Accepting and Handling Payment Card Transactions - University ...
Accepting and Handling Payment Card Transactions - University ...
Accepting and Handling Payment Card Transactions - University ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Virginia Polytechnic Institute <strong>and</strong> State <strong>University</strong> Policy 3610<br />
Revision: 0 December 14, 2011<br />
Upon hire <strong>and</strong> at least annually, all employees who are involved with the acceptance, processing or reconciling of<br />
payment card transactions are required to complete <strong>Payment</strong> <strong>Card</strong> Training offered by the university <strong>and</strong> complete<br />
a <strong>Payment</strong> <strong>Card</strong> Security Agreement, confirming their underst<strong>and</strong>ing <strong>and</strong> adherence to this policy. <strong>University</strong><br />
merchants must maintain records of employees’ training.<br />
8. <strong>University</strong> merchants must complete an annual assessment (through a method approved by the PCI<br />
Security St<strong>and</strong>ards Council) to validate <strong>and</strong> document compliance with the payment card requirements.<br />
The <strong>University</strong> <strong>Payment</strong> <strong>Card</strong> Coordinator will coordinate the completion of the annual assessment with<br />
all university merchants.<br />
Annually, university merchants are required to validate compliance with the PCI DSS. This effort will be<br />
coordinated by the <strong>University</strong> <strong>Payment</strong> <strong>Card</strong> Coordinator with the assistance of the Information Technology<br />
Security Office. The <strong>Payment</strong> <strong>Card</strong> Coordinator will provide assistance on business processes related to card<br />
operations <strong>and</strong> the Information Technology Security office will assist with technical security issues.<br />
<strong>University</strong> merchants are subject to review <strong>and</strong> audit of compliance with payment card policies on a recurring basis<br />
(by the Bursar Office, internal <strong>and</strong> external auditors), as well as a review of technical security by the Information<br />
Technology Security Office. Any vulnerability identified via audit or areas of non-compliance with the PCI DSS<br />
must be resolved promptly. The Office of the <strong>University</strong> Bursar reserves the right to temporarily suspend or<br />
terminate a university merchant’s authorization to accept payment cards for non-compliance.<br />
9. Suspected exposure or theft of payment card information must be reported immediately to the<br />
<strong>University</strong> <strong>Payment</strong> <strong>Card</strong> Coordinator in the Bursar’s Office. <strong>University</strong> merchants suspecting criminal<br />
activity should immediately contact the Virginia Tech Police Department <strong>and</strong> the <strong>Payment</strong> <strong>Card</strong><br />
Coordinator.<br />
In the event of an unauthorized disclosure of payment card data, which includes the suspected unauthorized access<br />
of electronic data or paper media, the university merchant should immediately contact the <strong>University</strong> <strong>Payment</strong> <strong>Card</strong><br />
Coordinator. If criminal activity is suspected the Virginia Tech Police Department should be the first point of<br />
contact. Once an incident has been validated <strong>and</strong> any potential exposure verified, procedures for contacting<br />
individuals will be determined by university administration, university legal counsel, <strong>and</strong> outside entities, as<br />
required by contract or law.<br />
4. Exceptions<br />
Written authorization must be obtained from the <strong>University</strong> Bursar for any university merchant or entity<br />
seeking an exception to any portion of this policy. <strong>University</strong> merchants seeking exception must submit a<br />
written request identifying the business need <strong>and</strong> the measures proposed to ensure compliance with the PCI<br />
DSS. It is recommended that university merchants perform a detailed review of business processes <strong>and</strong> costbenefit<br />
analysis, considering all processing channels that may be of lower risks or costs. Request(s) must at a<br />
minimum include the following:<br />
a. Identification <strong>and</strong> position description of the employee(s) charged with full PCI DSS<br />
compliance<br />
b. Description of business need for collection or storing of cardholder data<br />
c. Software applications <strong>and</strong> validation of PCI DSS compliance, including copy of contracts<br />
d. Incident response plans<br />
e. Data Retention <strong>and</strong> disposal procedures<br />
f. Network diagram(s)<br />
<strong>Accepting</strong> <strong>and</strong> H<strong>and</strong>ling <strong>Payment</strong> <strong>Card</strong> <strong>Transactions</strong> Page 6 of 8