1) Define your Customers, Market Area, and Typical Transaction
Knowing to whom you provide your products and services, where you provide them, and what a typical transaction looks like is very important in reducing fraud. It also assists you in defining internal controls.
- Typical Customer Profile (student at AMC campus, general public, dental hygienists, general public within Colorado, everyone in the entire world)
- Market Area (Denver, Boulder, Metro Denver, within Colorado, USA only, International)
- Typical Transaction (average dollar amount / ticket size, number of items / services purchased, how often, when)
2) Require Good Internal Controls
Require that payment processing happen with good internal controls. This means that the three tasks of processing the payment, balancing out the daily transactions, and balancing the books (PeopleSoft accounts) be distributed between at least two different people. If this is not possible, please consult with your campus controller or finance office for advice on how to implement sufficient internal controls to ensure that opportunities for error and fraud are reduced as much as possible. In no case should an employee ever process their own card transaction (payment or refund); this is a major red flag for fraud.
3) Specify a Security Policy
Each merchant is required to have a security policy, whether you process card payments manually, over the phone, through your web site, or use a third party processor to handle everything. Your policy should cover at a minimum the following points:
- Perform an annual risk / threat assessment or review
- Specify standardized processing procedures that keep cardholder data secure
- Cover whether or not remote access / processing is allowed, under what circumstances, and how it will be secured
- Include an employee security awareness program (all employees receive security training upon hire and annually)
- Require employees to acknowledge at least annually that they have read, understood, and accept the security policies (we recommend keeping acknowledgements in the personnel file)
- Screen employees handling card payments (and other payments!)
- Address use of third parties to handle / process cardholder data
- Include PCI DSS security language in all contracts with vendors; monitor that the vendor has maintained PCI DSS compliance
- Implement an incident response plan
Security Policy Tips:
- Do not store cardholder data in spreadsheet, word-processing, database, or other software.
- Design forms with the cardholder information / signature line in a box at the bottom of the form. When processing the transaction, write the last four digits of the card number and the authorization number on the upper part of the form, then separate and shred the cardholder information from the bottom of the form.
4) Specify a Refund Policy
Your customers need to know your Refund Policy, and they must be told what it is. This will minimize misunderstanding and problems down the road.
- If your policy is "No Refunds", this should be printed on the customer receipt
- Your refund policy must be disclosed to your customers, via signs in your physical location if you process card-present transactions, on your web site, or in your mailing materials
- Refunds must be processed against the original card presented for payment and for the full amount of the original purchase; they cannot be paid in cash or by check
- Refunds should be approved by a supervisor, and this approval should be documented along with the refund documentation
5) Specify a Privacy Policy
- Tell your customers what data you collect, why you collect it, how you will use it, and when you will delete it from your records
- You can do just about anything you want with data collected from your website as long as you disclose it
- Conversely, if your practices do not follow your policy you can get into very big trouble!
6) Establish and Maintain a Records Retention and Destruction Policy
Most departments should already have a Records Retention and Destruction Policy. If your department does not, it is important to have one and follow it for any records that might contain cardholder information, particularly the "Destruction" part. The State Archivist and the CU Office of University Controller (System) have established normal record retention timeframes for particular documents, and your policy should follow those timeframes. In addition, the Payment Card Associations also have record retention timeframes pertaining specifically to payment card transactions (3 years).
The advice of the Treasurer's office is to physically retain paper records that contain card numbers for the minimum time necessary to document disputes and chargebacks, and then destroy those records, as long as there are other types of records that can help you reconstruct a particular payment. For instance, if you receive conference registrations with cardholder information on them, process the payment normally, then write the type of card, the last four digits of the card number, and the authorization code on the upper part of the form. Then you can separate and shred the bottom part of the form containing the card information. If a dispute or chargeback arises later, you can reconstruct the transaction from your receipt documentation or from the online ClientLine portal.
It is extremely important to destroy records (by cross-shredding or other secure destruction technique) when their retention time is up.