PAYMENT CARD ACCEPTANCE
POLICIES & PROCEDURES
MICHIGAN STATE UNIVERSITY
<UNIT NAME>
1. Objective
1.1. This document establishes the policies and procedures for all aspects of payment card
processing as followed by the <UNIT NAME> at Michigan State University. These
policies and procedures are a portion of the overall effort by this office to maintain PCI
DSS compliance. Cardholder data is defined as the full magnetic stripe or the primary
account number plus any of the following: cardholder name, expiration date, or card
security (validation) code. Paper receipts without the full card number displayed are
not cardholder data.
2. Payment Methods
2.1. The <UNIT NAME> accepts payment cards in the following methods, and sets forth
guidelines for each accepted method as follows:
2.1.1. In-Person Transactions – Payment cards will only be accepted if the person
making the payment is the cardholder. Employees will process the payment card
using the swipe terminal, resulting in merchant and customer receipts of the
transaction.
2.1.1.1. For non-EMV (chip) cards: Customers will sign the merchant receipt.
Employees will verify the signature on the signed merchant receipt with that
on the payment card. In the event an unsigned card is presented for payment,
the employee will (a) obtain the usual authorization for the transaction, (b)
ask to see a signed, photo ID and (c) require the customer to sign the card.
2.1.1.2. For EMV (chip) cards: Customer will sign the merchant receipt or enter their
PIN.
2.1.2. Telephone Transactions – Payment cards will only be accepted if the person
making the payment is the cardholder. Employees should request all cardholder
information over the phone. Cardholder will be asked to fax a signed letter of
approval of card use (not including the card number) to the <UNIT NAME>.
Employees will process the payment card through the swipe machine, noting
“signature on file” on the merchant receipt. Signed letter of approval will be
retained in customer’s file. All other cardholder data will be cross-cut shredded
immediately. [Note: requiring a signature for phone orders is a good fraud
prevention step, but is not required by the card brands. Business needs and
customer service issues should be considered when deciding whether to require
signatures.]
2.1.3. Mail-in Transactions – Payment cards will only be accepted if the person making
the payment is the cardholder. Employees will process the payment card by
keying the number into the swipe machine, noting “signature on file” on the
merchant receipt.
2.1.4. Card Data Received via Email – It is strictly prohibited to process any card data
received via email. If a customer sends their card data to <UNIT NAME>, an
employee will contact the customer, instructing them that email is not secure and
to suggest alternate methods of payment. Employee will not reply to the email
without first redacting the card data. Employee will delete the original email
from both their email inbox and their trash folder.
MSU <UNIT NAME> – Payment Card Acceptance Policies & Procedures
Page 3
2.2. Any other methods of payment via payment card are expressly prohibited.
3. Storage
3.1. The <UNIT NAME> will never store the full card number.
3.2. The <UNIT NAME> will never store any cardholder data electronically on desktop
computers or servers.
3.3. If the <UNIT NAME> ever stores cardholder data, it will only be on paper. Such data
will be stored in a secured area, which is locked with limited access and maintains a
security system that includes a security camera.
3.4. The <UNIT NAME> will never store card validation codes.
3.5. The <UNIT NAME> will never solicit or send card numbers by email or networked fax
device.
4. Restrict Access
4.1. The <UNIT NAME> limits access to cardholder data on a need-to-know basis. Need-to-
know access is granted to employees responsible for responding to inquiry and
chargeback requests. Any other access will be considered on a case-by-case basis.
4.2. The <UNIT NAME> restricts physical access to the card swipe machine(s).
4.3. The <UNIT NAME> will perform background checks on all student employees who
have access to more than one card number at a time.
4.4. Access to payment card related systems or data is removed immediately when
employees no longer perform duties related to payment cards.
4.5. Use of wireless communication to access any part of the payment card process is
strictly prohibited.
5. Retention
5.1. If cardholder data is stored, it is only on paper and may be kept for no longer than
eighteen months.
5.2. Cardholder data is stored only so that the <UNIT NAME> may respond to inquiry and
chargeback requests.
