Procedures for Accepting Payment Cards
{Department name}
Revision Date: {date}
1. General Requirements





Documentation of all departmental policies with regards to credit card processing.
Credit card terminals must be inspected periodically. Inspection should include the following:
 Verification of make, model, and serial numbers
 Surface inspection to identify attempted tampering or the addition of unexpected
attachments or unusual devices.
Maintain a comprehensive list of all employees who have completed PCI DSS Security Awareness
Training.
Adherence at all times to the most recent version of the Purchase Card Industry Data Security
Standard, currently PCI DSS v3.2.
This department along with the university as a whole does not accept any payment card data via
email or in any manner that does not comply with PCI DSS v3.2 and it is against university policy
and procedures to do so. If a payment card number is received by email, simply reply to the
customer, having already removed the card number in the return email, stating email transactions
may not occur but provide the customer with safe alternatives.
2. Processing

Methods of Payment Card Acceptance
 Mail Phone In-Person  Web Standalone Fax Email- The {department name} does not accept any payment card data by email. It is against
JMU procedures to accept payment card information from customers through email. If a
payment card number is received by email, the {department name} will reply to the customer
(removing the card number in the return email) stating email transactions may not occur but
provide the customer with safe alternatives.
 No other forms of payment for payment cards is accepted.

Procedures
 Mail Transactions Phone Transactions In-Person Transactions Web Transactions Fax Transactions-
3. Transmitting

Third Party Vendors
 The {department name} contracts with the following third party vendors in transmitting
payment card data:

4. Storing



Physical Security-The {department name} does not store any sensitive payment card data, including but
not limited to the full contents of any track data(primary account number, expiration date), card
verification code, and personal identification number. University policy states that only the last four
digits of the PAN may be kept. If payment card information is written down in order to process a
departmental sale on the dial-out terminal, this sensitive information is cross-cut shredded to protect
card holder data.
Record Retention- How and where are your files stored? What length of time?
Disposal- Once the documentation has been maintained for the current fiscal year and three fiscal
years prior, as mandated by the Commonwealth of Virginia, proper documentation disposal follows
JMU Policy #1109 Records Management (http://www.jmu.edu/JMUpolicy/1109.shtml).
5. Security Breach

In the event a security breach is discovered or suspected within the department, then {department
name} must immediately contact the Compliance Specialist in the University Business Office at
8.4674 and e-commerce@jmu.edu. Under no circumstance should {department name} contact anyone
other than the University Business Office. The University Business Office will then assess the
situation and take corrective action at that time.