Approved by: President
History: Issued -- March 14, 2002
Revised -- July 2, 2014
Last Reviewed --
Related Policies: Cash Handling Policy; Student Accounts Refund Policy
Additional References:
Responsible Official: Director, Treasury Services tel. (202) 319-6445
I. Introduction
It is the policy of the University to protect against the exposure and possible theft of credit card information provided to the University in the course of business, and to comply with the Payment Card Industry Data Security Standards (PCI DSS). Accordingly, any department, school, office or other unit of the University proposing to accept credit cards for payment must obtain advance approval to do so from the Director of Treasury Services, and may accept credit card payments only in accordance with the requirements and methods set forth in this policy. This policy applies to all faculty, staff, and student organizations proposing to accept credit card payments for goods, services or other University-related activities. Periodic audits will be performed by the University to assure compliance with this policy.
II. Definitions
Credit Card Information means any personally-identifiable information associated with a credit, debit, or other payment card, including but not limited to account number, expiration date, security code, and name, address, or other identifying information about the cardholder. For the purposes of this policy the term "credit card" does not include the University Cardinal Card.
III. Policy Requirements
A. Preapproval
Departments, schools, offices or other units of the University (hereinafter "University units") proposing to accept credit cards for payment must obtain advance approval to do so from the Office of Treasury Services. Permission to accept credit card payments will be determined based upon the volume of payments anticipated and the existence of adequate internal controls to protect Credit Card Information. Treasury Services reserves the right to require the implementation of additional controls as a condition of approval to accept credit card payments. The University currently accepts MasterCard, Visa, American Express and Discover credit cards for payment.
Only the Director of Treasury Services is authorized to establish a merchant account associated with the University for the purposes of credit card acceptance.
B. Method of Payment Acceptance
A University unit that has received approval to accept credit card payments as set forth above may accept such payments only with hardware, software and/or services that conform to University security requirements and the PCI DSS (such as a University-approved swipe machine or approved online process). All determinations regarding the acceptability of a payment method shall be made by the Director of Treasury Services.
Credit card payments may only be accepted for the original amount of the purchase. Cash back and cash advances are prohibited.
C. Costs
Unless otherwise approved by the Director of Treasury Services, University units approved to accept credit card payments are responsible for all costs associated with credit card processing (e.g. merchant account setup and administrative fees, equipment purchases, transaction fees, supplies).
D. Restriction on Retention of Credit Card Information
Credit Card Information (defined above) is confidential information and must be protected against unauthorized disclosure. With the exception of the payer's name and the amount paid, any credit card information obtained for the purposes of accepting a credit card payment must be destroyed (via permanent deletion or shredding) immediately after the payment transaction has been completed. Exceptions to this provision must be expressly authorized in advance by the Director of Treasury Services.
E. University Credit Cards
University departments are prohibited from accepting a University procurement or corporate card for any type of transaction. A "payment" between departments should occur through the fund transfer process instead.