Payment Card Policy Best Practices

1) Define your Customers, Market Area, and Typical Transaction

Knowing to whom you provide your products and services, where you provide them, and what a typical transaction looks like is very important in reducing fraud. It also assists you in defining internal controls. 

  • Typical Customer Profile (student at AMC campus, general public, dental hygienists, general public within Colorado, everyone in the entire world)
  • Market Area (Denver, Boulder, Metro Denver, within Colorado, USA only, International)
  • Typical Transaction (average dollar amount / ticket size, number of items/ services purchased, how often, when)

2) Require Good Internal Controls

Require that payment processing happen with good internal controls. This means that the three tasks of processing the payment, balancing out the daily transactions, and balancing the books (PeopleSoft accounts) be distributed between at least two different people. If this is not possible, please consult with your campus controller or finance office for advice on how to implement sufficient internal controls to ensure that opportunities for error and fraud are reduced as much as possible. In no case should an employee ever process their own card transaction (payment or refund); this is a major red flag for fraud.

3) Specify a Security Policy

Each merchant is required to have a security policy, whether you process card payments manually, over the phone, through your web site, or use a third party processor to handle everything. Your policy should cover at a minimum the following points:

  • Perform an annual risk / threat assessment or review
  • Specify standardized processing procedures that keep cardholder data secure
  • Cover whether or not remote access / processing is allowed, under what circumstances, and how it will be secured
  • Include employee security awareness program (all employees have security training upon hire and annually)
  • Require employees to acknowledge at least annually that they have read, understood, and accept the security policies (we recommend keeping acknowledgements in the personnel file)
  • Screen employees handling card payments (and other payments!)
  • Address use of third parties to handle / process cardholder data
  • Include PCI DSS security language in all contracts with vendors; monitor that each vendor has maintained PCI DSS compliance
  • Implement an incident response plan

Security Policy Tips:

  • Do not store cardholder data in spreadsheets, word processing documents, databases, or other software.
  • Design forms with cardholder information / signature line in box at bottom of the form. When processing the transaction, write the last four digits of the card number and the authorization number on the upper part of the form, then separate and shred the cardholder information from the bottom of the form.

4) Specify a Refund Policy

Your customers need to know your Refund Policy, and they must be told what it is. This will minimize misunderstanding and problems down the road.

  • If your policy is "No Refunds", this should be printed on the customer receipt
  • Your refund policy must be disclosed to your customers, via signs in your physical location if you process card-present transactions, on your web site, or in your mailing materials
  • Refunds must be processed against the original card presented for payment and for the full amount of the original purchase; they cannot be paid in cash or by check
  • Refunds should be approved by a supervisor, and this approval should be documented along with the refund documentation

5) Specify a Privacy Policy for Your Web Page

Any information that you collect online to facilitate payments must be disclosed in your web site privacy policy / statement.

  • Modify the CU Privacy Policy to fit your actual data collection and use; the policy can be found at https://www.cu.edu/content/privacy-policy
  • Tell your customers what data you collect, why you collect it, how you will use it, and when you will delete it from your records
  • You can do just about anything you want with data collected from your website as long as you disclose it
  • Conversely, if your practices do not follow your policy you can get into very big trouble!

6) Establish and Maintain a Records Retention and Destruction Policy

Most departments should already have a Records Retention and Destruction Policy. If your department does not, it is important to have one and follow it for any records that might contain cardholder information, particularly the "Destruction" part. The State Archivist and the CU Office of University Controller (System) have established normal record retention timeframes for particular documents, and your policy should follow those timeframes. In addition, the Payment Card Associations also have record retention timeframes pertaining specifically to payment card transactions (3 years).

The advice of the Treasurer’s office is to physically retain paper records that contain card numbers for the minimum time necessary to document disputes and chargebacks, and then destroy those records as long as there are other types of records that can help you reconstruct a particular payment. For instance, if you receive conference registrations with cardholder information on them, process the payment normally, write down the type of card and last four digits of the card number, and the authorization code on the upper part of the form. Then you can separate and shred the bottom part of the form containing the card information. If a dispute or chargeback arises later, you can reconstruct the transaction from your receipt documentation or from the online ClientLine portal.

It is extremely important to destroy records (by cross-shredding or other secure destruction technique) when their retention time is up.

7) Keep Treasury apprised of staff and address changes