Policy 3-070 Subject: Payment Card Acceptance

  1. Purpose & Scope
    1. This policy governs the acceptance of payment cards (e.g. Visa, MasterCard, American Express, and Discover) by the University. Being able to provide this payment option to University customers - including students, staff, parents, patrons, and patients - comes with significant responsibility to maintain cardholders' security and to mitigate the risk of fraud. The University, as a merchant, must adhere to strict security guidelines established by the Payment Card Industry or face significant financial penalties. In addition to such penalties, any compromise of cardholder information undermines public confidence in the University's ability to maintain appropriate stewardship over confidential information entrusted to it. Lack of compliance in a single area of the University could jeopardize the University's ability to accept credit cards in any area. Hence, all departments and units accepting payment cards must abide by this policy.
  2. Definitions
    1. Merchant Account - An account set up through a financial institution that provides a merchant with the ability to accept payment cards as payment for goods or services.
    2. Merchant Fees - Charges assessed by payment processors and credit card companies for payment card transactions.
    3. Payment Card - Credit cards or debit cards. Examples include Visa, MasterCard, American Express, and Discover.
    4. Electronic Equipment - Payment card terminals, point of sale registers, kiosks, or computers where payment card software resides.
    5. E-Commerce - The ability to accept payment cards over the internet for various goods or services. E-commerce functionality may be provided by approved in-house developed applications (UPay) or via a compliant third party software solution.
    6. Payment Card Industry Data Security Standards (PCI DSS) - Security standards developed collaboratively by the major card issuers that must be adopted by all merchants accepting payment cards. These standards, which are updated from time to time, are intended to protect cardholder information from fraudulent use.
    7. E-checks - The mechanism for accepting payments over the internet whereby the account holder provides bank routing and account number information. Payments authorized in this manner are directly debited from an individual's checking or savings account.
    8. Certified Server - A server, computer, or point of sale device through which cardholder data is passed or stored. This equipment is PCI DSS certified by undergoing monthly scans and otherwise meeting all requirements for security. Only certified servers may be used for payment card data, even if the data's presence in the server is transitory.
    9. Third Party Software - Commercially available software acting as a surrogate to the UPay system to provide services related to the processing of payment cards.
    10. Qualified Security Assessor - An organization that has been certified by the Security Standards Council to validate an entity's adherence to PCI DSS.
  3. Policy
    1. Approval to Accept Payment Cards or E-Checks - University departments and units must receive approval prior to accepting payment cards or e-checks. Approval is granted by Financial and Business Services through its Income Accounting & Student Loan Services Office. Once approval is granted, Financial and Business Services works with the University's banking partner to establish the needed merchant accounts. They also work with the department or unit to ensure user training takes place, and all other requirements are met before payment cards may be accepted.
    2. Payment Card Acceptance - Once merchant accounts are enabled for a department or unit, the department has an ongoing responsibility to understand security requirements, comply with PCI DSS standards, and to maintain proper business practices as described further in various Rules, Procedures, and Guidelines associated with this policy. Departments and units are responsible for paying all fees and other costs associated with accepting payment cards, including internal fees for administering the University's compliance program. Such costs may be passed on to the cardholder.
    3. Compliance with PCI DSS Standards - University leadership is committed to protecting confidential cardholder information. Departments and units accepting payment cards are expected to adhere to these standards, which are updated periodically, and to enforce the compliance of third party service providers. They are also expected to attend the initial training and periodic refresher training necessary to understand and stay current with these standards. More detail on the PCI DSS standards is available at the following website: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml. The standards can be summarized as follows:
        1. Build and Maintain a Secure Network
        2. Protect Cardholder Data
        3. Maintain a Vulnerability Management Program
        4. Implement Strong Access Control Measures
        5. Regularly Monitor and Test Networks
        6. Maintain an Information Security Policy
      1. Financial and Business Services, through its Income Accounting & Student Loan Services Office, and the Office of Information Technology, through its IT Compliance Office, have been assigned responsibility for assessing, determining, and monitoring compliance with these standards. As a result, responsibility for determining how to apply these standards and for assessing deficiencies is shared among these named areas.
    4. Sanctions for Non-Compliance - University departments or units that transact business using payment cards in a manner that deviates from this policy are subject to various financial and other sanctions. These may include termination of merchant accounts, financial penalties and costs associated with a security breach, penalties and costs associated with bringing a non-compliant application into compliance, and/or possible disciplinary action of the staff involved - up to and including termination of employment.
    5. Use of Third Party Software - The University has spent considerable time and resources developing compliant e-commerce applications (UPay and UMarket) and evaluating various third party solutions to meet unique business needs. Departments and units whose needs cannot be met through these pre-approved applications must request prior approval from the Associate Vice President for Financial and Business Services before considering or acquiring third party solutions. Third party vendors must provide proof of PCI DSS compliance on an ongoing basis.
    6. Hosting Servers - Payment card related websites or software owned or managed by a university department or unit must be hosted on a server certified by a qualified security assessor as well as the IT Compliance Office.
    7. Secure Transmissions - To ensure that proper business practices and security are maintained, only secure and approved processes are allowable for transmitting payment card information. Any unapproved processes, including email, are not allowed to transmit or store payment card information.
    8. Security Breaches - All known or suspected security breaches of cardholder information must be reported immediately to the Income Accounting and Student Loan Services Office as well as the IT Compliance Office. Please see University of Utah Policy 4-004, University Information Technology Resource Security Policy, for additional reporting requirements. Departments and units must cooperate fully with any resulting investigation.
  4. Rules, Procedures, Guidelines, Forms & Other Related Resources
    1. Rules
      1. R3-070-A, Credit Card Guidelines, 1/22/07
      2. R3-070-B, Credit Card Security (PCI DSS) Standards, 7/18/08
      3. R3-070-C, Credit Card Rule - Health Sciences
    2. Procedures
      1. P3-070A, Credit Card Guidelines (see pgs 3 & 4), 1/22/2007
    3. Guidelines [reserved]
    4. Forms [reserved]
    5. Other related resource materials
      1. Executive Summary
  5. References
    1. Policy 3-051, Banking Policy
    2. Policy 4-002, Information Resources Policy
    3. Policy 4-003, World Wide Web Resources Policy
    4. Policy 4-004, University Information Technology Resource Security Policy
    5. PCI Security Standards Council, https://www.pcisecuritystandards.org/
  6. Contacts
    1. Policy Owner: Questions about this Policy and any related Rules, Procedures, and Guidelines should be directed to the Office of the Controller.
    2. Policy Officer: Only the Vice President for Administrative Services or his/her designee has the authority to grant exceptions to this policy.
  7. History
    1. Current version: Revision 0.
      1. Presented for the information of the Academic Senate: November 3, 2008.
      2. Approved by the Board of Trustees: December 8, 2008
      3. Effective date: December 8, 2008
      4. Editorially changed to update Rules, owner and officer; August 24, 2009.

Policy: 3-070 Rev: 0
Date: August 24, 2009