Credit Card Policies and Procedures

Merchants must be very careful in handling credit card information and data. Sensitive cardholder data must be securely disposed of when no longer needed. All but the last four digits of the account number must be masked when displaying cardholder data. Paper documents containing credit card information must be stored in a locked file with controlled access. Credit card data must not be stored on any of the following: server, laptop, floppy, CD, DVD, or any other electronic manner. Data Security pertains to all transactions, whether they are initiated via the telephone, over the counter, mail order, Internet, etc. If you are not in compliance with any of these requirements, contact the Office of Business Operations for immediately for assistance.

1. Secure all confidential cardholder numbers and information. Credit card receipts should typically be treated the same as you would treat cash. Departments will be responsible for any losses due to poor internal and inadequate controls.

1. Credit card numbers must never be transmitted by e-mail, unsecured fax, or through campus mail.

2. All documentation containing credit card account numbers must be maintained in a secure location that is accessible to only accountable staff members. Secure locations include locked drawers and safes.

3. Payments should be processed within 24-48 hours of receipt. If payments are stored overnight a Credit Card Storage Log must be maintained.

4. All documentation containing card account numbers must be destroyed in such a way that they will be deemed unreadable.

5. The Identity Finder program should be used monthly to scan inboxes, sent folders, and desktops to ensure rouge credit card information is appropriately identified and removed.

2. Restrict access to credit data and processing to appropriate and authorized
   personnel.

1. Departments that process credit card transactions are required to monitor all visitors. All personnel need to be able to easily distinguish between employees and visitors. Departments must either maintain a Visitor Log or require all employees to wear a Name Badges.

2. Background checks must be completed for all New Hires with a credit card processing job responsibility.

3. Establish segregation of duties between the credit card processing and reconciliation.

4. An annual review of department policy and procedures must be conducted annually. All changes must be reported to the Office of Business Operations.

5. To request changes to your Merchant Account the Credit Card Merchant Change Request form must be submitted. This form can be used for adding new users to the account, deleting users, making a department name change, or modifying account numbers used for deposits and/or fees.

6. Credit card authorizations must be kept for 18 months for response to charge-backs and other disputes.

7. Staff members working with credit card data are required to attend annual credit card policy and procedure training.

8. The Office of Business Operations and/or Internal Audit will conduct periodic reviews of existing credit card accounts regarding the safeguarding and storage of cardholder data.

9. The Credit Card Merchant Change Request form should be used to notify the Office of Business Operations of proposed changes.

10. Report all suspected or known security breaches immediately to the Office of Business Operations and your supervisor.

1. Examples include: Tampered files/cabinets used to store credit card information, lost/stolen keys, compromised ID & passwords, unusual/unexplained credit card transactions on your account, computer workstation breach, or unsecured credit card data.