5.3. At quarterly intervals, the stored data will be inventoried to ensure that all stored data is
present. A log will be maintained of these periodic inventories, which will include the
date and person performing the inventory. [Note: this procedure is only required if
cardholder data is stored. Receipts without the full card number do not need to be
inventoried.]
PCI\University P&P\PCI SAQ B PoliciesandProcedures Template v3.1
Last Updated: 5-Nov-2015
6. Purging
6.1. At the end of the retention period, all cardholder data will be purged by cross-cut
shredding.
6.2. A log will be maintained of these periodic purges, which will include the date and
person performing the purge.
7. Responsibilities
7.1. General payment card data security in the office is every staff member’s responsibility,
while overall responsibility belongs with the manager.
7.2. The manager and assistant managers are responsible for creating, distributing and
enforcing security policies and procedures.
7.3. All staff members are responsible for controlling general access to payment card data,
while the manager and assistant managers monitor and control all access to payment
card data.
8. Awareness Program
8.1. All employees are properly trained about cardholder data security at inception of duties
involving cardholder data and updated at least annually.
8.2. All employees are required to acknowledge in writing that they understand the office’s
payment card data security policies and procedures, and reassert their understanding as
a part of the annual review process.
8.3. All employees are properly trained to be aware of suspicious behavior and to report
tampering or substitution of devices.
8.4. All employees are properly trained to verify the identity of any third-party persons
claiming to be repair or maintenance personnel prior to granting them access to modify
or troubleshoot devices.
9. Inventory
9.1. The following devices are owned and authorized for use by staff or any authorized
borrower of a loaner machine:
Merchant Name       Location  MID             AE MID      Terminal ID  Model             Serial Number
MSU Merchant Name   1234      277x-xxxx-xxxx  321xxxxxxx  1234567      Hypercom T4210    nnnnnnnnnnnn
MSU Merchant Name   1234      277x-xxxx-xxxx  321xxxxxxx  1234567      First Data FD100  nnnnnnnnnnnn
MSU Merchant Name   1234      277x-xxxx-xxxx  321xxxxxxx  1234567      First Data FD300  nnnnnnnnnnnn
MSU Merchant Name   1234      277x-xxxx-xxxx  321xxxxxxx  1234567      First Data FD400  nnnnnnnnnnnn
MSU Merchant Name   1234      277x-xxxx-xxxx  321xxxxxxx  1234567      Verifone Vx570    nnnnnnnnnnnn
9.2. All equipment is periodically inspected to detect tampering (e.g., addition of card
skimmers) or substitution (e.g., by checking the serial number or other identifying
marks to verify it has not been swapped with a fraudulent device).
10. Service Providers
10.1. <UNIT NAME> will contact the Cashier’s Office for guidance before engaging any
non-MSU entity with whom cardholder data is shared, or who could affect the security
of cardholder data. This includes companies involved with the storage, processing or
transmitting of cardholder data.
10.2. <UNIT NAME> will maintain a list of all service providers.
10.3. <UNIT NAME> will maintain a program to monitor service providers’ PCI DSS
compliance status at least annually.
10.4. <UNIT NAME> will maintain information about which PCI DSS requirements are
managed by each service provider and which are managed by the <UNIT NAME>.
11. Breach Reporting
11.1. In the event of a breach or a suspected breach, the employee will immediately alert
their supervisor. The supervisor will notify the manager of the <UNIT NAME>, who will
report the breach to the PCI Compliance Office at 517-355-5023 or
pcidss@ctlr.msu.edu. In the manager’s absence, the suspected incident will be
reported directly to the PCI Compliance Office or the Office of the Controller. A
breach must be reported if cardholder data is stored in an environment that was
compromised. It is not required that the <UNIT NAME> know whether cardholder
data was compromised; only that the environment was compromised.
12. On-going Compliance
12.1. The policies and procedures herein, including an overall risk assessment, will be
reviewed and updated at least annually, as noted below.
Annual review record (initial and date each review):
Initial ________  Date ________
Initial ________  Date ________
Initial ________  Date ________
Initial ________  Date ________
Initial ________  Date ________
Initial ________  Date ________
Initial ________  Date ________
Initial ________  Date ________