Western New Mexico University Policy for Accepting Credit Card and e-Commerce
Payments
This policy has been approved by the President and the Vice President for Business Affairs (VPBA).
Contents:
- Background and Purpose
- Applicability
- Policy Statement
- Record Retention/Destruction of Physically Stored Credit Card Information
- Process to Implement Acceptance of Credit Card and e-Commerce Payments
- Process for Responding to a Security Breach
- Ongoing Policy Management
- Related Links
Background and Purpose
Western New Mexico University’s acceptance of credit cards to pay for gifts, goods and services
has been growing over the past several years. Increased interest in accepting payments over the
Internet (e-commerce) has also grown, spurring the need to establish business processes and
policies that protect the interests of the University and its customers.
While the costs for accepting credit card payments can be significant (2.0% -4.0% of every
transaction, depending on the card type), it often makes sense to accept this type of payment for
business reasons, which include control of receivables, competitive position and efficient
processing. To the extent that it makes economic sense to do so, the University would like to
support this activity. In order to ensure that credit card activities are consistent, efficient and
secure, the University has adopted the following policy and supporting procedures for all types
of credit card activity transacted in-person, via fax or the Internet. This policy provides guidance
so that credit card acceptance and e-commerce processes comply with the Payment Card
Industry Data Security Standards (PCI DSS) and are appropriately integrated with the
University’s financial and other systems.
Security breaches can result in serious consequences for the University, including release of
confidential information, damage to reputation, added compliance costs, the assessment of
substantial fines, possible legal liability and the potential loss of the ability to accept credit card
payments.
Western New Mexico University has contracted with a third-party vendor “TouchNet
Information Systems, Inc. (TouchNet),” whose core business includes the support and processing
of e-commerce transactions. The Authorized Vendor will provide the University with a secure
gateway and hosted solution in which all credit cards and personal payment information is
transmitted to and stored on off-site computers which TouchNet owns and maintains. TouchNet
must maintain PCI DSS compliance certification. This relationship will enable the University to
leverage the volume of e-commerce transactions and reduce processing costs.
Applicability
Any Western New Mexico University employee, contractor or agent who, in the course of doing
business on behalf of the University, is involved in the acceptance of credit card and e-commerce
payments for the University is subject to this policy. Failure to comply with the terms of this
policy may result in disciplinary actions and could also limit a department’s credit card
acceptance privileges.
Policy Statement
Any department accepting credit card and/or electronic payments on behalf of Western New
Mexico University for gifts, goods or services (“Merchant Department”) must designate an
individual within that department who will have primary authority and responsibility for
e-commerce and credit card transaction processing within that department. This individual will be
referred to in the remainder of this policy statement as the Merchant Department Responsible
Person or “MDRP”.
All MDRPs must:
1. Execute on behalf of the relevant Merchant Department the Process to Implement
Acceptance of Credit Cards for Payment detailed below.
2. Ensure that all employees (including the MDRP), contractors and agents with access to
payment card data within the relevant Merchant Department acknowledge on an annual
basis and in writing that they have read and understood this Policy for Accepting Credit
Card and e-commerce Payments. These acknowledgements should be submitted, as
requested, to the Director of Fiscal Affairs located in Castorena Hall Room 150, Silver
City on an annual basis.
3. Ensure that all credit card data collected by the relevant Merchant Department in the
course of performing Western New Mexico University business, regardless of how the
payment card data is stored (physically or electronically, including but not limited to
account numbers, card imprints, and Terminal Identification Numbers (TIDs)) is secured.
Data is considered to be secured only if the following criteria are met:
- Cardholder information should always be kept in a secure location until the data
  can be transferred over to the Business Office. The cardholder data, along with a
  list verified by the MDRP’s immediate supervisor, must be hand-carried by the
  MDRP in a locked bank bag on a daily basis. The cashier must verify the
  contents of the bag prior to the MDRP leaving the Business Office. If verification
  cannot occur at that moment, the bank bag must be locked up in the University
  vault.
- Only those with a need-to-know are granted access to credit card and electronic
  payment data.
- Email should not be used to transmit credit card or personal payment
  information.
- Credit card or personal payment information is never downloaded onto any
  portable devices such as USB flash drives, compact disks, laptop computers,
  personal digital assistants, or smartphones.
- Fax transmissions (both sending and receiving) of credit card and electronic
  payment information occur only on those fax machines whose access is restricted
  to just those individuals who must have contact with payment card information in
  order to do their jobs.
- The processing and storage of personally identifiable credit card or payment
  information on University computers and servers is prohibited.
- Only secure communication protocols and/or encrypted connections to TouchNet
  are used during the processing of e-commerce transactions.
- The three-digit card-validation code printed on the signature panel of a credit card
  is never stored in any form.
- The full contents of any track from the magnetic stripe (on the back of a credit
  card, in a chip, etc.) are never stored in any form.
- All but the first and last four digits of any credit card account number are always
  masked, should it be necessary to display credit card data.
- All media containing credit card and personal payment data that are no longer
  deemed necessary or appropriate to store are destroyed or rendered unreadable.
