VISC Acceptance of Credit Cards Guideline

Standards for Acceptance of Credit Cards
VISC ACCEPTANCE OF CREDIT CARDS GUIDELINE
Last Revised: 11/23/11

REVISION CONTROL

Document Title: VISC Acceptance of Credit Card Guideline
File Reference: VISC Acceptance of Credit Cards Guideline.docx

Revision History

Revision Date   Revised By      Summary of Revisions              Section(s) Revised
10/07/11        Danita Leese    Copy and paste to new template    All

Review / Approval History

Review Date     Reviewed By         Action (Reviewed, Recommended or Approved)
02/07/2012      VISC Governance     Approved

Standards for Acceptance of Credit Cards

1.0 PURPOSE

The Payment Card Industry (PCI) denotes the debit, credit, prepaid, e-purse, ATM, and POS cards and associated businesses. The term is also used to refer to the Payment Card Industry Security Standards Council, an independent council originally formed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard.

The Payment Card Industry Data Security Standard (PCI DSS) sets requirements for protecting payment card information, including information on computers that process, store or transmit credit card and other payment card information. These requirements became effective June 30, 2005 and were updated in 2010; the University must adhere to these standards to limit its liability and continue to process payments using payment cards.

2.0 SCOPE

This standard applies to all users (e.g., executives, managers, faculty, staff, students, guests, business partners, all auxiliaries and others) of CSU data, computer networks, equipment, or computing resources who process, transmit, or handle cardholder information in a physical or electronic format.

All computers and electronic devices at California State University campuses involved in processing payment card data are governed by the PCI Data Security Standard. This includes servers which store payment card numbers, workstations which are used to enter payment card information into a central system (for example, ordering tickets over the phone), and any computers or credit/debit card swipe devices through which the payment card information is transmitted.

3.0 STANDARD

All transactions that involve the transfer of credit card information must be performed on systems approved by either the Campus Controller’s Office or a respective auxiliary financial officer and must include a compliance and security review by the Information Security Office. Any specialized servers that have been approved for this activity must be housed behind a University-administered firewall and must be administered in accordance with the requirements of all California State University campus and PCI policies, standards, procedures or guidelines.

Departments involved with the acceptance and processing of credit cards for payment of goods and services must design adequate processes to ensure the following are maintained:

• All contracts or purchases of software and/or equipment related to credit card processing must be approved by either the Campus Controller’s Office or a respective Auxiliary Financial Officer and reviewed by the Information Security Office prior to implementation. This requirement applies regardless of the transaction method or technology used (e.g., e-commerce, POS device).

• Departments must comply with the Payment Card Industry Data Security Standard.

• Establish departmental procedures for safeguarding cardholder information and secure storage of data. This pertains to ALL transactions initiated via the telephone, over the counter, mail order, Internet, etc.

• Credit card numbers must not be transmitted in an insecure manner, such as by e-mail, unsecured or stored fax (including GeniFax or similar networked fax servers), or through campus mail (sealed envelopes must be used).

• Sensitive cardholder data [i.e., full account number, card type, expiration date, PIN, and card validation code, the three-digit or four-digit value printed on the front or back of the card] should not be stored in any University system, personal computer, or e-mail account.

• The entire credit card number should not be printed on either the department copy or customer copy of any receipts. Old receipts with the entire credit card number should have all but the last four digits blacked out. Do not print the full credit card number under any circumstances.

• All documentation containing card account numbers must be stored in a secure environment until processed. Secure environments include locked drawers and safes, with access limited to only those individuals who are processing the credit card transaction. Processing should be done as soon as possible; the credit card number should immediately be blacked out to the last four digits and the card expiration date must be masked.

• Stored credit card information will be retained according to the approved document retention standard. All media used for credit cards must be properly destroyed, based on campus disposal guidelines, when retired from use. All hardcopy must be shredded prior to disposal.

• Credit card handlers and processors must agree (in writing) not to disclose or acquire any information concerning a cardholder’s account without the cardholder’s consent, and to follow all PCI standards.

• Require all personnel involved in credit card handling to attend card security training every year in conjunction with required CSU Security Awareness training and PCI audits.

• Assign an individual to administer the control of log-in privileges, limit software access to secure locations, delete access to software for terminated employees, and ensure vendor-supplied defaults are not used for system passwords.

• Units using third-party software, including cash register systems, are prohibited from storing complete payment card numbers on University computers at any time.

• Contractually require all third parties with access to cardholder data to adhere to PCI security requirements and provide proof of PCI certification to the merchant department.

