West Virginia University Policy
Division of Administration and Finance
ACCEPTING AND HANDLING PAYMENT CARD TRANSACTIONS POLICY
Reason for This Policy:
The purpose of this policy is to ensure that credit and debit card information, hereafter referred to as payment card information, is accepted and handled securely to reduce the risk of identity theft and financial fraud to university customers who make payments via such methods. The payment card industry has developed security standards for any organization that accepts, captures, stores, transmits and/or processes payment card information either manually or through an automated system. This set of standards is referred to as the Payment Card Industry’s Data Security Standard, or PCI DSS. This policy and associated procedures are designed to be in compliance with PCI DSS and help those that process payment card transactions proactively protect payment card data.
To Whom Does This Policy Apply:
This policy applies to all University departments and divisional campuses of West Virginia University, inclusive of West Virginia University Research Corporation (WVURC), accepting payment cards.
University entities must request and receive approval from Financial Services to accept payment cards. Only entities that have established processes and appropriate controls in place will be approved to accept payment cards for goods and services. All university entities that process payment card transactions for goods and services are deemed to be merchants under the PCI DSS. Existing university merchants who process or transmit payment card data, as well as any new entity that desires to accept payment cards for goods or services, must adhere to this policy and university procedures, ensuring compliance with the PCI DSS.
University merchants that capture, process, store, or transmit payment cards in exchange for goods and services must adhere to the following:
1. PCI DSS compliance is mandatory for any university merchant that accepts, captures, stores, transmits, and/or processes payment card information. This policy and university procedures have been designed to ensure compliance with the standards.
2. Only authorized and properly trained university merchants and employees may accept, process, and/or access payment card information.
3. University merchants must develop and maintain administrative and information technology security procedures related to their payment card operations that are in compliance with this policy and university procedures.
4. Payment cards may be accepted only using methods approved by Financial Services. New technology evolutions must be approved prior to implementation and must be properly secured and documented. Procurement of any software applications, third party services, or development of payment channels must be approved by Financial Services prior to execution of contractual agreements.
5. Every individual who has access to payment card information is responsible for protecting the information.
6. All types of media containing payment card information must be retained and destroyed in accordance with the PCI DSS and the University’s Payment Card Policy and Payment Card Procedures.
7. All employees of the university who are involved in the accepting, processing, or reconciling of payment card sale transactions are required to complete Payment Card Training and sign a Payment Card Security Agreement annually.
8. University merchants must annually validate compliance of the payment card requirements (via a method approved by the PCI Security Standards Council). The University Funds Handling Coordinator will coordinate the annual validation with all university merchants.
9. Suspected exposure or theft of payment card information must be reported immediately to Financial Services. University merchants suspecting criminal activity should immediately contact the West Virginia University Police Department, Internal Audit and Financial Services. Refer to 4.24 – Payment Card Incident Response Plan for further instructions.
University merchants accepting cards using methods other than the university’s preferred hosted payment solution or stand-alone, dial-out phone terminals must comply with the requirements of the PCI DSS that apply to their method of card acceptance, in addition to those listed above. The university may require its merchants to engage an independent Qualified Security Assessor (as defined by the PCI DSS) to review and assess payment card activities and documentation and to affirm the annual validation of compliance with the payment card requirements.
University merchants accepting payment cards are responsible for all costs of compliance with the PCI DSS including scanning, penetration testing, network infrastructure changes, and external assessments. Further, entities are responsible for any financial penalties assessed by the bank(s) or brand(s) in the event of data breach or failure to maintain compliance with the PCI DSS.
The responsibility for procedure development of this policy rests with Financial Services.
All employees are charged with providing full support to this policy. It is the responsibility of the Dean or Director to implement and maintain this policy within their college, department, or unit.
The responsibility for interpretation of this policy rests with Financial Services.
Additional information or questions regarding this policy can be obtained by contacting Financial Services at 304.293.4002.
Effective Date: April 13, 2016
Approved by: Daniel A. Durbin,
Senior Associate Vice President for Finance - West Virginia University
Treasurer - West Virginia University Research Corporation