash must be purged/expunged. Remove all cardholder information before replying.
- University employees with access to cardholder data are responsible for holding the data securely and confidentially at all times.
- Never leave credit card information unattended.
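As an added illustration (not part of the University's guidance), the following Python, run against a constructed sample e-mail, shows the masking described above: it finds Luhn-valid PANs in free text and reduces each to its last 4 digits, and it computes the date after which a paper receipt must be destroyed under the 12-month (VISA) / 18-month (MasterCard) retention periods. Function names are hypothetical.

```python
import re
from calendar import monthrange
from datetime import date

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Retention periods from the guidelines above, keyed by card brand.
RETENTION_MONTHS = {"visa": 12, "mastercard": 18}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: rejects most non-PAN digit runs (order or phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Suppress all but the last 4 digits, the form allowed on receipts and in files."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_cardholder_data(text: str):
    """Mask each Luhn-valid PAN in free text (e.g. a received e-mail); returns (text, count)."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)  # not a PAN: leave untouched

    return PAN_CANDIDATE.sub(repl, text), count


def destroy_after(brand: str, transaction_iso: str) -> str:
    """ISO date after which a paper receipt must be shredded: 12 months (VISA), 18 (MasterCard)."""
    t = date.fromisoformat(transaction_iso)
    years, month_index = divmod(t.month - 1 + RETENTION_MONTHS[brand.lower()], 12)
    year, month = t.year + years, month_index + 1
    return date(year, month, min(t.day, monthrange(year, month)[1])).isoformat()


# Constructed sample input: a Visa test PAN plus a non-PAN digit run (an order number).
SAMPLE_EMAIL = ("Hi, please charge 4111 1111 1111 1111, exp 12/25, CVV 123. "
                "My order number is 1234 5678 9012 3456.")
```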

Refunds:

Never refund a credit card sale by cash or . Refund only by crediting back the cardholder. An exception to this rule exists where there is a refund policy in place that stipulates otherwise, such as where payment has been applied to a student account.

Incident Response:

Only individuals who need to access or use cardholder information should do so, accessing only the information needed to perform their job functions. Accessing more than the minimum information needed is prohibited for any University employee.

If you believe credit card information has been compromised or improperly accessed or used, or if you suspect that any systems or security measures protecting cardholder information have been breached, contact the Accounting Assistant of Revenue Capital & General Accounting immediately at 474-9574 or [email protected]

Additional Information:

Merchant Fraud:

http://www.visa.ca/en/merchant/pdfs/merchant_fraud.pdf


Card Not Present Security:

http://www.visa.ca/en/merchant/pdfs/merch_cnp.pdf

Merchant Operating Guide:

http://www.tdcanadatrust.com/merchantservices/pdf/Merchant-Guide.pdf

PCI Quick reference guide:

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