4.0 PROCEDURES

All Auxiliary credit card and debit card processing contracts and renewals, including web-based procurement, must be initiated and approved through their respective Finance Office. Because the sale of goods and services to entities outside the university community may raise special considerations (e.g., unrelated business tax, accounting, legal, etc.), business plans concerning credit sales should also be reviewed by each respective auxiliary Finance Office.

All Non-Auxiliary campus units/department credit card and debit card processing contracts and renewals, including web-based procurement, must be initiated and approved through the campus Controller’s Office. Because the sale of goods and services to entities outside the university community may raise special considerations (e.g., unrelated business tax, accounting, legal, etc.), business plans concerning credit sales should also be reviewed by the campus Controller’s Office.

For campuses utilizing CashNet, upon request by the department and review by the Campus Controller’s Office, a specialized Merchant Number will be established and CashNet will provide the secure payment mechanism. The department will work with the campus Information Technology department in creating their web site and integrating the payment mechanism with the CashNet system. Once the payment program is properly configured to pass the required parameters to the CashNet system, secure payment will be executed, and approval codes and other related elements will be returned to the originating web site.

All Non-Auxiliary campus units/departments that need to accept credit/debit cards through a physical terminal or a Data Capture machine for either swipe or keyed transactions must contact the Campus Controller’s Office to execute the required paperwork, obtain a Merchant Number, receive training, and be given direction as to the accounting of those transactions. Data Capture machines must be configured according to PCI requirements to meet security standards and certified to the university standard.

Under no circumstances will it be permissible to obtain credit card information, or transmit credit card information, by e-mail.

The Information Security Office will perform a yearly risk assessment of comprehensive compliance obligations for credit card data maintained on all campus and auxiliary servers which transmit data throughout the campus network. The assessment will be the principal tool used to complete the required PCI self-assessment.

The Information Security Office will negotiate, manage and contract with a qualified PCI assessor to fulfill PCI quarterly scanning requirements.

The Campus Controller’s Office, in conjunction with campus Auxiliary Finance Officers, will establish an E-commerce Committee to review all proposed business plans involving credit card sales over the Internet. The committee will include, but is not limited to, representatives from the Campus Controller’s Office, from each respective campus Auxiliary Finance Office, Vice President Administration and Finance, Information Security Office, IT ERP representatives, IT Internet Technologies and Telecommunications and Networking.

• The E-commerce Committee will review each proposal for intended business purpose, consistency with the University's mission and policies, and the selling department’s ability to support an E-commerce activity.

• Following review and approval, the Campus Controller’s Office or the relevant auxiliary Finance Office will notify the requesting department of approval status, determine the appropriate accounts and revenue object codes to be credited for sale proceeds, and issue a unique merchant ID identifier for the selling department.

• Any significant changes to approved Business Plans must be reviewed and approved by the E-commerce Committee prior to implementation. The changes include changes to the departmental Web site, products or services to be sold, intended customer base, anticipated transaction volume, outside advertising, application software, or changes in the departmental contacts responsible for the e-commerce business plan. Proposed changes should be routed to the Controller's Office.

5.0 SANCTIONS

Departments not complying with this standard may lose the privilege to serve as a credit card merchant. Additionally, fines may be imposed by the affected credit card company, beginning at $50,000 for the first violation.

The University reserves the right to temporarily or permanently suspend, block or restrict access to information assets, independent of such procedures, when it reasonably appears necessary to do so in order to protect the confidentiality, integrity, availability, or functionality of University resources or to protect the University from liability.

Allegations against employees that are sustained may result in disciplinary action, which may only be administered in a manner consistent with the terms of the applicable collective bargaining agreement and in accordance with the applicable provisions of the California Education Code, and/or civil or criminal prosecution. Student infractions of this standard may be referred to the Office of Student Judicial Affairs. Third-party service providers who do not comply with this standard may be subject to appropriate actions as defined in contractual agreements.

Some violations may constitute criminal offenses under local, state, and federal laws. The University will carry out its responsibility to report such violations to the appropriate authorities.

6.0 DEFINITIONS

A. PCI: The PCI Standard is the result of collaboration between the four major credit card brands to develop a single approach to safeguarding sensitive data. The PCI standard defines a series of best practices for handling, transmitting and storing sensitive data.

B. Cardholder data: Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, or Card Validation Code (e.g., the three-digit or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2 data).

C. Merchant: any person or department accepting money for goods or services.
