
Departmental Business Management Guide - Payment & Credit Cards


Overview

Good business practices require the University to protect our customers’ personal financial information and prohibit the disclosure of this information to non-affiliated third parties. This means all payment card information must be secured from unauthorized access. It is the University departments’ responsibility to establish standards for administrative, technical, and physical safeguards for customer records and information.

As a result of payment card breaches and the resulting customer distrust in using payment cards as a payment option, the payment card industry formed a global forum called the Payment Card Industry Security Standards Council (PCI SSC), which includes Visa, MasterCard, American Express, JCB, and Discover. The PCI SSC developed the Payment Card Industry Data Security Standards (PCI DSS) to give merchants the guidelines necessary to assure consumers that their payment cards are being processed safely and securely. These standards, mandated by the industry as a requirement for processing payment cards, include controls for handling and restricting payment card information, computer and Internet security, and reporting of a breach of payment card information. In the event of a security breach, merchants who are not compliant with the PCI DSS are at risk of losing their privilege of accepting payment cards and face possible fines, restitution, and legal costs.


University Guidelines

The University's payment card policy (Policy OP-D-2-G – Payment Cards) requires all department heads and managers of units that process, transmit, or store confidential cardholder information to be aware of and in compliance with the Payment Card Industry Data Security Standards (PCI DSS). These standards may be found at the PCI SSC website.


Internal Controls

  • Ensure that proper authorization as a Cash Collection Point and a Payment Card Merchant has been granted for all sites that process, transmit, or store cardholder information.
  • Ensure that physical and electronic access to cardholder data is controlled and properly restricted to authorized personnel.
  • Report security incidents to the Department Supervisor and the University Information Security Office in a timely manner.
  • Establish appropriate segregation of duties between personnel handling credit card processing, the processing of refunds, and the reconciliation function.


Departmental Responsibilities

  • Completing and submitting a Cash Collection Point application and an Application for Payment Card Merchants at least 90 days before the expected target date to begin processing payment cards.
  • Reporting any proposed changes to the department's approved business plan, as well as changes in the way that payment cards are processed, by completing a new Application for Payment Card Merchants and submitting it to Student Financial Services.
  • Notifying Student Financial Services whenever a terminal or web access is added, to ensure that vulnerability scanning is done on all departmental payment card computing devices.
  • Completing a PCI Self-Assessment Questionnaire on an annual basis.
  • Developing and maintaining written procedures to safeguard cardholder information, including procedures for data retention and for the destruction of confidential data.
  • Ensuring staff who have payment card-related duties have read and understand the requirements of the University's Payment Card and related policies.
  • Ensuring applicable background checks have been done on all employees who have access to systems, networks, or cardholder data.
  • Ensuring employees who process, transmit, or store cardholder data have been properly trained, maintain annual security awareness training, and have read and signed the Employee Confidentiality Statement.


Resources
