Credit cards. 3364-40-24

Policy Class: Finance
Policy Action: Minor/technical revision of existing policy
Purpose of Policy:

(1) Acceptance of credit cards

(a) The University accepts credit card payments as a convenient service for customers. Departments may accept Visa, MasterCard, Discover, American Express, and debit cards with a Visa or MasterCard logo.

(b) Each department that accepts credit cards for payment must be approved by the Office of the Treasurer and where applicable approved by the Office of the Chief Information Officer before entering into any contract, purchase, acquisition, or replacement of equipment, software, Internet provider, or wireless device related to credit cards.

(2) Data Security standards

(a) Credit card Merchants at The University are required to follow strict procedures to protect customers' credit card data. The credit card companies (including Visa, MasterCard, Discover, and American Express) have developed standards which credit card Merchants must follow called PCI DSS. All Merchants must comply with the PCI standards (https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php).

(b) While departments may facilitate credit cards on UT computing equipment, they may not transmit, process, or store credit card information on University computer systems or the Internet unless specifically approved. Card information may not be stored on University computer systems.

(c) University online sites that cardholders visit must redirect to a PCI approved third party site to transmit, process, or store the credit card information. This should happen automatically upon the processing of the payment. Contact the Office of the Treasurer for information.

(d) The Office of the Treasurer and the Office of the Chief Information Officer (Information Security) will coordinate periodic reviews of Merchants. Credit card handling procedures are subject to audit by Internal Audit and Compliance or an external audit organization.

Departments not complying with approved safeguarding and processing procedures may lose the privilege to serve as a credit card Merchant.

This policy supersedes: n/a
Keywords: credit card, Payment Card Industry, PCI, Data Security Standards, DSS, SAQ A, SAQ B, SAQ P2PE-HW
Subject(s): Administration, Finance, Faculty, Staff
Date Created: 2015-02-11