Acceptance of Payment Card Cost and Risk
This policy establishes ultimate authority over payment card activity, assigns responsibility for oversight of campus payment card merchants, and specifies who bears the costs and risks of organizational units accepting card payments.
The acceptance of payment cards by organizational units incurs costs and presents significant financial and reputational risks to the university. This policy establishes authority and responsibility for overall management of the university’s payment card programs, clarifying responsibility for approval and oversight of payment card merchants, and assigning responsibility for costs and risks associated with payment card acceptance.
Payment cards are one of the most convenient but also most costly methods for accepting payment for goods and services. In addition, acceptance of payment cards has inherent risks for the merchant unit and the university. The immediate risk is of a payment transaction being returned to the unit after a good or service is provided to a customer. There is also the risk that any cardholder data within the merchant processing environment, on paper or in electronic form, is compromised and possibly used for fraud. If cardholder data is compromised, the negative consequences can be significant financial and reputational risk for both the merchant department and the university as a whole.
II. Policy Statement
- Authority for overall management of the university’s payment card programs
The treasurer of the university, in coordination with the designated campus and system authorities, is responsible for the overall and ongoing oversight and management of the university’s payment card acceptance program. This includes management of the relationship with the university’s acquiring bank, coordination of compliance efforts across the campuses and system with the acquiring bank and Payment Card Associations, and reporting to the president in the event of a breach of cardholder data confidentiality. No organizational unit shall accept card payments without the express approval of the treasury. All merchant units will attain and maintain compliance with the Payment Card Industry Data Security Standard (PCIDSS) and other relevant standards and requirements for processing and securing cardholder data. The treasurer has the authority to temporarily suspend or permanently revoke the ability of a merchant unit to accept card payments at any time within the treasurer’s discretion.
This authority does not automatically apply to the university’s procurement card program or to non-payment transactional campus banking relationships.
- Responsibility for and oversight of payment card merchants
On each campus, the vice chancellor/chief financial officer is responsible for the approval of new payment card merchant applications for that campus as well as ongoing oversight of new and existing merchant units. The vice chancellor may delegate these responsibilities in writing. For system units desiring to accept card payments, the system controller is the designated responsible party. This approval and oversight authority includes acceptance of the risks entailed in accepting card payments.
Each campus shall maintain a policy that identifies the roles and responsibilities for oversight of payment card activities for the campus. As per the IT Security Program policy, the campus Information Security Officers shall for their respective campuses provide security standards pursuant to payment card industry standards as well as other federal, state or local regulations. The chief information security officer and the campus information resource oversight authority, as designated in the IT Security Program policy, shall have technical oversight and approval of proposed and current electronic payment processing methods, particularly with respect to the security, integrity, and confidentiality of those methods and cardholder data. Each campus must also maintain procedures for coordinating the response to unauthorized payment card system access or a data breach with treasury and the chief information security officer.
- Responsibility for costs of payment card acceptance
The organizational unit that is the merchant of record for payments is entirely responsible for all costs and other responsibilities of payment card acceptance including, but not limited to, merchant discounts, fees, costs of processing services, equipment, software, maintenance, incident investigation, fines, remediation, and notification to customers. The organizational unit is also responsible for the privacy and security of any cardholder data to which it may become privy, as well as the security and integrity of any web site or web application through which it processes online payments. The unit may contract with third parties authorized by treasury to process cardholder transactions, but it remains responsible for meeting its merchant compliance and security obligations.
III. Definitions
Acquiring bank – the financial institution that sponsors the university into the payment card system, processes card transactions, and settles funds for card payments into university bank accounts.
Merchant – any organizational unit accepting payment cards in payment for goods or services.
Payment card – any mechanism used for payments that is issued by a financial institution and processed through a credit card or debit card/ATM processing network.
Payment card association – associations of payment card issuers that govern payment card acceptance; this includes Visa, MasterCard, Discover, American Express, and JCB.
Payment Card Industry Data Security Standard (PCIDSS) – the technical standard for the security and privacy of cardholder data issued and maintained by the Payment Card Industry Security Standards Council or its successor.
IV. Related Policies, Procedures, Forms, Guidelines and Other Resources
- Other Resources
For additional information and training, contact Joseph D. Tinucci, Assistant Treasurer, 303-837-2185, firstname.lastname@example.org.
- Originally issued January 1, 2011
- The title of “IT Security Principals” was replaced with the title of “Information Security Officers” effective May 1, 2014.
VI. Key Words
Credit card, Credit card processing, Credit card security, Debit card, Merchant Services, Online payments, Payment card, Payments, PCI, PCIDSS, Security