Accepting Credit Card Payments
In order to accept credit card payments, the College is required to comply with Payment Card Industry Data Security Standards (PCI DSS), which were established by the major credit card companies (American Express, Discover, JCB, MasterCard, and Visa) to protect merchants and cardholders from cardholder information theft. This policy will be reviewed at least annually and will be updated as needed to reflect changes in PCI DSS standards.
Departments must contact the Business Office to receive approval prior to accepting credit card payment information, and follow the procedures described below to ensure the security of credit card transactions.
Departments are prohibited from storing credit card information electronically (in databases or excel worksheets) and sending credit card information via electronic means (i.e. e-mail, chat, instant messaging).
Credit card information is defined here to mean the full credit card number, the card verification code or the PIN. Credit card numbers appearing on receipts or reports must be truncated to the last 4 digits.
Devices used to process credit card transactions must be dedicated to processing credit card payments and may not be connected to other Carleton network services such as e-mail.
Access to cardholder data must be limited to only those individuals whose jobs require such access. Each individual with access to credit card information must have a unique user ID. User IDs should not be shared with other individuals.
All Information Technology data security standards are required to be followed when accepting credit card payments.
Establishing a credit card account:
- Contact the Business Office for authorization to set up an account.
- Departments processing credit card payments must attend training with the Business Office to review the policies and procedures for accepting credit card payments.
- The Business Office must establish all merchant accounts to ensure the Business Office has access to all accounts for monitoring and reconciliation purposes.
- Departments must provide daily settlement reports to the Business Office for all credit card transactions unless other arrangements have been made.
Processing credit card payments over the internet:
- The Business Office has contracted with an online payment gateway that is PCI DSS compliant for receiving, transmitting and storing credit card data. Cardholder transaction information is collected and securely stored directly with the payment gateway or processor, at no time is credit card information collected or stored on College computers or transmitted by the College.
- Departments obtain information directly from the payment gateway, only the information necessary to apply the payment (such as the name, amount and authorization code) may be retained at the department level. Files or print reports should not contain credit card information. The full contents of any data from the magnetic stripe, the card verification code and the PIN must not be stored under any circumstances. In the event of a dispute or chargeback, the transaction can be researched from the processor’s website via a secure login.
- Carleton Web Services will assist departments with setting up web sites for processing transactions over the internet.
Processing credit card payments where a card is presented in person:
- PCI DSS compliant credit card equipment will be provided to the Department by the Business Office through our merchant service provider. Imprint machines should not be used.
- Credit card information must be truncated to the last 4 digits. The full card number must never be printed on anything, including the customer copy, our copy or batch reports. The card number should not be printed in either bar code or numeric format. In the event of a dispute or chargeback, research the transaction on the merchant account website via a secure login.
- Signed slips or batch reports must be sent to the Business Office on a daily basis. Documents must never contain the full card number.
Processing credit card payments when the card is not present (mail or telephone):
- All rules that apply to “where card is presented in person” are applicable here as well.
- Promptly process the credit card information received. Following confirmation that the transaction has transmitted without error, immediately destroy credit card information received by cross-cut shredding so that credit card information cannot be reconstructed.
- Never process credit card information that has been received by fax or e-mail. Contact the card holder (without forwarding their credit card card information back to them) to let them know that their transaction could not be processed from this source and their message has been destroyed to protect their credit card information. Direct them to the online payment gateway OR have them mail the payment information OR accept their payment information verbally over the phone following the procedures described above.
Reporting security incidents:
Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have responsibility to assist in the incident response procedures within their particular areas of responsibility.
Examples of security incidents that employees might recognize in their day to day activities include, but are not limited to:
- Theft, damage or unauthorized access (i.e. papers missing from their desk, broken locks, missing log files, alert from public safety, evidence of a break-in or unscheduled/unauthorized physical entry)
- Fraud – inaccurate information within databases, logs, files or paper records
Notify Security, ext. 4444 immediately of any suspected or real security incidents involving cardholder data. Security will file an incident report in Advocate. In the event it is determined that credit card information has been compromised, the incident response steps defined in the Identity Theft Prevention Policy will be applied.