Payment Card Procedures

Oregon State University requires all departments that accept payment cards to do so only in accordance with the Payment Card Industry Data Security Standard (PCI DSS), OSU’s eCommerce Policy, and supporting documents, including OSU’s eCommerce at OSU web site.

Card Acceptance and Handling:

  • The opening of a new merchant account (merchant ID) for the purpose of accepting and processing payment cards is managed on a case-by-case basis by Business Affairs.
  • Departments should use the standard approved university eCommerce solutions, which are Payment Card Industry (PCI) and National Automated Clearing House Association (NACHA) compliant. The Business Affairs Office will assist university departments with implementing OSU’s standard solutions for accepting credit card payments through secure payment processing.
  • Interested departments or units should contact businessaffairspitcrew@oregonstate.edu to begin the process of accepting payment cards. See eCommerce at OSU for the process steps.
  • Any fees associated with the acceptance of payment cards will be charged to the merchant.
  • A Merchant Manager for each Merchant ID must be designated by the department/unit.  See Roles and Responsibilities for description of Merchant Manager duties.
    • A back-up for each Merchant Manager must also be designated.
  • In rare cases, an exception may be granted to allow a merchant to use an eCommerce solution that is not part of OSU’s standard approved offering:
    • Decisions are made on a case-by-case basis by Business Affairs and Information Security.
    • In accordance with the Oregon State Treasury Third Party Vendor Requirements, all third-party payment card vendors must be approved in advance by the Oregon State Treasury (OST). To obtain approval, vendors must complete the Oregon State Treasury Third Party Vendor Qualification Application and submit it to Business Affairs.
    • All service providers and third-party vendors that provide payment card services must be PCI DSS compliant. Merchants who contract with third-party service providers must maintain a list documenting their service providers and:
      • Ensure contracts include language stating that the service provider or third-party vendor is PCI DSS compliant and is responsible for protecting all cardholder data it handles on the merchant’s behalf.
      • Annually verify the PCI DSS compliance status of all service providers and third-party vendors (for example, by obtaining the provider’s current Attestation of Compliance). A lapse in PCI DSS compliance could result in termination of the relationship.

Payment Card Data Security:

All merchants must comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements at all times, and must continuously monitor and enforce the controls specified in the PCI DSS.

All merchants authorized to accept payment card transactions must have their card handling procedures documented and made available for periodic review. Merchants must have the following components in their procedures and ensure that these components are maintained on an ongoing basis. Card handling procedures are submitted by merchants as evidence during the annual PCI DSS SAQ process.

Processing and Collection:

  • Access to cardholder data (CHD) is restricted to only those users who need the data to perform their jobs. Where practical, limit access to full-time staff. Each Merchant Manager must maintain a current list of employees with access to CHD and review the list monthly to ensure that it reflects the access currently needed and granted, and that access no longer needed has been revoked.
  • Equipment used to collect cardholder data is secured against unauthorized use or tampering in accordance with the PCI DSS. This includes the following:
    • Maintain a list of devices and their location, including hardware, software, serial number, jack number, IP address (if applicable) and physical location. This list is submitted by the Merchant Manager as evidence during the annual PCI DSS SAQ process;
    • Periodically inspect the devices to check for tampering or substitution (for example, verify serial numbers against the device list and look for added attachments or altered seals);
    • Train all personnel to be aware of suspicious behavior and reporting procedures in the event of suspected tampering or substitution.
  • Email and other end-user messaging technologies, such as text messaging, must never be used to transmit payment card or personal payment information, nor should they be accepted as a means of supplying such information. If cardholder data is nevertheless received in one of these forms, the disposal steps below are critical:
    • Reply immediately, with all cardholder data removed from the reply (including any quoted copy of the original message), stating that “Oregon State University does not accept payment card data via email (text) as it is not a secure method of transmitting cardholder data.”
    • Provide a list of the alternate, compliant payment option(s).
    • Delete the email (text), including any copy in a Trash or Deleted Items folder. For email, contact CN to have the message deleted from the server. Do not process the payment using card data received in this way.
  • Fax machines used to receive payment card information in a merchant department must be standalone machines with appropriate physical security. Receipt or transmission of payment card data using a multi-function fax machine (a device that also scans, prints or emails and may retain images of received pages) is not permitted.
  • If taking payments online, link to the University e-Commerce Privacy Policy from the applicable websites.

