Procedures for Accepting and Handling Credit and Debit Card Payments

Rice University ensures that credit and debit card information is handled and disposed of in a manner that protects customer information, complies with applicable law and, ultimately, meets the university’s obligation to comply with the data security standards required by the Payment Card Industry.

In order to begin accepting credit or debit card payments, Rice University units must receive prior approval from the Treasurer’s Office. All units that process credit card and debit card transactions must ensure that the payment process and related recordkeeping procedures follow university policies and procedures, PCI-DSS and all applicable legislative requirements. These procedures apply to all Rice employees, contractors and students involved in the processing of debit and credit card payments in connection with university-related business.

Background

The set of standards referred to as the Payment Card Industry's Data Security Standard (PCI-DSS) sets forth security standards for any organization that accepts, captures, stores, transmits and/or processes credit card information either manually or through an automated system.

Merchant credit or debit card transactions are monetary transactions and are subject to the same control and reconciliation policies as cash transactions. Improper protection of merchant card data, whether in electronic or paper form, could lead to a security breach that may result in customer ill-will, damage to Rice’s reputation, fines, legal fees and response-related costs. The potential ramifications of a data breach are greater if Rice is not in compliance with PCI-DSS at the time of the breach. Failure to comply with PCI-DSS may result in loss of the university’s ability to process credit card transactions, substantial fines and increased auditing requirements if a breach occurs.

The components of PCI-DSS apply to all forms of transactions. They include:

  1. Build and maintain a secure network with appropriate firewalls
  2. Protect cardholder data, including stored data in any format, and encrypt transmissions across public networks
  3. Maintain a vulnerability management program, including use of anti-virus, confidential data detection and data encryption software, and secure systems and applications
  4. Implement strong access control measures, including restricted access to cardholder data in all formats
  5. Monitor and test networks
  6. Maintain an information security policy

PCI-DSS also requires that organizations complete an annual self-assessment questionnaire (SAQ) tailored to each type of credit card processing method.

Requirements

  1. Compliance: Any department that accepts, captures, stores, transmits and/or processes credit or debit card information must comply with PCI-DSS and participate in the annual self-assessment process and training.
  2. Authorized personnel: Only authorized and properly trained individuals may accept and/or access credit or debit card information. No other individuals may have access to credit card information.
  3. Method of processing payments: Departments may only accept and process credit and debit card payments by methods that are approved by the Treasurer’s Office. Departments must consult with the Treasurer’s Office on the approved methods. Rice University has contracted with TouchNet Information Systems, Inc. to provide e-commerce services, including credit card payment gateway services. The TouchNet Payment Gateway system is the preferred method of payment processing for online credit card transactions. Rice uses a version of TouchNet that has been certified as compliant with PCI-DSS.
  4. Electronic storage: Electronic storage of credit card information is not allowed because of the increased risk that it presents.
  5. Protecting credit card information: Each person who has access to credit or debit card information is responsible for protecting that information. Credit and debit card information must be securely destroyed as soon as it is no longer necessary to retain it. Physical documents containing credit or debit card information must be stored in secured, access-controlled locations such as locked cabinets. The validation code and personal identification number should not be stored in any form. In no case should credit card information be transmitted via insecure channels such as email or text message.
  6. Department procedures: Each department that handles credit card information must have written procedures for complying with PCI-DSS and providing appropriate segregation of duties.
  7. Response to breach: Suspected theft of credit or debit card information or inappropriate activity must be reported immediately to the University IT Security Officer and the Rice University Police Department.

Definitions

e-Commerce

The process of conducting payment transactions over a computer network, usually the Internet. In e-commerce the merchant card is usually not present; instead, the payer enters the card data into a web form remotely.

e-Merchant

A merchant who uses an e-commerce system to generate revenue.

Merchant

A department, school, or other organization that collects revenue. Although merchants may receive payments in various forms (e.g., cash, check), this policy applies to merchants who wish to receive at least some of their payments from credit or debit card transactions.

Merchant Card

Debit or credit cards, including those under the Visa, MasterCard, and American Express brands.

Merchant ID

A merchant identification code assigned by the bank and used to identify the owner of merchant card transactions.

PAN

Primary Account Number.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) defines security requirements for card transactions and is required by a consortium of card providers (e.g., Visa, MasterCard, Discover, and American Express).

Payment Card

See "Merchant Card."

Personal identification number (PIN)

A secret numeric password shared between a user and a system, used to authenticate the user to the system.

POS System

Point-of-Sale system. A computer-based system that processes payments over a network. A POS system differs from an e-commerce system in that the payer and card are usually present at the time of the transaction.

Service Provider

Organizations that process, store or transmit cardholder data on behalf of merchants.

Terminal

A machine for electronically processing credit or debit card payments. Card data may be captured by swiping the card through a designated slot in the terminal or by keying in the card number by hand. Payment information may be transmitted over phone lines or the Internet.

Validation code

Also known as Card Validation Code, Card Validation Value and Card Security Code. For the purposes of this policy, the 3- or 4-digit number printed or embossed on the back or front of a credit card, used to validate the actual presence of the physical credit card for which a PAN has been recorded. Often called CID, CAV2, CVC2 or CVV2.

Roles and Responsibilities

  • Vice Provost for Information Technology: Maintain a safe and secure network with appropriate firewalls and ensure appropriate monitoring and testing of network security.
  • PCI-DSS committee: Oversee the annual SAQ process and training, and revise policy and procedures as needed.
  • Authorized Employees: Complete the annual SAQ and certify commitment to participate in compliance programming, attend security training and informational meetings, and implement appropriate departmental procedures.
  • Employees and Students: Read and comply with Rice's security policies and procedures.
  • Departments: Any department that uses a service provider to accept, store and/or process credit or debit card information on its behalf, except for any service provider that already has a campus-wide agreement, must receive from the vendor, on an annual basis, and keep on file documentation indicating that the vendor's system and procedures have been found to be in compliance with PCI-DSS by a firm that has been authorized by the Payment Card Industry to make such an assessment. A copy of this documentation should be submitted to General Counsel.
  • Service providers: Enter into a written agreement that acknowledges responsibility for the security of cardholder data the service provider possesses. Provide, on an annual basis, documentation indicating that the version of the vendor's system and procedures used by Rice has been found to be in compliance with PCI-DSS by a firm that has been authorized by the Payment Card Industry to make such an assessment.
  • Treasurer's Office: Authorize new merchant accounts and authorized users.
  • Department heads: Develop department procedures in line with this policy and designate individual(s) to be authorized to process merchant card transactions.
  • General Counsel: Review contracts with service providers.
  • Vice President for Finance: Chair the PCI-DSS committee and maintain a list of all PCI third-party service providers supporting Rice transactions.

Other resources

The full text of the standard and other supporting documents are available at: https://www.pcisecuritystandards.org/

Template for departmental procedures

Want to know more about the Payment Card Industry Data Security Standards (PCI-DSS)? Visit this site.

Looking for information about PCards? Visit this site for the manual and this site to learn about training.

Need a copy of the Guide to Card Acceptance and Best Practices from Global Payments?

The slides from the Rice PCI training class are here.