UTD Credit Card Acceptance Policy
The University has adopted the following policy and supporting procedures for all types of credit card activity transacted in-person, over the phone, via fax, mail or the Internet. The purpose of this policy is to protect the interests of the University and its customers by establishing strong internal business controls and standard revenue collection methods throughout the University.
This policy provides guidance so that the processes of accepting electronic payments comply with the Payment Card Industry Data Security Standard (PCI DSS) and are appropriately integrated with the University's financial and other systems. In addition, adherence to this policy will ensure compliance with Sections 35.61, 72.004 and 502.002 of the Texas Business & Commerce Code, related to the protection of credit/debit card information and other personal identifying information.
UT Dallas has contracted with a third-party vendor whose core business includes the support and processing of credit card and electronic transactions. The vendor provides the University with a secure gateway and hosted solution in which all electronic personal payment information is securely transmitted to and stored on off-site computers which the company owns and maintains. The vendor maintains PCI DSS compliance certification. This relationship enables the University to provide secure infrastructure for acceptance of electronic payments.
Any UT Dallas employee, contractor or agent who, in the course of doing business on behalf of the University, is involved in the acceptance of credit card and electronic payments is subject to this policy. Failure to comply with the terms of this policy may expose the department and/or the University to financial losses and/or legal liabilities.
3.0 POLICY STATEMENT
Any department electronically collecting revenue (through credit cards or electronic checks) on behalf of the University for goods or services must utilize a secure web based storefront. "Marketplace" is the University's preferred web based application for electronic collection of revenue. This application can accommodate receipt of checks and credit cards (MasterCard, Visa, American Express, and Discover) in a secure environment which is maintained by the third-party provider as referenced in the Purpose section. If a department believes that it has a significant business case or processing requirement that cannot be achieved using Marketplace, it may be granted authorization to use other credit card processing systems (see Exceptions to Using Marketplace).
4.0 RESPONSIBILITIES OF A MERCHANT DEPARTMENT
The following responsibilities are an important aspect of the University's compliance with the PCI Data Standards. Any department collecting revenue on behalf of the University is considered a Merchant Department. The Merchant Department must designate an individual who will have primary authority and responsibility for revenue collection within that department. This individual will be the designated Merchant Department Representative or "MDR".
All Merchant Departments must:
- Complete the Application to Become a Merchant Department (see Attachment A).
- Follow the Card Acceptance guide (or similar rules) of the merchant processor/acquirer (e.g., Global Payments) and the operating regulations and rules of any card associations/networks that will be accepted by the Merchant Department (e.g., MasterCard, Visa, etc.). Links to Global Payments, MasterCard and Visa are provided for reference:
- Global Payments Card Acceptance
- MasterCard Worldwide Rules and Chargeback
- Visa Merchant Responsibility and Card Acceptance Guide
- Only those with a need-to-know are granted access to credit card and electronic payment data.
- Email is not used to transmit credit card payment information. If the use of email is necessary, only the last four digits of the credit card number are displayed.
- Credit card or electronic payment information is never downloaded onto any portable devices such as USB flash drives, compact disks, laptop computers or personal digital assistants.
- Fax transmissions (both sending and receiving) of credit card and electronic payment information are limited to those fax machines whose access is restricted to authorized individuals. The transactions must be processed immediately and the documents must be shredded.
- The processing and storage of personally identifiable credit card or electronic payment information on University computers and servers is prohibited. Exceptions can only be made if the processing and storage methods are compliant with this policy, the UT System Information Security Policy and PCI Data Security Standards. These standards detail strict encryption protocols.
- Only secure communication protocols and/or encrypted connections are used during the processing of electronic transactions. (NOTE: The UT Dallas Information Security Department maintains a staff of security professionals who are available, as required, to provide consultative services on appropriate security practices. The Director of Information Security can be contacted for more information regarding these services.)
- The card-validation code (the three-digit code printed on the signature panel of a credit card, or the four-digit code printed on the front of American Express cards) is never stored in any form, even if the transaction has already been authorized.
- All but the last four digits of any credit card account number are masked if credit card data is displayed.
- All credit card and electronic payment data that is no longer deemed necessary or appropriate to store is destroyed or rendered unreadable.
- Before accepting check payments, the storefront must contain a disclosure that all checks will be converted into ACH transactions and will be processed electronically. In addition, the receipt should provide written notification of this disclosure.
- All computers accessing or providing support for the web based storefront must be encrypted with McAfee SafeBoot. In addition, Identityfinder must be installed and configured to run weekly. All discovered instances of the full credit card number, bank account number, or social security number must be reported to the Department Head, Treasury Manager, and the Information Security Office and remedied immediately.
