GVSU PCI COMPLIANCE (CREDIT CARD PAYMENT FAST FACTS) Fall 2015
WHAT IS GVSU'S RESPONSIBILITY?
- Comply with the PCI compliance standards set forth by the payment card industry
- Create internal policies and procedures to protect cardholder data
- Inform and train GVSU personnel who process cardholder data
- Perform an annual review
- Report suspected or confirmed breach incidents

GVSU PCI PROCESSING PROCEDURES

See www.gvsu.edu/pci (Compliance Documents).

Prohibited Practices:
- Storing CVV codes, PIN numbers, track data or card numbers (either electronically or on paper). These must be destroyed immediately after processing.
- Sending credit card information via mobile or end-user messaging technologies (email, fax)
- Requesting that credit card information be sent to a GVSU street address
- Sending credit card information via intercampus mail
- Accepting or entering credit card information on a GVSU website on behalf of a customer
- Using a laptop for entering credit card information
- Instructing customers to enter their own credit card information on a GVSU public computer
- Directly passing credit card fees on to customers who pay via credit card
- Using shredding devices or services that are not designated as PCI compliant
- Using hardware that is not designated as PCI compliant. Most mobile terminal options, such as the Square reader that connects to an iPhone/iPad, are NOT acceptable.
- Using non-approved third party service providers to process credit card transactions
So, then what is allowed?

Accepted Processing Procedures:
- Approved secure websites for ongoing, frequent processes. Contact Ben Rapin, Institutional Marketing, x18014; see www.gvsu.edu/webteam/ecommerce.htm (E-Commerce Request Form).
- Approved secure terminal, wired or wireless. Contact Jennifer Schick, Accounting Business Office, x12231; see www.gvsu.edu/pci (Credit Card Processing Assistance).
- Most mobile terminal options, such as the Square reader that connects to an iPhone/iPad, are NOT acceptable.
- Low volume options:
  - Take the payment directly to the cashier window on the same business day. It must be taken by a GVSU employee (not a student). See www.gvsu.edu/pci (Credit Card Processing Assistance) for the Departmental Deposit Form. You may keep the last 4 digits of the card number for reference.
  - Call one of the following offices, provide the FOAP where the money should be deposited, and transfer the call: 16806 for gift deposits (Gift Processing/Development Office), or 12209 for other credit card payments (Student Accounts Hotline).

- Dedicated PO Box for US Mail
- Approved PCI compliant shredders or shredding services. Coordinate shredding services/bins through Kip Smalligan. Shredders must be cross-cut or diamond cut.
- Approved PCI compliant vendors. If you are using or considering a third party service provider to accept credit cards, the vendor must be PCI compliant. Notify Sue Korzinek of the process so that the proper documentation (for example, the vendor's current PCI Attestation of Compliance) can be acquired from the third party vendor BEFORE signing a contract. Approvals can take up to 6 months.
A scenario that works for many events:
- Set up online registration with Institutional Marketing.
- Prepare the mailing and give registrants these options: register online for credit card payments, or register via mail for check payments.
- For day-of-event registrations, allow check payments or request the use of a loaner terminal to accept credit card payments.
CONSIDERING MAKING A CHANGE?
Any new contract or relationship that relates to credit card payments MUST be approved by the PCI Committee.
- New contracts must have the approval of the University Legal, Compliance and Risk Management Office.
- Contact Sue Korzinek and Jennifer Schick.
- WARNING: Just because a vendor or salesperson says they are PCI compliant does not mean that they are! Verify the claim through the approval process rather than taking it at face value.

SECURITY BREACH PROCESS
- Notify immediately
- Assess the situation
- Take corrective measures
- Prepare a message
- Evaluate processes for improvement

UPDATES

EMV – October 2015
- EMV (Europay/MasterCard/Visa), a.k.a. Chip and PIN
- Instead of a magnetic stripe, EMV cards contain an embedded microprocessor.
- "EMV chip technology reduces card fraud in a face-to-face card-present environment; provides global interoperability; and enables safer and smarter transactions across cards and contactless channels." – "U.S. EMV Migration Efforts Continue Despite Debit Regulatory Challenges", www.cnbc.com, 10/3/13
- Note that EMV addresses card-present fraud only; it does nothing for card data taken online, by phone or on paper, so the storage and handling rules above still apply in full.
- GVSU has ordered new EMV capable credit card terminals to replace terminals with the old technology.
Mobile technology
- Most mobile terminal options, such as the Square reader that connects to an iPhone/iPad, are NOT acceptable.
- Vantiv Mobile Checkout and Vantiv Mobile Accept are compliant options. Contact Jennifer Schick to learn more.
- Using a laptop for entering credit card information is NOT acceptable.
Terminal Security New Requirements
- See the new terminal daily/monthly/annual checklists.
- Keeping an up-to-date inventory of card-reading terminals and periodically inspecting them for tampering or substitution is a PCI DSS requirement (requirement 9.9 in PCI DSS v3.0, in effect since July 1, 2015).
Fees
- Reminder: At GVSU, departments are NOT allowed to directly pass credit card fees on to customers who pay via credit card.
- Recent headlines discussed changes in the rules regarding surcharges/convenience fees. Few companies are actually proceeding down this path due to the various "hoops" they would need to jump through.
- Departments are able to set their rates for all forms of payment knowing that credit card processing fees are 2-3%.
QUESTIONS?
Contact information:
Sue Korzinek, x12035
Jennifer Schick, x12231