Storage and Destruction:

  • Use credit card processing terminals approved by OST and programmed to mask card numbers on both merchant and customer copies of receipts.
  • Cardholder data, whether collected on paper or electronically, is protected against unauthorized access.
  • Full cardholder data (including complete card numbers) collected on paper must be destroyed immediately after the payment card transaction has been processed, using a PCI DSS-approved method of destruction such as a local cross-cut shredder. Locked shredding bins are not acceptable, because they bring the shredding service provider into PCI DSS scope.
  • Cardholder data (including complete card numbers) is not to be stored, either on paper or electronically.
    • In rare cases, an exception may be granted for cardholder data storage on paper. 
      • These records will be marked as ‘Confidential.’
    • Cardholder data is never to be stored electronically.
  • Physical security controls are in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets that store the equipment, documents, or electronic files containing cardholder data.
  • No database, electronic file, or other electronic repository will store the full contents of any track from the magnetic stripe (or the equivalent data from a chip) or the card validation code (the three- or four-digit code printed on the card), even after the transaction has been authorized.
  • Portable electronic media and devices will not be used to store cardholder data. These include, but are not limited to: laptops, compact discs, floppy disks, USB flash drives, personal digital assistants, smartphones, and portable external hard drives.
  • Cardholder data will not be retained longer than a documented, legitimate business need requires. CHD must be destroyed immediately after the required retention period using a PCI DSS-approved method of destruction, such as a local cross-cut shredder; locked shredding bins are not acceptable, as they bring the shredding service provider into PCI DSS scope. Each merchant department should establish a regular schedule for deleting or destroying data so that no cardholder data is kept beyond the required retention period.
    • If an exception to store full cardholder data on paper has been granted, the OSU-defined maximum period of time this data may be retained is 36 months.
    • Records containing partial card numbers should be retained for no longer than seven years.
    • The merchant will inventory paper records containing full or partial credit card numbers every six months to identify loss or theft of items.
    • Security breaches and gaps will be reported to Business Affairs immediately (see ‘Responding to a Security Breach’ below).


PCI DSS Risk Assessment:

  • Compile and submit the required documents to Business Affairs during the annual PCI DSS Risk Assessment reporting process. Documents include, but are not limited to, Self-Assessment Questionnaires (SAQs), Cover Pages, and the evidence required to support SAQ attestations.
  • Meet OSU and Oregon State Treasury deadlines for annual PCI DSS Risk Assessment reporting.
  • Submit the first PCI DSS Risk Assessment report to Business Affairs within 30 days of receipt of the Merchant ID.


Proper Accounting of Funds:

  • Adhere to appropriate accounting standards as established by the Vice President for Finance and Administration.
  • Specific processing and reconciliation details depend on the method of payment card acceptance and the type of merchant account. Follow the procedures in the OSU Fiscal Operations Policy & Procedures Manual, including those related to Sales of Goods & Services and Deposits, and in the Cash Handling Handbook.
  • Uniquely serialize and fully journalize all transactions to provide a conclusive audit trail.
  • Routinely reconcile to the accounting records all goods and services provided and received.

Employee Training:

  • Train all employees involved in processing payment card transactions before they begin processing transactions.
    • Re-train employees annually and when business processes change.
    • Keep a list of trained employees and training dates. This list is submitted by the Merchant Manager as evidence during the annual PCI DSS SAQ process.


Responding to a Security Breach:

In the event of a breach or suspected breach of security, the department or unit must immediately execute the Credit Card Incident Response Procedures.


Sanctions:

Failure to meet the requirements outlined in this policy will result in suspension of the physical and, if appropriate, electronic payment capability for the affected merchant(s). In the event of a breach or a PCI DSS violation, the payment card brands may assess penalties against the University’s acquiring bank, which will likely pass them on to the University. Any fines and assessments imposed on the University will be the responsibility of the impacted unit. A one-time penalty of up to $500,000 per card brand per breach can be assessed, as well as ongoing monthly penalties.

Persons in violation of this policy are subject to sanctions, including loss of computer or network access privileges, disciplinary action, suspension and termination of employment, as well as legal action. Some violations may constitute criminal offenses under local, state, or federal laws. Oregon State University will carry out its responsibility to report such violations to the appropriate authorities.