Statement and Purpose
_______________________________________________________________
Texas A&M University-Commerce offers university departments the convenience of accepting credit cards in payment for goods and services provided. Departments may accept credit card payments over the counter, over the telephone, or over the Internet.
Definitions
Procedures
1. Departments requesting New Merchant Accounts: Departments that decide to accept credit cards must make a direct request to Financial Services. Departments should contact Financial Services to determine the best solution to their credit card collection needs. Financial Services will establish a new merchant account through the credit card processor on the department’s behalf. New merchant account activation typically takes 3 weeks from the time Financial Services receives the request.
1.1. For departments that plan to accept cards in person, Financial Services will acquire the equipment for installation to ensure compatibility with current systems. In certain circumstances, it may be necessary for the department to purchase the equipment. Depending on placement, this equipment may require work orders for telecommunications or AC power accommodations.
1.2. Departments that want to receive credit card payments in instances where the card is not present (such as over the phone, by fax, or online) need to provide complete information to Financial Services to establish an e-commerce site and discuss the setup process. Contact Financial Services at (903) 886-5043 OR (903) 886-5994.
1.3. A PCI Compliance Questionnaire must be completed and submitted to Financial Services for each credit card merchant setup.
2. Credit Card Sales: Credit card sales should be recorded like any other sale. Customers should be given receipts verifying payment for purchases unless an exception is granted by the Assistant Vice President and Comptroller.
2.1. To process sales for walk-in customers presenting an acceptable credit card, the card should be run through the credit card machine at the time of the sale to validate the account number. The credit card must be kept within the customer’s sight. Any exceptions must be approved by Financial Services.
2.2. To process transactions in which the card is not physically present (such as telephone, fax, or mail orders), departments should contact Financial Services to determine the feasibility of establishing an e-commerce site. Departments unable to establish an e-commerce site must request a credit card terminal through Financial Services.
2.3. Processing "card not present" payments through MyLeo or an e-commerce site is a much more secure avenue, with fewer PCI DSS compliance issues. If it is absolutely necessary for the merchant to process such a payment on their credit card terminal, the following must be obtained before the transaction is processed:
3. Refunds: Credit card refunds cannot exceed the original transaction amount and must be issued to the card used for the original purchase. Refunds cannot be processed back to the originating card more than 180 days after the initial transaction, and refunds beyond 180 days should be rare. In those circumstances, the merchant should first verify that the refund has not already been processed; if it has not, the merchant should submit a payment request to Financial Services Accounts Payable so that a check can be issued. Please contact Financial Services at 903-468-8110 or 903-886-5213.
4. Daily Close Out and Deposit Procedures
4.1. Deposits should be made on a daily basis by someone other than the individual who accepted the transaction payments.
4.2. For credit card sales, the credit card detail report and bill slips should be sent to Financial Services on a daily basis. This report should break down the Visa/MasterCard, Discover, and American Express totals. If the department has a credit card device with a printer, attach the tape to the credit card detail report.
4.3. Departments are responsible for reconciling credit card deposits to their FAMIS account.
5. Credit Card Security: A&M-Commerce and the payment card industry take the safeguarding of data very seriously. Failure to comply with university and industry security regulations may result in the revocation of the department’s merchant account or, in the case of lost or stolen cardholder data, assessment of severe fines on the university and department by the bank. Departments are financially responsible for fines resulting from security breaches that originate from their systems.
5.1. Before a department can begin to receive credit card payments, they must implement adequate security and internal controls that meet PCI DSS requirements. To ensure adequate security, the department must request set up and approval from both the Technology Services and Financial Services departments.
5.2. The design and architecture of computer systems and networks associated with credit card processing, as well as the protocols used to transmit such data, must be approved by Technology Services prior to implementation. Contact 903-468-6000 for placing a work order.
5.4. Computer and computer network security and internal controls should include, but are not limited to:
5.4.1. Install and maintain a firewall configuration to protect cardholder data.
5.4.2. Protect stored cardholder data through encryption and store as little cardholder data as necessary.
5.4.3. Encrypt transmissions of cardholder data, and never accept credit card data over e-mail.
5.4.4. Use and regularly update antivirus software or programs.
5.4.5. Develop and maintain secure systems and applications.
5.4.6. Restrict computer and physical access to cardholder data to authorized personnel. If credit card information must be stored on a computer, make sure the file is password protected and the credit card information itself is encrypted (password protection alone is not encryption). The file should be located on a drive or server with very limited access.
5.4.7. Assign a unique user ID to each person with computer access.
5.4.8. Track and monitor all access to network resources and cardholder data.
5.4.9. Regularly test security systems and processes, in accordance with the most current Best Practices and PCI Standards.
5.5. Business process security and internal control features should include, but are not limited to:
5.5.1. Background checks should be obtained for individuals authorized to have access to cardholder data, in accordance with PCI Data Security Standards.
5.5.2. When taking a credit card payment from an individual, always keep the credit card within the customer’s sight.
5.5.3. Cards should be accepted for no more than the amount of the purchase.
5.5.4. The amount entered into the credit card machine must agree to the purchase amount.
5.5.5. The credit card expiration date should not be included on the receipt.
5.5.6. Only the last 4 digits of the credit card number should print on the receipt copy given to the customer. Please make sure your machine is in compliance with this. Notify Financial Services at 903-886-5994 if your machine is not in compliance.
5.5.7. Third-party vendors with access to sensitive cardholder data must be contractually obligated to comply with PCI security standards.
5.5.8. If cardholder data is stored on paper (such as merchant copies of receipts or daily batch reports), make sure the paper is locked up in a location with access limited to those with legitimate business need.
5.5.9. Only authorized personnel should have access to keys to file cabinets containing cardholder data.
5.5.10. Departments should avoid storing cardholder data on portable computer devices or storage media.
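Two of the rules above are mechanical enough to check automatically: 5.4.3 (never accept card data over e-mail) and 5.5.5/5.5.6 (receipts carry only the last four digits and no expiration date). The following Python script is an added example, not part of this procedure or of any university system; it uses publicly known test card numbers and constructed sample text, and the regular expressions and thresholds are the author's assumptions. It finds candidate card numbers in free text, uses the Luhn check to discard order numbers and phone numbers, masks a number for printing, and reports why a receipt would fail the printing rules.

```python
"""Automated checks for two rules in this procedure: no card data over e-mail
(5.4.3) and receipts showing only the last four digits, no expiry (5.5.5/5.5.6).
Added example; all card numbers and messages below are constructed test data."""
from __future__ import annotations

import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits (assumed pattern).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Expiration date written as MM/YY, excluding MM/DD/YYYY transaction dates.
_EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}(?![\d/])")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check every card number
    satisfies; this filters out most non-card digit runs (not all)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digits-only card numbers found in text (e-mail, ticket, log)."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask all but the last four digits, the only part allowed on receipts."""
    digits = re.sub(r"[ -]", "", pan)
    if len(digits) < 13 or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def receipt_problems(receipt: str) -> list[str]:
    """Reasons a receipt violates the printing rules; empty if it passes."""
    problems = []
    if find_pans(receipt):
        problems.append("full card number printed")
    if _EXPIRY_RE.search(receipt):
        problems.append("expiration date printed")
    return problems


# Constructed sample e-mail: one real-looking PAN (a public Visa test number),
# a phone number and a 14-digit order reference that fails the Luhn check.
SAMPLE_EMAIL = """From: student@example.edu
Subject: Payment for conference registration

Please charge 4111 1111 1111 1111, exp 12/27, for $150.00.
Call me at 903-886-5994 if there are problems.
Order reference: 20240915000123
"""

# Constructed receipts: one violating both rules, one compliant.
BAD_RECEIPT = """Campus Bookstore  09/15/2024
VISA 4111 1111 1111 1111  EXP 12/27
TOTAL $150.00
"""
GOOD_RECEIPT = """Campus Bookstore  09/15/2024
VISA ************1111
TOTAL $150.00
"""

if __name__ == "__main__":
    print("card numbers in e-mail:", find_pans(SAMPLE_EMAIL))
    print("masked:", mask_pan("4111 1111 1111 1111"))
    print("bad receipt:", receipt_problems(BAD_RECEIPT))
    print("good receipt:", receipt_problems(GOOD_RECEIPT))
```

The Luhn filter keeps the order reference and the phone number out of the hits while still catching the card number split into groups of four. It is a screening aid, not proof of absence: an e-mail that passes can still contain card data typed in an unusual format, so the rule in 5.4.3 stands regardless of what the scanner reports.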
5.6. In addition to the initial PCI Compliance Questionnaire completed during setup, each department is required to complete an annual PCI self assessment questionnaire. Different versions of the questionnaire are available based on the manner(s) in which you accept credit cards. Please contact Financial Services if you are unsure about which questionnaire is right for you.
5.7. Technology Services will perform periodic reviews of computer and/or computer networks to ensure that security features are in place and are adequate to protect credit card data. Financial Services is available to conduct reviews of business procedures to help departments identify ways to better protect cardholder information.
6. Department Responsibilities: Departments participating in the credit card program are responsible for complying with all rules and procedures issued by Financial Services and all PCI Data Security Standards, including periodic business reviews and completion of the annual PCI questionnaire. Departments will provide Technology Services with the reasonable assistance necessary to perform periodic reviews of credit card related computer and computer network security. This includes providing IP addresses and network configuration diagrams for use in scanning systems for vulnerabilities. Departments are responsible for notifying Technology Services and Financial Services in the event of a suspected security breach.
7. Financial Management Operation Responsibilities: Financial Services is responsible for administering the Texas A&M University-Commerce credit card program and for ensuring that participating departments are kept current on all rules, procedures and security standards. Financial Services will coordinate with the merchant bank on behalf of the department, including any suspected security breach. Financial Services will distribute and coordinate the preparation of the annual PCI questionnaire to each department. Financial Services will work closely with both the department and Technology Services to ensure that all necessary security procedures are in place to ensure protection of sensitive credit card data.
8. Technology Services:
8.1. Technology Services will contract with a vendor for vulnerability scans of PCI computer systems and may require configuration changes to eliminate vulnerabilities. Third-party vendor scans are required for PCI compliance. Vulnerabilities must be mitigated as soon as practical.
8.2. Technology Services standards may be stricter than the PCI requirements, to meet campus needs.
8.3. Technology Services is responsible for approving the configuration of the departments’ PCI computer systems.
9. Required Training: All departments’ staff who will be involved in the acceptance of credit card data, including IT staff who support systems that process credit card data, are required to complete an on-line PCI Security training course to handle credit card information. Periodic refresher courses may be required.
10. Disposal of Surplus or Nonfunctional Equipment: When a department no longer needs a particular device to swipe or read credit cards, that card reader must be returned to Financial Services for handling or disposal. Notify Financial Services at 903-886-5994 if you have a device to be removed from service. This allows Financial Services to ensure that all sensitive information is removed from the device.
Related Statutes, Policies, or Requirements
Electronic Information Security 24.99.99.R1
Electronic Information Security Standards 24.99.99.R1.01
Information Technology Risk Assessment/Strategic Planning 24.99.99.R1.02
References:
Payment Card Industry Data Security Standards (PCI DSS)
Contact Office
Financial Services
Phone Numbers:
903-886-5994 OR 903-886-5043