No Western New Mexico University employee, contractor or agent who obtains access to
payment card or other personal payment information in the course of conducting business on
behalf of Western New Mexico University may sell, purchase, provide, or exchange said
information in any form including but not limited to imprinted sales slips, carbon copies of
imprinted sales slips, mailing lists, tapes, or other media obtained by reason of a card transaction
to any third party other than to Western New Mexico University’s acquiring bank, depository
bank, Visa, MasterCard or other credit card company, or pursuant to a government request.
Record Retention/Destruction of Physically Stored Credit Card Information
Payment card data physically stored (including but not limited to sales receipts, account
numbers, card imprints, and Terminal Identification Numbers (TIDs)) will be locked up in the
University vault located in the Business Office. The credit card information will be postdated
with a destruction date. The data will be stored for up to eighteen (18) months in case a dispute
arises. The method of destruction will be to use a cross-cut shredder.
Process to Implement Acceptance of Credit Card and e-Commerce Payments
The MDRP or his/her designee must follow the steps below in order to implement payment card
processing and e-commerce at Western New Mexico University.
1. Notify the Director of Fiscal Affairs in Castorena Hall Room 150, of a need to accept
credit card payments and/or conduct e-commerce. Notification should be sent to
merchantadministrator@wnmu.edu.
2. Complete an Application to Become a Merchant Department. Applications must be signed
by the MDRP as well as the Department Head. It is the responsibility of the VPBA to approve
the business case for the department to become a merchant department, the Banner
information provided and the designated Merchant Department Responsible Person.
3. Submit the application for review and approval to the Director of Fiscal Affairs at
merchantadministrator@wnmu.edu. Allow 2-4 weeks for processing of the request. All
applications require the approval of the VPBA. Applications that request e-commerce
capabilities will also require approval of the designated Vice President and Director of
IT.
4. If the application is approved, the Director of Fiscal Affairs will provide the requesting
department any necessary equipment and training on cash handling as well as instructions
on what to do if there is a security breach.
Process for Responding to a Security Breach
In the event of a breach or suspected breach of security, the Merchant Department must
immediately execute each of the relevant steps detailed below.
1. The MDRP or any individual suspecting a security breach must immediately notify the
Director of Fiscal Affairs at merchantadministrator@wnmu.edu of an actual breach or
suspected breach of credit card information. Email should be used for initial notification
and to provide a telephone number for the Director of Fiscal Affairs to call in response.
Details of the breach should not be disclosed in email correspondence.
2. The MDRP or any individual suspecting a security breach involving e-commerce also
must immediately ensure that the following steps, where relevant, are taken to contain
and limit the exposure of the breach:
- Prevent any further access to or alteration of the compromised system(s) (i.e., do
  not log on at all to the machine and/or change passwords; do not log in with
  ROOT or Administrative authority).
- Do not switch off the compromised machine; instead, isolate the compromised
  system(s) from the network by unplugging the network connection cable.
- Preserve logs and electronic evidence.
- Log all actions taken.
- If using a wireless network, the Director of Fiscal Affairs will contact IT Network
  Services and request a change to the SSID on the AP and other machines that may
  be using this connection. (No changes should be made to any systems believed to
  be compromised, however.)
- Be on HIGH alert and monitor all e-commerce applications.
3. The Director of Fiscal Affairs shall alert the merchant bank, the payment card
associations, the Western New Mexico University Director of IT, the Western New
Mexico University President’s Office and Public Relations Officer, the FBI, United
States Secret Service and other relevant regulatory agencies of the suspected breach.
4. Where an actual breach of credit card data is confirmed, the Director of Fiscal Affairs,
with the assistance of the University Director of IT, will ensure that compromised credit
card account information is securely sent to the appropriate Fraud Control Groups and
affected credit card associations.
5. Within 48 hours of the breach, the Director of Fiscal Affairs, with assistance from the
relevant MDRP, shall provide the affected credit card associations with proof of PCI
compliance.
6. Within 4 business days of the breach, the Director of Fiscal Affairs, with assistance from
the relevant MDRP, shall provide the affected credit card associations with an incident
report.
7. At the relevant credit card associations’ request and depending on the level of risk and
data elements compromised, the Director of Fiscal Affairs, in conjunction with the
University Director of IT, shall, within 4 business days of the event:
- Arrange for an independent forensic review.
- Arrange for a network and system vulnerability scan.
- Complete a compliance questionnaire and submit it to the relevant card
  association(s).
Ongoing Policy Management
- Western New Mexico University may modify this policy from time to time as required,
  provided that all modifications are consistent with Payment Card Industry Data Security
  Standards then in effect.
- The Director of Fiscal Affairs is responsible for initiating and overseeing an annual
  review of this Policy, making appropriate revisions and updates and issuing the revised
  policy to appropriate Merchant Departments. The review will include reconfirmation of
  certified PCI compliance of Western New Mexico University’s third-party vendors that
  accept credit card payments on behalf of the University.
Related Documents
Western New Mexico University Information Technology Resources Security Policy (need html
address)
Application to Become a Merchant Accepting Credit Card and/or Online Payments: (need html
address).
The web site for the PCI Security Standards Council: https://www.pcisecuritystandards.org/