No University employee, contractor or agent who obtains access to credit card or other personal payment information may sell, purchase, provide, or exchange said information in any form to any third party other than to the University's acquiring bank, depository bank, Visa, MasterCard or other credit card company, or pursuant to a government request. All requests to provide information to any outside party must be reviewed and approved in advance by the Vice President for Communications and the Vice President for Administration or their delegates.
The Development Office is responsible for screening user requests for new accounts and interpreting donor information to ensure that new accounts are classified properly with respect to function and fund.
The Finance Division is responsible for making sure that required documentation is on file and that accounts are opened in FRS in accordance with the documentation.
6.0 PROCESS TO BECOME A MERCHANT DEPARTMENT
The MDR or his/her designee must follow the steps below in order to request approval to become a Merchant Department.
- Notify the Treasury Manager in The Office of Finance of a need to accept credit card and/or electronic payments by completing an Application to Become a Merchant Department.
- Obtain approval from the school/division Department Head. It is the responsibility of the Department Head to approve the business case and all other information provided in the application, and to approve the designation of the Merchant Department Representative.
- Submit the signed application to the Treasury Manager for review and approval by the Associate Vice President for Finance and Controller.
- If the application is approved, the Treasury Manager will forward a request to University Web Services to design a new Marketplace storefront for the Merchant Department. The Merchant Department should allow sufficient time for this process to be completed.
- The Merchant Department Representative must contact the Information Security Office to schedule installation of McAfee SafeBoot and Identityfinder on the computers that will access or support the web based storefront.
- The Treasury Manager will arrange the necessary training for the Merchant Department, as well as any additional information pertinent to the approved payment method.
7.0 EXCEPTION TO USING MARKETPLACE
If a department believes that it has a significant business case or processing requirement that cannot be achieved using Marketplace, it must provide the details of its case in writing. Examples would be departments that have a high volume of walk-in customers paying in person, such as The Pub or the Bookstore. In this case, the department may be granted authorization to use an alternate credit card processing system or vendor.
If the Merchant Department needs to utilize this alternative, it must:
- Complete the Application to become a Merchant Department. The application should request a release from the Marketplace requirements specified by this policy. The request should include the details of their business case and specific processing requirements.
- Provide proof that the alternate vendor is certified PCI compliant and ensure that the department and its vendor comply with all relevant provisions of the UT System Information Use and Security Policy and the UT Dallas Policy for Accepting Credit Card and electronic Payments (See link at the end of this policy).
- Comply with the requirements for installation and running of McAfee SafeBoot and Identityfinder as described above.
The Treasury Manager will review the department's request, and forward it to the Associate Vice President for Finance and Controller for approval. In the event that the use of an alternate vendor is approved, the Merchant Department will be subject to periodic inspections by the Treasury Manager to ensure compliance with the University policy and the PCI Data Security Standards.
An additional exception to using Marketplace applies to departments accepting donations. All donations to the University should be coordinated by the Office of Development and should use the customized online donation option configured through that office. For assistance in establishing a donation link, users should contact the Office of Development.
8.0 PROCESS FOR RESPONDING TO A SECURITY BREACH
Security breaches can result in serious consequences for the University, including release of confidential information, damage to reputation, added compliance costs, the assessment of substantial fines, possible legal liability and the potential loss of the ability to accept credit card and electronic payments.
In the event of a breach or suspected breach of security, the Merchant Department must immediately perform the following steps:
- Contact the Treasury Manager and the Chief Information Security Officer. The Chief Information Security Officer will provide further instructions which will include measures that will preserve electronic evidence.
- The Chief Information Security Officer will implement a Crisis Response Plan to isolate, investigate, document and remediate the situation in partnership with the Treasury Manager.
- All investigation and collection of evidence will be done by an Information Security Analyst. To prevent alteration of the compromised system or systems, Information Security asks the MDR to follow the requests below:
- Do not switch off the compromised machine; powering it down destroys volatile evidence such as memory contents and active network connections.
- Instead, isolate the compromised system(s) from the network by unplugging the network connection cable. Do not perform any other changes to the system.
- Do not log on to the machine and/or change passwords.
- Be on HIGH alert and monitor all electronic applications and report suspicious activity to Information Security.
- Arrange for a network and system vulnerability scan.
- Complete a compliance questionnaire and submit it to relevant card association(s).
9.0 ONGOING POLICY MANAGEMENT
- The University of Texas at Dallas may modify this policy from time to time as required, provided that all modifications are consistent with the Payment Card Industry Data Security Standard then in effect.
- The Treasury Manager of the Office of Finance is responsible for initiating and overseeing an annual review of this Policy, making revisions and updates and ensuring that the updated policy has received the appropriate approvals and is distributed to the Merchant Departments.
Last Updated: August 8, 2012